Scheduled Searches

Veeam App for CrowdStrike Falcon LogScale provides you with built-in search queries based on Veeam security activities. You can run queries periodically at specific time intervals and perform a trigger action when search results meet query conditions. By default, all queries are disabled.

For more information about scheduled searches, see Falcon LogScale documentation:

Query List

In the Automation > Scheduled searches section, you can use the following search queries:

Events

| Query Name | Query Condition | Time Interval for Check |
| --- | --- | --- |
| Adding User or Group Failed | At least one Veeam event with ID 31210 (Adding User or Group Failed) is found. | Every 3 hours |
| Application Group Deleted | At least one Veeam event with ID 30500 (Application Group Deleted) is found. | Once a day |
| Application Group Settings Updated | At least one Veeam event with ID 30400 (Application Group Settings Updated) is found. | Once a day |
| Archive Repository Deleted | At least one Veeam event with ID 29900 (Archive Repository Deleted) is found. | Every 5 minutes |
| Archive Repository Settings Updated | At least one Veeam event with ID 29800 (Archive Repository Settings Updated) is found. | Every 3 hours |
| Backup Proxy Deleted | At least one Veeam event with ID 27900 (Backup Proxy Deleted) is found. | Once a day |
| Backup Repository Deleted | At least one Veeam event with ID 28200 (Backup Repository Deleted) is found. | Every 5 minutes |
| Backup Repository Settings Updated | At least one Veeam event with ID 28100 (Backup Repository Settings Updated) is found. | Every 3 hours |
| Cloud Gateway Deleted | At least one Veeam event with ID 24140 (Cloud Gateway Deleted) is found. | Once a day |
| Cloud Gateway Pool Deleted | At least one Veeam event with ID 24143 (Cloud Gateway Pool Deleted) is found. | Once a day |
| Cloud Gateway Pool Settings Updated | At least one Veeam event with ID 24142 (Cloud Gateway Pool Settings Updated) is found. | Once a day |
| Cloud Gateway Settings Updated | At least one Veeam event with ID 24131 (Cloud Gateway Settings Updated) is found. | Once a day |
| Cloud Replica Permanent Failover Performed by Tenant | At least one Veeam event with ID 27000 (Cloud Replica Permanent Failover Performed by Tenant) is found. | Every 5 minutes |
| Configuration Backup Job Failed | At least one Veeam event with ID 40700 (Configuration Backup Job Finished) and state Failed is found. | Every 3 hours |
| Configuration Backup Job Settings Updated | At least one Veeam event with ID 31500 (Configuration Backup Job Settings Updated) is found. | Once a day |
| Connection to Backup Repository Lost | At least one Veeam event with ID 21224 (Connection to Backup Repository Lost) is found. | Every 5 minutes |
| Credential Record Deleted | At least one Veeam event with ID 25500 (Credential Record Deleted) is found. | Every 5 minutes |
| Credential Record Updated | At least one Veeam event with ID 25400 (Credential Record Updated) is found. | Every 5 minutes |
| Detaching Backups Started | At least one Veeam event with ID 41200 (Detaching Backups Started) is found. | Once a day |
| Encryption Password Added | At least one Veeam event with ID 31600 (Encryption Password Added) is found. | Once a day |
| Encryption Password Changed | At least one Veeam event with ID 31700 (Encryption Password Changed) is found. | Every 5 minutes |
| Encryption Password Deleted | At least one Veeam event with ID 31800 (Encryption Password Deleted) is found. | Every 5 minutes |
| External Repository Deleted | At least one Veeam event with ID 32200 (External Repository Deleted) is found. | Every 5 minutes |
| External Repository Settings Updated | At least one Veeam event with ID 32100 (External Repository Settings Updated) is found. | Once a day |
| Failover Plan Deleted | At least one Veeam event with ID 26100 (Failover Plan Deleted) is found. | Every 3 hours |
| Failover Plan Settings Updated | At least one Veeam event with ID 26000 (Failover Plan Settings Updated) is found. | Once a day |
| Failover Plan Started | At least one Veeam event with ID 26600 (Failover Plan Started) is found. | Every 5 minutes |
| Failover Plan Stopped | At least one Veeam event with ID 26700 (Failover Plan Stopped) is found. | Every 3 hours |
| File Server Deleted | At least one Veeam event with ID 28950 (File Server Deleted) is found. | Every 5 minutes |
| File Server Settings Updated | At least one Veeam event with ID 28940 (File Server Settings Updated) is found. | Once a day |
| File Share Deleted | At least one Veeam event with ID 28920 (File Share Deleted) is found. | Every 5 minutes |
| Four-Eyes Authorization Disabled | At least one Veeam event with ID 42401 (Four-Eyes Authorization Disabled) is found. | Every 5 minutes |
| Four-Eyes Authorization Request Created | At least one Veeam event with ID 42402 (Four-Eyes Authorization Request Created) is found. | Every 5 minutes |
| Four-Eyes Authorization Request Expired | At least one Veeam event with ID 42405 (Four-Eyes Authorization Request Expired) is found. | Every 5 minutes |
| Four-Eyes Authorization Request Rejected | At least one Veeam event with ID 42404 (Four-Eyes Authorization Request Rejected) is found. | Once a day |
| General Settings Updated | At least one Veeam event with ID 31000 (General Settings Updated) is found. | Once a day |
| Global Network Traffic Rules Deleted | At least one Veeam event with ID 32400 (Global Network Traffic Rules Deleted) is found. | Once a day |
| Global VM Exclusions Added | At least one Veeam event with ID 40400 (Global VM Exclusions Added) is found. | Every 5 minutes |
| Global VM Exclusions Changed | At least one Veeam event with ID 40600 (Global VM Exclusions Changed) is found. | Every 5 minutes |
| Global VM Exclusions Deleted | At least one Veeam event with ID 40500 (Global VM Exclusions Deleted) is found. | Every 3 hours |
| Host Deleted | At least one Veeam event with ID 28500 (Host Deleted) is found. | Every 5 minutes |
| Host Settings Updated | At least one Veeam event with ID 28400 (Host Settings Updated) is found. | Once a day |
| Hypervisor Host Deleted | At least one Veeam event with ID 25700 (Hypervisor Host Deleted) is found. | Once a day |
| Hypervisor Host Settings Updated | At least one Veeam event with ID 25800 (Hypervisor Host Settings Updated) is found. | Once a day |
| Invalid Code for Multi-Factor Authentication Entered | At least one Veeam event with ID 40205 (Invalid Code for Multi-Factor Authentication Entered) is found. | Every 5 minutes |
| Job Deleted | At least one Veeam event with ID 23090 (Job Deleted) is found. | Every 5 minutes |
| Job No Longer Used as Second Destination | At least one Veeam event with ID 23420 (Job No Longer Used as Second Destination) is found. | Every 5 minutes |
| KMS Key Rotation Job Finished | At least one Veeam event with ID 42500 (KMS Key Rotation Job Finished) is found. | Once a day |
| KMS Server Deleted | At least one Veeam event with ID 42301 (KMS Server Deleted) is found. | Every 5 minutes |
| KMS Server Settings Updated | At least one Veeam event with ID 42302 (KMS Server Settings Updated) is found. | Every 5 minutes |
| License Expired | At least one Veeam event with ID 24030 (License Expired) is found. | Every 5 minutes |
| License Expiring | At least one Veeam event with ID 24020 (License Expiring) is found. | Once a day |
| License Grace Period Started | At least one Veeam event with ID 24060 (License Grace Period Started) is found. | Every 3 hours |
| License Limit Exceeded | At least one Veeam event with ID 24070 (License Limit Exceeded) is found. | Every 3 hours |
| License Removed | At least one Veeam event with ID 24080 (License Removed) is found. | Every 5 minutes |
| License Support Expired | At least one Veeam event with ID 24050 (License Support Expired) is found. | Every 5 minutes |
| License Support Expiring | At least one Veeam event with ID 24040 (License Support Expiring) is found. | Every 3 hours |
| Malware Activity Detected | At least one Veeam event with ID 41600 (Malware Activity Detected) is found. | Every 5 minutes |
| Malware Detection Exclusions List Updated | At least one Veeam event with ID 42280 (Malware Detection Exclusions List Updated) is found. | Every 5 minutes |
| Malware Detection Session Finished | At least one Veeam event with ID 42210 (Malware Detection Session Finished) is found. | Once a day |
| Malware Detection Settings Updated | At least one Veeam event with ID 42290 (Malware Detection Settings Updated) is found. | Every 5 minutes |
| Multi-Factor Authentication Disabled | At least one Veeam event with ID 40201 (Multi-Factor Authentication Disabled) is found. | Every 5 minutes |
| Multi-Factor Authentication for User Disabled | At least one Veeam event with ID 40204 (Multi-Factor Authentication for User Disabled) is found. | Every 5 minutes |
| Multi-Factor Authentication Token Revoked | At least one Veeam event with ID 40202 (Multi-Factor Authentication Token Revoked) is found. | Every 3 hours |
| NDMP Server Deleted | At least one Veeam event with ID 28850 (NDMP Server Deleted) is found. | Once a day |
| Object Marked as Clean | At least one Veeam event with ID 41610 (Object Marked as Clean) is found. | Once a day |
| Object Storage Deleted | At least one Veeam event with ID 28980 (Object Storage Deleted) is found. | Every 5 minutes |
| Object Storage Settings Updated | At least one Veeam event with ID 28970 (Object Storage Settings Updated) is found. | Every 3 hours |
| Objects Added to Malware Detection Exclusions | At least one Veeam event with ID 42260 (Objects Added to Malware Detection Exclusions) is found. | Every 5 minutes |
| Objects Deleted from Malware Detection Exclusions | At least one Veeam event with ID 42270 (Objects Deleted from Malware Detection Exclusions) is found. | Once a day |
| Objects for Job Deleted | At least one Veeam event with ID 32120 (Objects for Job Deleted) is found. | Every 5 minutes |
| Objects for Protection Group Changed | At least one Veeam event with ID 29140 (Objects for Protection Group Changed) is found. | Once a day |
| Objects for Protection Group Deleted | At least one Veeam event with ID 29150 (Objects for Protection Group Deleted) is found. | Every 5 minutes |
| Preferred Networks Deleted | At least one Veeam event with ID 32800 (Preferred Networks Deleted) is found. | Once a day |
| Protection Group Deleted | At least one Veeam event with ID 29120 (Protection Group Deleted) is found. | Every 5 minutes |
| Protection Group Settings Updated | At least one Veeam event with ID 29110 (Protection Group Settings Updated) is found. | Once a day |
| Recovery Token Deleted | At least one Veeam event with ID 36013 (Recovery Token Deleted) is found. | Every 3 hours |
| Restore Point Marked as Clean | At least one Veeam event with ID 42230 (Restore Point Marked as Clean) is found. | Once a day |
| Restore Point Marked as Infected | At least one Veeam event with ID 42220 (Restore Point Marked as Infected) is found. | Every 5 minutes |
| Scale-Out Backup Repository Deleted | At least one Veeam event with ID 30200 (Scale-Out Backup Repository Deleted) is found. | Every 5 minutes |
| Scale-Out Backup Repository Settings Updated | At least one Veeam event with ID 30100 (Scale-Out Backup Repository Settings Updated) is found. | Every 5 minutes |
| Service Provider Deleted | At least one Veeam event with ID 27600 (Service Provider Deleted) is found. | Once a day |
| Service Provider Updated | At least one Veeam event with ID 27500 (Service Provider Updated) is found. | Once a day |
| Storage Deleted | At least one Veeam event with ID 41402 (Storage Deleted) is found. | Every 5 minutes |
| Storage Settings Updated | At least one Veeam event with ID 41401 (Storage Settings Updated) is found. | Once a day |
| Subtenant Deleted | At least one Veeam event with ID 25210 (Subtenant Deleted) is found. | Every 5 minutes |
| Subtenant Updated | At least one Veeam event with ID 25220 (Subtenant Updated) is found. | Once a day |
| SureBackup Job Failed | At least one Veeam event with ID 390 (SureBackup Job Finished) and state Failed is found. | Every 3 hours |
| Tape Erase Job Started | At least one Veeam event with ID 115 (Tape Erase Job Started) is found. | Every 5 minutes |
| Tape Library Deleted | At least one Veeam event with ID 23633 (Tape Library Deleted) is found. | Once a day |
| Tape Media Pool Deleted | At least one Veeam event with ID 23630 (Tape Media Pool Deleted) is found. | Once a day |
| Tape Media Vault Deleted | At least one Veeam event with ID 23631 (Tape Media Vault Deleted) is found. | Once a day |
| Tape Medium Deleted | At least one Veeam event with ID 23632 (Tape Medium Deleted) is found. | Every 5 minutes |
| Tape Server Deleted | At least one Veeam event with ID 28800 (Tape Server Deleted) is found. | Once a day |
| Tenant Replica Started | At least one Veeam event with ID 26800 (Tenant Replica Started) is found. | Once a day |
| Tenant Replica Stopped | At least one Veeam event with ID 26900 (Tenant Replica Stopped) is found. | Every 5 minutes |
| Tenant State Changed | At least one Veeam event with ID 25000 (Tenant State Changed) is found. | Once a day |
| User or Group Added | At least one Veeam event with ID 31200 (User or Group Added) is found. | Every 5 minutes |
| User or Group Deleted | At least one Veeam event with ID 31400 (User or Group Deleted) is found. | Every 5 minutes |
| Virtual Lab Deleted | At least one Veeam event with ID 30800 (Virtual Lab Deleted) is found. | Once a day |
| Virtual Lab Settings Updated | At least one Veeam event with ID 30700 (Virtual Lab Settings Updated) is found. | Once a day |
| WAN Accelerator Deleted | At least one Veeam event with ID 27300 (WAN Accelerator Deleted) is found. | Once a day |
| WAN Accelerator Settings Updated | At least one Veeam event with ID 27200 (WAN Accelerator Settings Updated) is found. | Once a day |

Reports

| Query Name | Query Condition | Time Interval for Check |
| --- | --- | --- |
| All Veeam failed multi-factor authentication events for the last 24h | Veeam events with specific IDs related to multi-factor authentication are found. | Once a day |
| All Veeam finished jobs for the last 24h | Veeam events with specific IDs related to job types are found. | Once a day |
| All Veeam four-eyes authorization events for the last 24h | Veeam events with specific IDs related to four-eyes authentication are found. | Once a day |
| All Veeam malware detection events for the last 24h | Veeam events with specific IDs related to malware detection are found. | Once a day |
| All Veeam ONE triggered alarms for the last 7 days | Veeam ONE triggered alarms with specific IDs are found. | Once a week |
| All Veeam security events for the last 7 days | Veeam events with specific IDs related to security events are found. | Once a week |
| All Veeam security events with Critical and High severity for the last 24h | Veeam events with specific IDs related to security events with Critical and High severity are found. | Once a day |