Analytics Rules Reference
The table below lists analytics rules supported by Veeam App for Microsoft Sentinel.
Rule Name | Description | Severity | Schedule |
|---|---|---|---|
Adding User or Group Failed | Detects failed attempts to add a user or user group to Veeam Backup & Replication. | Low | Every 3 hours |
Application Group Deleted | Detects when an application group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Application Group Settings Updated | Detects when application group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Archive Repository Deleted | Detects when an archive repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Archive Repository Settings Updated | Detects when archive repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
Attempt to Delete Backup Failed | Detects failed backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | High | Every 5 minutes |
Attempt to Update Security Object Failed | Detects failed attempts to update security objects in Veeam Backup & Replication. Security objects include users and roles, credential records, certificates, or passwords. | High | Every 5 minutes |
Backup Proxy Deleted | Detects when a backup proxy is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Backup Repository Deleted | Detects when a backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Backup Repository Settings Updated | Detects when backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
Best Practice Compliance Check Not Passed | Detects when a security best practice does not pass a compliance check in Veeam Security & Compliance Analyzer. | Medium | Every 5 minutes |
Cloud Gateway Deleted | Detects when a cloud gateway is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Cloud Gateway Pool Deleted | Detects when a cloud gateway pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Cloud Gateway Pool Settings Updated | Detects when cloud gateway pool settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Cloud Gateway Settings Updated | Detects when cloud gateway settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Cloud Replica Permanent Failover Performed by Tenant | Detects permanent failover of a cloud replica initiated by a tenant. This might indicate disaster recovery activity or issues with primary systems. | High | Every 5 minutes |
Configuration Backup Failed | Detects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | High | Every 5 minutes |
Configuration Backup Job Failed | Detects failed configuration backup operations. This might indicate system or storage issues, or a potential sabotage of the backup infrastructure. | Medium | Every 5 minutes |
Configuration Backup Job Settings Updated | Detects when configuration backup job settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Connection to Backup Repository Lost | Detects when a backup server fails to connect to a backup repository. | High | Every 5 minutes |
Credential Record Deleted | Detects when a credential record is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Credential Record Updated | Detects when a credential record is updated in Veeam Backup & Replication. | High | Every 5 minutes |
Detaching Backups Started | Detects when a backup file is detached from a backup job. | Informational | Once a day |
Encryption Password Added | Detects when an encryption password is added to Veeam Backup & Replication. | Informational | Once a day |
Encryption Password Changed | Detects when an encryption password is updated in Veeam Backup & Replication. | High | Every 5 minutes |
Encryption Password Deleted | Detects when an encryption password is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
External Repository Deleted | Detects when an external repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
External Repository Settings Updated | Detects when external repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Failover Plan Deleted | Detects when a failover plan is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
Failover Plan Failed | Detects when a failover plan fails. This might indicate disaster recovery activity or issues with primary systems. | Low | Every 3 hours |
Failover Plan Settings Updated | Detects when failover plan settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Failover Plan Started | Detects when a failover plan starts. This might indicate disaster recovery activity or issues with primary systems. | High | Every 5 minutes |
Failover Plan Stopped | Detects when a failover plan stops. This might indicate disaster recovery activity or issues with primary systems. | Medium | Every 5 minutes |
File Server Deleted | Detects when a file server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
File Server Settings Updated | Detects when file server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
File Share Deleted | Detects when a file share is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Four-Eyes Authorization Disabled | Detects when four-eyes authorization is disabled. | High | Every 5 minutes |
Four-Eyes Authorization Request Created | Detects when a four-eyes authorization request is created. | High | Every 5 minutes |
Four-Eyes Authorization Request Expired | Detects when a four-eyes authorization request is expired. | Medium | Every 5 minutes |
Four-Eyes Authorization Request Rejected | Detects when a four-eyes authorization request is rejected. | Informational | Once a day |
General Settings Updated | Detects when Veeam Backup & Replication general settings are updated. This might indicate configuration changes that require review. | Informational | Once a day |
Global Network Traffic Rules Deleted | Detects when a global network traffic rule is deleted in Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
Global VM Exclusions Added | Detects when global VM exclusions are added in Veeam Backup & Replication. | High | Every 5 minutes |
Global VM Exclusions Changed | Detects when global VM exclusions are updated in Veeam Backup & Replication. | High | Every 5 minutes |
Global VM Exclusions Deleted | Detects when a VM is removed from global exclusions in Veeam Backup & Replication. This might indicate unauthorized changes. | Low | Every 3 hours |
Host Deleted | Detects when a host is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
Host Settings Updated | Detects when host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Hypervisor Host Deleted | Detects when a hypervisor host is deleted from Veeam Backup & Replication. This might indicate unauthorized changes to the virtualization environment. | Informational | Once a day |
Hypervisor Host Settings Updated | Detects when hypervisor host settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Invalid Code for Multi-Factor Authentication Entered | Detects failed multi-factor authentication attempts. This might indicate credential stuffing or brute-force attacks. | High | Every 5 minutes |
Job Deleted | Detects when a job is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Job No Longer Used as Second Destination | Detects when a job used as a secondary destination is removed. | High | Every 5 minutes |
KMS Key Rotation Job Finished | Detects when a KMS key rotation job is finished. | Informational | Once a day |
KMS Server Deleted | Detects when a KMS server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
KMS Server Settings Updated | Detects when KMS server settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | High | Every 5 minutes |
License Expired | Detects when a Veeam license is expired. This could impact backup operations and data protection. | High | Every 5 minutes |
License Expiring | Detects when a Veeam license expires shortly. | Informational | Once a day |
License Grace Period Started | Detects when a Veeam license grace period starts. This might indicate potential licensing issues that need attention. | High | Every 5 minutes |
License Limit Exceeded | Detects when the Veeam license limit is exceeded. | Medium | Every 5 minutes |
License Removed | Detects when the Veeam license is removed from Veeam Backup & Replication. | High | Every 5 minutes |
License Support Expired | Detects when the Veeam support contract is expired. This might impact backup operations and data protection. | High | Every 5 minutes |
License Support Expiring | Detects when the Veeam support contract expires shortly. | Low | Every 3 hours |
Malware Activity Detected | Detects when restore points are marked as suspicious. This might indicate potential compromise of backup data. | High | Every 5 minutes |
Malware Detection Exclusions List Updated | Detects when malware detection exclusions are updated. This might indicate potential compromise of backup data. | Medium | Every 5 minutes |
Malware Detection Session Finished | Detects when a malware detection session finishes. | Informational | Once a day |
Malware Detection Settings Updated | Detects when malware detection settings are updated. | High | Every 5 minutes |
Malware Event Detected | Detects when restore points are marked as infected. This might indicate potential compromise of backup data. | Medium | Every 5 minutes |
Multi-Factor Authentication Disabled | Detects when multi-factor authentication is disabled for all users. | High | Every 5 minutes |
Multi-Factor Authentication for User Disabled | Detects when multi-factor authentication is disabled for a specific user. | High | Every 5 minutes |
Multi-Factor Authentication Token Revoked | Detects when a multi-factor authentication token is revoked. | Medium | Every 5 minutes |
Multi-Factor Authentication User Locked | Detects when the allowed number of multi-factor authentication attempts is exceeded for a user. | High | Every 5 minutes |
NDMP Server Deleted | Detects when an NDMP server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Object Marked as Clean | Detects when an object is marked as clean. | Informational | Once a day |
Object Storage Deleted | Detects when an object storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Object Storage Settings Updated | Detects when object storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
Objects Added to Malware Detection Exclusions | Detects when an object is added to malware detection exclusions. | High | Every 5 minutes |
Objects Deleted from Malware Detection Exclusions | Detects when an object is deleted from malware detection exclusions. | Informational | Once a day |
Objects for Job Deleted | Detects when objects are deleted from the job. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Objects for Protection Group Changed | Detects when protection group objects are updated. | Informational | Once a day |
Objects for Protection Group Deleted | Detects when objects are deleted from a protection group. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Preferred Networks Deleted | Detects when a preferred network is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Protection Group Deleted | Detects when a protection group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Protection Group Settings Updated | Detects when protection group settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Recovery Token Deleted | Detects when a recovery token is deleted. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
Restore Point Marked as Clean | Detects when a restore point is marked as clean. | Informational | Once a day |
Restore Point Marked as Infected | Detects when a restore point is marked as infected. | High | Every 5 minutes |
Scale-Out Backup Repository Deleted | Detects when a scale-out backup repository is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Scale-Out Backup Repository Settings Updated | Detects when scale-out backup repository settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
Service Provider Deleted | Detects when a service provider is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Service Provider Updated | Detects when service provider settings are updated in Veeam Backup & Replication. | Informational | Once a day |
SSH Credentials Changed | Detects when SSH credentials are updated. | High | Every 5 minutes |
Storage Deleted | Detects when storage is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Storage Settings Updated | Detects when storage settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |
Subtenant Deleted | Detects when a subtenant is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Subtenant Updated | Detects when subtenant settings are updated in Veeam Backup & Replication. | Informational | Once a day |
SureBackup Job Failed | Detects failed SureBackup job operations. This might indicate malware issues, storage problems, or potential sabotage of backup infrastructure. | High | Every 5 minutes |
Tape Erase Job Started | Detects when tape erase operations start. This might indicate data destruction activity. | High | Every 5 minutes |
Tape Library Deleted | Detects when a tape library is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Tape Media Pool Deleted | Detects when a tape media pool is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Tape Media Vault Deleted | Detects when a tape media vault is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Tape Medium Deleted | Detects when a tape medium is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Tape Server Deleted | Detects when a tape server is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Tenant Password Changed | Detects when a tenant password is updated. | High | Every 5 minutes |
Tenant Quota Changed | Detects when a tenant quota is updated. | Informational | Once a day |
Tenant Quota Deleted | Detects when a tenant quota is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
Tenant Replica Started | Detects when a tenant replica starts. | Informational | Once a day |
Tenant Replica Stopped | Detects when a tenant replica stops. | High | Every 5 minutes |
Tenant State Changed | Detects when tenant state is updated. | Informational | Once a day |
User or Group Added | Detects when a user or user group is added to Veeam Backup & Replication. | High | Every 5 minutes |
User or Group Deleted | Detects when a user or user group is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | High | Every 5 minutes |
Veeam ONE Application with No Recent Data Backup Sessions | Detects applications with no recent backup sessions. | High | Every 5 minutes |
Veeam ONE Backup Copy RPO | Detects Veeam ONE Backup Copy RPO violation alerts. | High | Every 5 minutes |
Veeam ONE Backup Server Security and Compliance State | Detects backup server security and compliance state issues. | Medium | Every 5 minutes |
Veeam ONE Computer with No Backup | Detects computers with no backup. | High | Every 5 minutes |
Veeam ONE Immutability Change Tracking | Detects changes in Veeam ONE immutability tracking configuration. | Medium | Every 5 minutes |
Veeam ONE Immutability State | Detects changes in the immutability state of Veeam Backup & Replication repositories. This might indicate configuration changes that require review. | Medium | Every 5 minutes |
Veeam ONE Job Disabled | Detects when a Veeam ONE job is disabled. | Medium | Every 5 minutes |
Veeam ONE Job Disabled (Veeam Backup for Microsoft Office 365) | Detects when Veeam Backup for Microsoft Office 365 jobs are disabled. | Medium | Every 5 minutes |
Veeam ONE Malware Detection Change Tracking | Detects changes in Veeam ONE malware detection tracking. | High | Every 5 minutes |
Veeam ONE Possible Ransomware Activity (Hyper-V) | Detects Veeam ONE possible ransomware activity alerts for Microsoft Hyper-V. | High | Every 5 minutes |
Veeam ONE Possible Ransomware Activity (vSphere) | Detects Veeam ONE possible ransomware activity alerts for VMware vSphere. | High | Every 5 minutes |
Veeam ONE Suspicious Incremental Backup Size | Detects suspiciously large incremental backup sizes. | High | Every 5 minutes |
Veeam ONE Unusual Job Duration | Detects Veeam ONE unusual job duration alerts. | Medium | Every 5 minutes |
Veeam ONE Unusual Job Duration (Veeam Backup for Microsoft Office 365) | Detects Veeam Backup for Microsoft Office 365 jobs with unusual execution duration. | Medium | Every 5 minutes |
Veeam ONE VM with No Backup | Detects Veeam ONE VMs with no backup. | High | Every 5 minutes |
Veeam ONE VM with No Backup (Hyper-V) | Detects Veeam ONE VMs with no backup (Hyper-V). | High | Every 5 minutes |
Veeam ONE VM with No Replica | Detects Veeam ONE VMs with no replica configuration. | High | Every 5 minutes |
Veeam ONE VM with No Replica (Hyper-V) | Detects Hyper-V VMs with no replica configured. | High | Every 5 minutes |
Virtual Lab Deleted | Detects when a virtual lab is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Low | Every 3 hours |
Virtual Lab Settings Updated | Detects when virtual lab settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Low | Every 3 hours |
WAN Accelerator Deleted | Detects when a WAN accelerator is deleted from Veeam Backup & Replication. This might indicate unauthorized removal of critical components. | Informational | Once a day |
WAN Accelerator Settings Updated | Detects when WAN accelerator settings are updated in Veeam Backup & Replication. This might indicate configuration changes that require review. | Informational | Once a day |