Veeam App for Microsoft Sentinel 1
User Guide
Search

Configuring Watchlists

After you create the configuration playbook, configure the following watchlists required for Veeam connections:

  • Veeam Backup & Replication Settings
  • VONE Settings
  • Coveware Settings
  • Veeam Collection Schedule Settings

Configuring Veeam Backup & Replication Settings

To configure the watchlist, perform the following steps:

  1. Open the Watchlist section:
  • If you use Microsoft Sentinel in the Microsoft Defender portal, click Microsoft Sentinel > Configuration > Watchlist in the portal menu.
  • If you use Microsoft Sentinel in the Microsoft Azure portal, click Configuration > Watchlist in the workspace menu.
  1. On the My watchlists tab, select the Veeam Backup & Replication Settings watchlist.
  2. Click Update watchlist > Update watchlist items.
  3. Leave the example record and click New.
  4. Specify the following settings:
  • In the Veeam Server Name field, specify the DNS name of the Veeam Backup & Replication server. For example, VBRSRV01.
  • In the Base URL field, specify the URL you use to connect to the Veeam Backup & Replication REST API in the <FQDN>:<port> format. The default port number is 9419.
  • To collect malware events, specify true in the Collect Malware Events field or leave this field blank. For more information, see Malware Detection in the Veeam Backup & Replication User Guide.

If you do not want to collect this data, specify false.

  • To collect Security & Compliance Analyzer scan results, specify true in the Collect Security and Compliance Analyzer Results field or leave this field blank. For more information, see Security & Compliance Analyzer in the Veeam Backup & Replication User Guide.

If you do not want to collect this data, specify false.

  • To collect four-eyes authorization events, specify true in the Collect Authorization Events field or leave this field blank. For more information, see Four-Eyes Authorization in the Veeam Backup & Replication User Guide.

If you do not want to collect this data, specify false.

  • To collect configuration backup events, specify true in the Collect Configuration Backups field or leave this field blank. For more information, see Creating Configuration Backups in the Veeam Backup & Replication User Guide.

If you do not want to collect this data, specify false.

  • In the Key Vault Username ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the name of the user account you use to connect to the Veeam Backup & Replication REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Veeam Server Name>Username format. For example, VBRSRV01Username.

  • In the Key Vault Password ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the password of the user account you use to connect to the Veeam Backup & Replication REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Veeam Server Name>Password format. For example, VBRSRV01Password.

Configuring Watchlists 

  1. Delete the example record.
  2. Click Save.

Configuring VONE Settings

To configure the watchlist, perform the following steps:

  1. Open the Watchlist section:
  • If you use Microsoft Sentinel in the Microsoft Defender portal, click Microsoft Sentinel > Configuration > Watchlist in the portal menu.
  • If you use Microsoft Sentinel in the Microsoft Azure portal, click Configuration > Watchlist in the workspace menu.
  1. On the My watchlists tab, select the VONE Settings watchlist.
  2. Click Update watchlist > Update watchlist items.
  3. Leave the example record and click New.
  4. Specify the following settings:
  • In the Veeam Server Name field, specify the DNS name of the Veeam ONE server. For example, VONESRV01.
  • In the Base URL field, specify the URL you use to connect to the Veeam ONE REST API in the <FQDN>:<port> format. The default port number is 1239.
  • To collect triggered alarms, specify true in the Collect Alarms field or leave the field blank. For more information, see Working with Alarms in the Veeam ONE User Guide.

If you do not want to collect this data, specify false.

  • In the Key Vault Username ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the name of the user account you use to connect to the Veeam ONE REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Veeam Server Name>Username format. For example, VONESRV01Username.

  • In the Key Vault Password ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the password of the user account you use to connect to the Veeam ONE REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Veeam Server Name>Password format. For example, VONESRV01Password.

Configuring Watchlists 

  1. Delete the example record.
  2. Click Save.

Configuring Coveware Settings

To configure the watchlist, perform the following steps:

  1. Open the Watchlist section:
  • If you use Microsoft Sentinel in the Microsoft Defender portal, click Microsoft Sentinel > Configuration > Watchlist in the portal menu.
  • If you use Microsoft Sentinel in the Microsoft Azure portal, click Configuration > Watchlist in the workspace menu.
  1. On the My watchlists tab, select the Coveware Settings watchlist.
  2. Click Update watchlist > Update watchlist items.
  3. Leave the example record and click New.
  4. Specify the following settings:
  • In the Coveware Server Name field, specify the DNS name of the server running Recon Scanner. For example, CWSRV01.
  • In the Coveware Base URL field, specify the URL you use to connect to the Recon Scanner REST API. The default URL is https://api.coveware.com.
  • To collect security findings, specify true in the Collect Coveware Findings field or leave the field blank.

If you do not want to collect this data, specify false.

  • In the Key Vault Username ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the name of the user account you use to connect to the Recon Scanner REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Coveware Server Name>Username format. For example, CWSRV01Username.

  • In the Key Vault Password ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the password of the user account you use to connect to the Recon Scanner REST API.

If you leave this field blank, the name of the secret will be created automatically in the <Coveware Server Name>Password format. For example, CWSRV01Password.

  • In the Key Vault Client ID field, enter the name of the secret that will be created in the Azure Key Vault instance you specified during the Veeam Data Connector deployment. This secret will contain the client ID you get during the integration process in the Coveware portal.

If you leave this field blank, the name of the secret will be created automatically in the <Coveware Server Name>ClientId format. For example, CWSRV01ClientId.

Configuring Watchlists 

  1. Delete the example record.
  2. Click Save.

Configuring Veeam Collection Schedule Settings

To configure the watchlist, perform the following steps:

  1. Open the Watchlist section:
  • If you use Microsoft Sentinel in the Microsoft Defender portal, click Microsoft Sentinel > Configuration > Watchlist in the portal menu.
  • If you use Microsoft Sentinel in the Microsoft Azure portal, click Configuration > Watchlist in the workspace menu.
  1. On the Watchlist tab, select the Veeam Collection Schedule Settings watchlist.
  2. Click Update watchlist > Update watchlist items.
  3. Review schedule settings for the following data collection operations. If required, update the time interval and time unit or leave the default values.
  • Veeam-CollectMalwareEvents — Collects malware events from Veeam Backup & Replication servers. By default, malware events are collected every 4 hours.
  • Veeam-CollectVeeamAuthorizationEvents — Collects four-eyes authorization events from Veeam Backup & Replication servers. By default, four-eyes authorization events are collected every 4 hours.
  • Veeam-CollectSecurityComplianceAnalyzerResult — Collects Security & Compliance Analyzer scan results from Veeam Backup & Replication servers. By default, scan results are collected once a day.
  • Veeam-CollectVeeamONEAlarms — Collects triggered alarms from Veeam ONE servers. By default, triggered alarms are collected once a day.
  • Veeam-CollectCovewareFindings — Collects security findings from Coveware servers. By default, security findings are collected once a day.
  • Veeam-CollectConfigurationBackups — Collects configuration backup jobs from Veeam Backup & Replication servers. By default, configuration backup jobs are collected once a day.

Note

Supported time unit values: Day, Hour.

Configuring Watchlists 

  1. Click Save.
View all results across Veeam Help Center
Back to document search