Creating Collection Playbooks

Veeam App for Microsoft Sentinel includes the following playbooks to manage Veeam data collection through Veeam REST APIs:

  • Veeam-CollectVeeamAuthorizationEvents — Collects four-eyes authorization events from Veeam Backup & Replication servers.
  • Veeam-CollectConfigurationBackups — Collects configuration backup events from Veeam Backup & Replication servers.
  • Veeam-CollectSecurityComplianceAnalyzerResult — Collects Security & Compliance Analyzer scan results from Veeam Backup & Replication servers.
  • Veeam-CollectMalwareEvents — Collects malware events from Veeam Backup & Replication servers.
  • Veeam-CollectVeeamONEAlarms — Collects triggered alarms from Veeam ONE servers.
  • Veeam-CollectCovewareFindings — Collects security findings from servers running Recon Scanner.
  • Veeam-ChangeCollectionTime — Updates the collection interval for all collection playbooks.

You need to create a collection playbook if you configured data collection for specific events in the watchlist settings. For more information, see Configuring Watchlists.

To create a collection playbook, perform the following steps:

  1. Open the Automation section:
       • If you use Microsoft Sentinel in the Microsoft Defender portal, click Microsoft Sentinel > Configuration > Automation in the portal menu.
       • If you use Microsoft Sentinel in the Microsoft Azure portal, click Configuration > Automation in the workspace menu.
  2. On the Playbook templates tab, select a playbook.

Note

Before you create the playbook, make sure that you configure the required Microsoft Azure components, assign roles, and grant permissions. For more information, see the Prerequisites section in the playbook description.

  3. Click Create playbook.
  4. At the Basics step of the wizard, review default values for the subscription, resource group, and playbook name, and update them if required.
  5. At the Parameters step of the wizard, specify the following parameters:
       • functionAppName — The name of the application you specified during the Veeam Data Connector deployment. The default value is veeamapp.

         This parameter is not required for the Veeam-ChangeCollectionTime playbook.

       • workspaceId — The ID of the Log Analytics workspace that contains Microsoft Sentinel. You can find the workspace ID in the Microsoft Sentinel > Settings > Workspace settings section.

     For other parameters, leave the default values.

  6. At the Connections step of the wizard, review default values for connections and update them if required.
  7. To complete the wizard and create the playbook, click Review + create > Create playbook.

Created collection playbooks are displayed on the Logic apps service page.
