Analytics Rules Reference
The table below lists analytics rules supported by Veeam App for Microsoft Sentinel.
| Rule Name | Description | Severity | Schedule |
|---|---|---|---|
| Adding User or Group Failed | Detects failed attempts to add a user or user group to Veeam Backup & Replication. | Low | Every 3 hours |
| Application Group Deleted | Detects when an application group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Application Group Settings Updated | Detects when application group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Archive Repository Deleted | Detects when an archive repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Archive Repository Settings Updated | Detects when archive repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
| Attempt to Delete Backup Failed | Detects failed backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | High | Every 5 minutes |
| Attempt to Update Security Object Failed | Detects failed attempts to update security objects in Veeam Backup & Replication. Security objects include users and roles, credential records, certificates, or passwords. | High | Every 5 minutes |
| Backup Proxy Deleted | Detects when a backup proxy is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Backup Repository Deleted | Detects when a backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Backup Repository Settings Updated | Detects when backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
| Best Practice Compliance Check Not Passed | Detects when a security best practice does not pass a compliance check in Veeam Security & Compliance Analyzer. | Medium | Every 5 minutes |
| Cloud Gateway Deleted | Detects when a cloud gateway is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Cloud Gateway Pool Deleted | Detects when a cloud gateway pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Cloud Gateway Pool Settings Updated | Detects when cloud gateway pool settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Cloud Gateway Settings Updated | Detects when cloud gateway settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Cloud Replica Permanent Failover Performed by Tenant | Detects permanent failover of a cloud replica initiated by a tenant. This might indicate disaster recovery activity or issues with primary systems. | High | Every 5 minutes |
| Configuration Backup Failed | Detects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | High | Every 5 minutes |
| Configuration Backup Job Failed | Detects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | Medium | Every 5 minutes |
| Configuration Backup Job Settings Updated | Detects when configuration backup job settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Connection to Backup Repository Lost | Detects when a backup server fails to connect to a backup repository. | High | Every 5 minutes |
| Credential Record Deleted | Detects when a credential record is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Credential Record Updated | Detects when a credential record is updated in Veeam Backup & Replication. | High | Every 5 minutes |
| Detaching Backups Started | Detects when a backup file is detached from a backup job. | Informational | Once a day |
| Encryption Password Added | Detects when an encryption password is added to Veeam Backup & Replication. | Informational | Once a day |
| Encryption Password Changed | Detects when an encryption password is updated in Veeam Backup & Replication. | High | Every 5 minutes |
| Encryption Password Deleted | Detects when an encryption password is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| External Repository Deleted | Detects when an external repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| External Repository Settings Updated | Detects when external repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Failover Plan Deleted | Detects when a failover plan is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
| Failover Plan Failed | Detects when a failover plan fails. This might indicate disaster recovery activity or issues with primary systems. | Low | Every 3 hours |
| Failover Plan Settings Updated | Detects when failover plan settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Failover Plan Started | Detects when a failover plan starts. This might indicate disaster recovery activity or issues with primary systems. | High | Every 5 minutes |
| Failover Plan Stopped | Detects when a failover plan stops. This might indicate disaster recovery activity or issues with primary systems. | Medium | Every 5 minutes |
| File Server Deleted | Detects when a file server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| File Server Settings Updated | Detects when file server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| File Share Deleted | Detects when a file share is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Four-Eyes Authorization Disabled | Detects when four-eyes authorization is disabled. | High | Every 5 minutes |
| Four-Eyes Authorization Request Created | Detects when a four-eyes authorization request is created. | High | Every 5 minutes |
| Four-Eyes Authorization Request Expired | Detects when a four-eyes authorization request is expired. | Medium | Every 5 minutes |
| Four-Eyes Authorization Request Rejected | Detects when a four-eyes authorization request is rejected. | Informational | Once a day |
| General Settings Updated | Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review. | Informational | Once a day |
| Global Network Traffic Rules Deleted | Detects when a global network traffic rule is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
| Global VM Exclusions Added | Detects when global VM exclusions are added in Veeam Backup & Replication. | High | Every 5 minutes |
| Global VM Exclusions Changed | Detects when global VM exclusions are updated in Veeam Backup & Replication. | High | Every 5 minutes |
| Global VM Exclusions Deleted | Detects when a VM is removed from global exclusions in Veeam Backup & Replication. This might indicate unauthorized changes. | Low | Every 3 hours |
| Host Deleted | Detects when a host is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
| Host Settings Updated | Detects when host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Hypervisor Host Deleted | Detects when a hypervisor host is deleted from Veeam Backup & Replication. This might indicate unauthorized changes to the virtualization environment. | Informational | Once a day |
| Hypervisor Host Settings Updated | Detects when hypervisor host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Invalid Code for Multi-Factor Authentication Entered | Detects failed multi-factor authentication attempts. This might indicate credential stuffing or brute-force attacks. | High | Every 5 minutes |
| Job Deleted | Detects when a job is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Job No Longer Used as Second Destination | Detects when a job used as a secondary destination is removed. | High | Every 5 minutes |
| KMS Key Rotation Job Finished | Detects when a KMS key rotation job is finished. | Informational | Once a day |
| KMS Server Deleted | Detects when a KMS server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| KMS Server Settings Updated | Detects when KMS server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | High | Every 5 minutes |
| License Expired | Detects when a Veeam license is expired. This could impact backup operations and data protection. | High | Every 5 minutes |
| License Expiring | Detects when a Veeam license expires shortly. | Informational | Once a day |
| License Grace Period Started | Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention. | High | Every 5 minutes |
| License Limit Exceeded | Detects when the Veeam license limit is exceeded. | Medium | Every 5 minutes |
| License Removed | Detects when the Veeam license is removed from Veeam Backup & Replication. | High | Every 5 minutes |
| License Support Expired | Detects when the Veeam support contract is expired. This might impact backup operations and data protection. | High | Every 5 minutes |
| License Support Expiring | Detects when the Veeam support contract expires shortly. | Low | Every 3 hours |
| Malware Activity Detected | Detects when restore points are marked as suspicious. This might indicate potential compromise of backup data. | High | Every 5 minutes |
| Malware Detection Exclusions List Updated | Detects when malware detection exclusions are updated. This might indicate potential compromise of backup data. | Medium | Every 5 minutes |
| Malware Detection Session Finished | Detects when a malware detection session finishes. | Informational | Once a day |
| Malware Detection Settings Updated | Detects when malware detection settings are updated. | High | Every 5 minutes |
| Malware Event Detected | Detects when restore points are marked as infected. This might indicate potential compromise of backup data. | Medium | Every 5 minutes |
| Multi-Factor Authentication Disabled | Detects when multi-factor authentication is disabled for all users. | High | Every 5 minutes |
| Multi-Factor Authentication for User Disabled | Detects when multi-factor authentication is disabled for a specific user. | High | Every 5 minutes |
| Multi-Factor Authentication Token Revoked | Detects when a multi-factor authentication token is revoked. | Medium | Every 5 minutes |
| Multi-Factor Authentication User Locked | Detects when the allowed number of multi-factor authentication attempts is exceeded for a user. | High | Every 5 minutes |
| NDMP Server Deleted | Detects when an NDMP server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Object Marked as Clean | Detects when an object is marked as clean. | Informational | Once a day |
| Object Storage Deleted | Detects when an object storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Object Storage Settings Updated | Detects when object storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
| Objects Added to Malware Detection Exclusions | Detects when an object is added to malware detection exclusions. | High | Every 5 minutes |
| Objects Deleted from Malware Detection Exclusions | Detects when an object is deleted from malware detection exclusions. | Informational | Once a day |
| Objects for Job Deleted | Detects when objects are deleted from the job. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Objects for Protection Group Changed | Detects when protection group objects are updated. | Informational | Once a day |
| Objects for Protection Group Deleted | Detects when objects are deleted from a protection group. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Preferred Networks Deleted | Detects when a preferred network is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Protection Group Deleted | Detects when a protection group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Protection Group Settings Updated | Detects when protection group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Recovery Token Deleted | Detects when a recovery token is deleted. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
| Restore Point Marked as Clean | Detects when a restore point is marked as clean. | Informational | Once a day |
| Restore Point Marked as Infected | Detects when a restore point is marked as infected. | High | Every 5 minutes |
| Scale-Out Backup Repository Deleted | Detects when a scale-out backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Scale-Out Backup Repository Settings Updated | Detects when scale-out backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
| Service Provider Deleted | Detects when a service provider is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Service Provider Updated | Detects when service provider settings are updated in Veeam Backup & Replication. | Informational | Once a day |
| SSH Credentials Changed | Detects when SSH credentials are updated. | High | Every 5 minutes |
| Storage Deleted | Detects when storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Storage Settings Updated | Detects when storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
| Subtenant Deleted | Detects when a subtenant is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Subtenant Updated | Detects when subtenant settings are updated in Veeam Backup & Replication. | Informational | Once a day |
| SureBackup Job Failed | Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure. | High | Every 5 minutes |
| Tape Erase Job Started | Detects when tape erase operations start. This might indicate data destruction activity. | High | Every 5 minutes |
| Tape Library Deleted | Detects when a tape library is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Tape Media Pool Deleted | Detects when a tape media pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Tape Media Vault Deleted | Detects when a tape media vault is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Tape Medium Deleted | Detects when a tape medium is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Tape Server Deleted | Detects when a tape server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Tenant Password Changed | Detects when a tenant password is updated. | High | Every 5 minutes |
| Tenant Quota Changed | Detects when a tenant quota is updated. | Informational | Once a day |
| Tenant Quota Deleted | Detects when a tenant quota is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| Tenant Replica Started | Detects when a tenant replica starts. | Informational | Once a day |
| Tenant Replica Stopped | Detects when a tenant replica stops. | High | Every 5 minutes |
| Tenant State Changed | Detects when tenant state is updated. | Informational | Once a day |
| User or Group Added | Detects when a user or user group is added to Veeam Backup & Replication. | High | Every 5 minutes |
| User or Group Deleted | Detects when a user or user group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
| Veeam ONE Application with No Recent Data Backup Sessions | Detects applications with no recent backup sessions. | High | Every 5 minutes |
| Veeam ONE Backup Copy RPO | Detects Veeam ONE Backup Copy RPO violation alerts. | High | Every 5 minutes |
| Veeam ONE Backup Server Security and Compliance State | Detects backup server security and compliance state issues. | Medium | Every 5 minutes |
| Veeam ONE Computer with No Backup | Detects computers with no backup. | High | Every 5 minutes |
| Veeam ONE Immutability Change Tracking | Detects changes in Veeam ONE immutability tracking configuration. | Medium | Every 5 minutes |
| Veeam ONE Immutability State | Detects changes in the immutability state of Veeam Backup & Replication repositories. This might indicate configuration changes that require review. | Medium | Every 5 minutes |
| Veeam ONE Job Disabled | Detects when a Veeam ONE job is disabled. | Medium | Every 5 minutes |
| Veeam ONE Job Disabled (Veeam Backup for Microsoft Office 365) | Detects when Veeam Backup for Microsoft Office 365 jobs are disabled. | Medium | Every 5 minutes |
| Veeam ONE Malware Detection Change Tracking | Detects changes in Veeam ONE malware detection tracking. | High | Every 5 minutes |
| Veeam ONE Possible Ransomware Activity (Hyper-V) | Detects Veeam ONE possible ransomware activity alerts for Microsoft Hyper-V. | High | Every 5 minutes |
| Veeam ONE Possible Ransomware Activity (vSphere) | Detects Veeam ONE possible ransomware activity alerts for VMware vSphere. | High | Every 5 minutes |
| Veeam ONE Suspicious Incremental Backup Size | Detects suspiciously large incremental backup sizes. | High | Every 5 minutes |
| Veeam ONE Unusual Job Duration | Detects Veeam ONE unusual job duration alerts. | Medium | Every 5 minutes |
| Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft Office 365) | Detects Veeam Backup for Microsoft Office 365 jobs with unusual execution duration. | Medium | Every 5 minutes |
| Veeam ONE VM with No Backup | Detects Veeam ONE VMs with no backup. | High | Every 5 minutes |
| Veeam ONE VM with No Backup (Hyper-V) | Detects Veeam ONE VMs with no backup (Hyper-V). | High | Every 5 minutes |
| Veeam ONE VM with No Replica | Detects Veeam ONE VMs with no replica configuration. | High | Every 5 minutes |
| Veeam ONE VM with No Replica (Hyper-V) | Detects Hyper-V VMs with no replica configured. | High | Every 5 minutes |
| Virtual Lab Deleted | Detects when a virtual lab is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
| Virtual Lab Settings Updated | Detects when virtual lab settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
| WAN Accelerator Deleted | Detects when a WAN accelerator is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
| WAN Accelerator Settings Updated | Detects when WAN accelerator settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |