Scheduled Searches
Veeam App for CrowdStrike Falcon LogScale provides you with built-in search queries based on Veeam security activities. You can run queries periodically at specific time intervals and perform a trigger action when search results meet query conditions. By default, all queries are disabled.
For more information about scheduled searches, see Falcon LogScale documentation:
Query List
In the Automation > Scheduled searches section, you can use the following search queries:
Query Name | Query Condition | Time Interval for Check |
---|---|---|
Events | ||
Adding User or Group Failed | At least one Veeam event with ID 31210 (Adding User or Group Failed) is found. | Every 3 hours |
Application Group Deleted | At least one Veeam event with ID 30500 (Application Group Deleted) is found. | Once a day |
Application Group Settings Updated | At least one Veeam event with ID 30400 (Application Group Settings Updated) is found. | Once a day |
Archive Repository Deleted | At least one Veeam event with ID 29900 (Archive Repository Deleted) is found. | Every 5 minutes |
Archive Repository Settings Updated | At least one Veeam event with ID 29800 (Archive Repository Settings Updated) is found. | Every 3 hours |
Backup Proxy Deleted | At least one Veeam event with ID 27900 (Backup Proxy Deleted) is found. | Once a day |
Backup Repository Deleted | At least one Veeam event with ID 28200 (Backup Repository Deleted) is found. | Every 5 minutes |
Backup Repository Settings Updated | At least one Veeam event with ID 28100 (Backup Repository Settings Updated) is found. | Every 3 hours |
Cloud Gateway Deleted | At least one Veeam event with ID 24140 (Cloud Gateway Deleted) is found. | Once a day |
Cloud Gateway Pool Deleted | At least one Veeam event with ID 24143 (Cloud Gateway Pool Deleted) is found. | Once a day |
Cloud Gateway Pool Settings Updated | At least one Veeam event with ID 24142 (Cloud Gateway Pool Settings Updated) is found. | Once a day |
Cloud Gateway Settings Updated | At least one Veeam event with ID 24131 (Cloud Gateway Settings Updated) is found. | Once a day |
Cloud Replica Permanent Failover Performed by Tenant | At least one Veeam event with ID 27000 (Cloud Replica Permanent Failover Performed by Tenant) is found. | Every 5 minutes |
Configuration Backup Job Failed | At least one Veeam event with ID 40700 (Configuration Backup Job Finished) and state Failed is found. | Every 3 hours |
Configuration Backup Job Settings Updated | At least one Veeam event with ID 31500 (Configuration Backup Job Settings Updated) is found. | Once a day |
Connection to Backup Repository Lost | At least one Veeam event with ID 21224 (Connection to Backup Repository Lost) is found. | Every 5 minutes |
Credential Record Deleted | At least one Veeam event with ID 25500 (Credential Record Deleted) is found. | Every 5 minutes |
Credential Record Updated | At least one Veeam event with ID 25400 (Credential Record Updated) is found. | Every 5 minutes |
Detaching Backups Started | At least one Veeam event with ID 41200 (Detaching Backups Started) is found. | Once a day |
Encryption Password Added | At least one Veeam event with ID 31600 (Encryption Password Added) is found. | Once a day |
Encryption Password Changed | At least one Veeam event with ID 31700 (Encryption Password Changed) is found. | Every 5 minutes |
Encryption Password Deleted | At least one Veeam event with ID 31800 (Encryption Password Deleted) is found. | Every 5 minutes |
External Repository Deleted | At least one Veeam event with ID 32200 (External Repository Deleted) is found. | Every 5 minutes |
External Repository Settings Updated | At least one Veeam event with ID 32100 (External Repository Settings Updated) is found. | Once a day |
Failover Plan Deleted | At least one Veeam event with ID 26100 (Failover Plan Deleted) is found. | Every 3 hours |
Failover Plan Settings Updated | At least one Veeam event with ID 26000 (Failover Plan Settings Updated) is found. | Once a day |
Failover Plan Started | At least one Veeam event with ID 26600 (Failover Plan Started) is found. | Every 5 minutes |
Failover Plan Stopped | At least one Veeam event with ID 26700 (Failover Plan Stopped) is found. | Every 3 hours |
File Server Deleted | At least one Veeam event with ID 28950 (File Server Deleted) is found. | Every 5 minutes |
File Server Settings Updated | At least one Veeam event with ID 28940 (File Server Settings Updated) is found. | Once a day |
File Share Deleted | At least one Veeam event with ID 28920 (File Share Deleted) is found. | Every 5 minutes |
Four-Eyes Authorization Disabled | At least one Veeam event with ID 42401 (Four-Eyes Authorization Disabled) is found. | Every 5 minutes |
Four-Eyes Authorization Request Created | At least one Veeam event with ID 42402 (Four-Eyes Authorization Request Created) is found. | Every 5 minutes |
Four-Eyes Authorization Request Expired | At least one Veeam event with ID 42405 (Four-Eyes Authorization Request Expired) is found. | Every 5 minutes |
Four-Eyes Authorization Request Rejected | At least one Veeam event with ID 42404 (Four-Eyes Authorization Request Rejected) is found. | Once a day |
General Settings Updated | At least one Veeam event with ID 31000 (General Settings Updated) is found. | Once a day |
Global Network Traffic Rules Deleted | At least one Veeam event with ID 32400 (Global Network Traffic Rules Deleted) is found. | Once a day |
Global VM Exclusions Added | At least one Veeam event with ID 40400 (Global VM Exclusions Added) is found. | Every 5 minutes |
Global VM Exclusions Changed | At least one Veeam event with ID 40600 (Global VM Exclusions Changed) is found. | Every 5 minutes |
Global VM Exclusions Deleted | At least one Veeam event with ID 40500 (Global VM Exclusions Deleted) is found. | Every 3 hours |
Host Deleted | At least one Veeam event with ID 28500 (Host Deleted) is found. | Every 5 minutes |
Host Settings Updated | At least one Veeam event with ID 28400 (Host Settings Updated) is found. | Once a day |
Hypervisor Host Deleted | At least one Veeam event with ID 25700 (Hypervisor Host Deleted) is found. | Once a day |
Hypervisor Host Settings Updated | At least one Veeam event with ID 25800 (Hypervisor Host Settings Updated) is found. | Once a day |
Invalid Code for Multi-Factor Authentication Entered | At least one Veeam event with ID 40205 (Invalid Code for Multi-Factor Authentication Entered) is found. | Every 5 minutes |
Job Deleted | At least one Veeam event with ID 23090 (Job Deleted) is found. | Every 5 minutes |
Job No Longer Used as Second Destination | At least one Veeam event with ID 23420 (Job No Longer Used as Second Destination) is found. | Every 5 minutes |
KMS Key Rotation Job Finished | At least one Veeam event with ID 42500 (KMS Key Rotation Job Finished) is found. | Once a day |
KMS Server Deleted | At least one Veeam event with ID 42301 (KMS Server Deleted) is found. | Every 5 minutes |
KMS Server Settings Updated | At least one Veeam event with ID 42302 (KMS Server Settings Updated) is found. | Every 5 minutes |
License Expired | At least one Veeam event with ID 24030 (License Expired) is found. | Every 5 minutes |
License Expiring | At least one Veeam event with ID 24020 (License Expiring) is found. | Once a day |
License Grace Period Started | At least one Veeam event with ID 24060 (License Grace Period Started) is found. | Every 3 hours |
License Limit Exceeded | At least one Veeam event with ID 24070 (License Limit Exceeded) is found. | Every 3 hours |
License Removed | At least one Veeam event with ID 24080 (License Removed) is found. | Every 5 minutes |
License Support Expired | At least one Veeam event with ID 24050 (License Support Expired) is found. | Every 5 minutes |
License Support Expiring | At least one Veeam event with ID 24040 (License Support Expiring) is found. | Every 3 hours |
Malware Activity Detected | At least one Veeam event with ID 41600 (Malware Activity Detected) is found. | Every 5 minutes |
Malware Detection Exclusions List Updated | At least one Veeam event with ID 42280 (Malware Detection Exclusions List Updated) is found. | Every 5 minutes |
Malware Detection Session Finished | At least one Veeam event with ID 42210 (Malware Detection Session Finished) is found. | Once a day |
Malware Detection Settings Updated | At least one Veeam event with ID 42290 (Malware Detection Settings Updated) is found. | Every 5 minutes |
Multi-Factor Authentication Disabled | At least one Veeam event with ID 40201 (Multi-Factor Authentication Disabled) is found. | Every 5 minutes |
Multi-Factor Authentication for User Disabled | At least one Veeam event with ID 40204 (Multi-Factor Authentication for User Disabled) is found. | Every 5 minutes |
Multi-Factor Authentication Token Revoked | At least one Veeam event with ID 40202 (Multi-Factor Authentication Token Revoked) is found. | Every 3 hours |
NDMP Server Deleted | At least one Veeam event with ID 28850 (NDMP Server Deleted) is found. | Once a day |
Object Marked as Clean | At least one Veeam event with ID 41610 (Object Marked as Clean) is found. | Once a day |
Object Storage Deleted | At least one Veeam event with ID 28980 (Object Storage Deleted) is found. | Every 5 minutes |
Object Storage Settings Updated | At least one Veeam event with ID 28970 (Object Storage Settings Updated) is found. | Every 3 hours |
Objects Added to Malware Detection Exclusions | At least one Veeam event with ID 42260 (Objects Added to Malware Detection Exclusions) is found. | Every 5 minutes |
Objects Deleted from Malware Detection Exclusions | At least one Veeam event with ID 42270 (Objects Deleted from Malware Detection Exclusions) is found. | Once a day |
Objects for Job Deleted | At least one Veeam event with ID 32120 (Objects for Job Deleted) is found. | Every 5 minutes |
Objects for Protection Group Changed | At least one Veeam event with ID 29140 (Objects for Protection Group Changed) is found. | Once a day |
Objects for Protection Group Deleted | At least one Veeam event with ID 29150 (Objects for Protection Group Deleted) is found. | Every 5 minutes |
Preferred Networks Deleted | At least one Veeam event with ID 32800 (Preferred Networks Deleted) is found. | Once a day |
Protection Group Deleted | At least one Veeam event with ID 29120 (Protection Group Deleted) is found. | Every 5 minutes |
Protection Group Settings Updated | At least one Veeam event with ID 29110 (Protection Group Settings Updated) is found. | Once a day |
Recovery Token Deleted | At least one Veeam event with ID 36013 (Recovery Token Deleted) is found. | Every 3 hours |
Restore Point Marked as Clean | At least one Veeam event with ID 42230 (Restore Point Marked as Clean) is found. | Once a day |
Restore Point Marked as Infected | At least one Veeam event with ID 42220 (Restore Point Marked as Infected) is found. | Every 5 minutes |
Scale-Out Backup Repository Deleted | At least one Veeam event with ID 30200 (Scale-Out Backup Repository Deleted) is found. | Every 5 minutes |
Scale-Out Backup Repository Settings Updated | At least one Veeam event with ID 30100 (Scale-Out Backup Repository Settings Updated) is found. | Every 5 minutes |
Service Provider Deleted | At least one Veeam event with ID 27600 (Service Provider Deleted) is found. | Once a day |
Service Provider Updated | At least one Veeam event with ID 27500 (Service Provider Updated) is found. | Once a day |
Storage Deleted | At least one Veeam event with ID 41402 (Storage Deleted) is found. | Every 5 minutes |
Storage Settings Updated | At least one Veeam event with ID 41401 (Storage Settings Updated) is found. | Once a day |
Subtenant Deleted | At least one Veeam event with ID 25210 (Subtenant Deleted) is found. | Every 5 minutes |
Subtenant Updated | At least one Veeam event with ID 25220 (Subtenant Updated) is found. | Once a day |
SureBackup Job Failed | At least one Veeam event with ID 390 (SureBackup Job Finished) and state Failed is found. | Every 3 hours |
Tape Erase Job Started | At least one Veeam event with ID 115 (Tape Erase Job Started) is found. | Every 5 minutes |
Tape Library Deleted | At least one Veeam event with ID 23633 (Tape Library Deleted) is found. | Once a day |
Tape Media Pool Deleted | At least one Veeam event with ID 23630 (Tape Media Pool Deleted) is found. | Once a day |
Tape Media Vault Deleted | At least one Veeam event with ID 23631 (Tape Media Vault Deleted) is found. | Once a day |
Tape Medium Deleted | At least one Veeam event with ID 23632 (Tape Medium Deleted) is found. | Every 5 minutes |
Tape Server Deleted | At least one Veeam event with ID 28800 (Tape Server Deleted) is found. | Once a day |
Tenant Replica Started | At least one Veeam event with ID 26800 (Tenant Replica Started) is found. | Once a day |
Tenant Replica Stopped | At least one Veeam event with ID 26900 (Tenant Replica Stopped) is found. | Every 5 minutes |
Tenant State Changed | At least one Veeam event with ID 25000 (Tenant State Changed) is found. | Once a day |
User or Group Added | At least one Veeam event with ID 31200 (User or Group Added) is found. | Every 5 minutes |
User or Group Deleted | At least one Veeam event with ID 31400 (User or Group Deleted) is found. | Every 5 minutes |
Virtual Lab Deleted | At least one Veeam event with ID 30800 (Virtual Lab Deleted) is found. | Once a day |
Virtual Lab Settings Updated | At least one Veeam event with ID 30700 (Virtual Lab Settings Updated) is found. | Once a day |
WAN Accelerator Deleted | At least one Veeam event with ID 27300 (WAN Accelerator Deleted) is found. | Once a day |
WAN Accelerator Settings Updated | At least one Veeam event with ID 27200 (WAN Accelerator Settings Updated) is found. | Once a day |
Reports | ||
All Veeam failed multi-factor authentication events for the last 24h | Veeam events with specific IDs related to multi-factor authentication are found. | Once a day |
All Veeam finished jobs for the last 24h | Veeam events with specific IDs related to job types are found. | Once a day |
All Veeam four-eyes authorization events for the last 24h | Veeam events with specific IDs related to four-eyes authentication are found. | Once a day |
All Veeam malware detection events for the last 24h | Veeam events with specific IDs related to malware detection are found. | Once a day |
All Veeam ONE triggered alarms for the last 7 days | Veeam ONE triggered alarms with specific IDs are found. | Once a week |
All Veeam security events for the last 7 days | Veeam events with specific IDs related to security events are found. | Once a week |
All Veeam security events with Critical and High severity for the last 24h | Veeam events with specific IDs related to security events with Critical and High severity are found. | Once a day |