Correlation Rule Templates

This section contains the list of Veeam correlation rule templates with recommended settings and examples of XQL search queries. For more details on how to add a correlation, see Adding Correlations.

Allowed Attempts for Multi-Factor Authentication Exceeded

Rule Name: Allowed Attempts for Multi-Factor Authentication Exceeded

Rule Description: Sent when a user exceeds the allowed number of attempts for multi-factor authentication.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("40206")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _endpoint=arrayindex(regextract(_raw_log, "Endpoint\=\"([^\"]*)\""), 0),
   _sid=arrayindex(regextract(_raw_log, "SID\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _endpoint as `Endpoint`, _sid as `User SID`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Archive Repository Deleted

Rule Name: Archive Repository Deleted

Rule Description: Sent when a user deletes an archive repository from the backup infrastructure.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("29900")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _name=arrayindex(regextract(_raw_log, "Name\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _name as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Attempt to Delete Backup Failed

Rule Name: Attempt to Delete Backup Failed

Rule Description: Sent when a user with insufficient privileges tries to delete a backup file.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("41800")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "param3\=\"([^\"]*)\""), 0),
   _endpoint=arrayindex(regextract(_raw_log, "param2\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _endpoint as `Endpoint`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Attempt To Update Security Object Failed

Rule Name: Attempt To Update Security Object Failed

Rule Description: Sent when a user with insufficient privileges tries to update a security object including users and roles, credential records, certificates, or passwords.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("41810")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "param3\=\"([^\"]*)\""), 0),
   _endpoint=arrayindex(regextract(_raw_log, "param2\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _endpoint as `Endpoint`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Backup Repository Deleted

Rule Name: Backup Repository Deleted

Rule Description: Sent when a user deletes a backup repository from the backup infrastructure.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("28200")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _repositoryName=arrayindex(regextract(_raw_log, "Name\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _repositoryName as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Connection to Backup Repository Lost

Rule Name: Connection to Backup Repository Lost

Rule Description: Sent when a backup server fails to connect to a backup repository.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("21224")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _hostName=arrayindex(regextract(_raw_log, "HostName\=\"([^\"]*)\""), 0),
   _objectName=arrayindex(regextract(_raw_log, "ObjectName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _hostName as `Data Source Name`, _objectName as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Credential Record Deleted

Rule Name: Credential Record Deleted

Rule Description: Sent when a user deletes a credential record.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("25500")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _accountName=arrayindex(regextract(_raw_log, "AccountName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _accountName as `Credential Record`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Encryption Password Deleted

Rule Name: Encryption Password Deleted

Rule Description: Sent when a user deletes an encryption password.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("31800")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _hint=arrayindex(regextract(_raw_log, "Hint\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _hint as `Hint`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

External Repository Deleted

Rule Name: External Repository Deleted

Rule Description: Sent when a user deletes an external repository from the backup infrastructure.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("32200")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _repositoryName=arrayindex(regextract(_raw_log, "RepositoryName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _repositoryName as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Four-Eyes Authorization Disabled

Rule Name: Four-Eyes Authorization Disabled

Rule Description: Sent when a user disables four-eyes authorization.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("42401")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _operation=arrayindex(regextract(_raw_log, "Operation\=\"([^\"]*)\""), 0),
   _user=arrayindex(regextract(_raw_log, "FullName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _operation as `Operation Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Four-Eyes Authorization Request Created

Rule Name: Four-Eyes Authorization Request Created

Rule Description: Sent when a user creates a four-eyes authorization request.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("42402")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _operation=arrayindex(regextract(_raw_log, "Operation\=\"([^\"]*)\""), 0),
   _user=arrayindex(regextract(_raw_log, "FullName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _operation as `Operation Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Job Deleted

Rule Name: Job Deleted

Rule Description: Sent when a user deletes a job.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("23090")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "param6\=\"([^\"]*)\""), 0),
   _jobName=arrayindex(regextract(_raw_log, "JobName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _jobName as `Job Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

KMS Server Deleted

Rule Name: KMS Server Deleted

Rule Description: Sent when a user exceeds the allowed number of attempts for multi-factor authentication.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("42301")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _name=arrayindex(regextract(_raw_log, "Name\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _name as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Malware Activity Detected

Rule Name: Malware Activity Detected

Rule Description: Sent when malware activity is detected.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("41600")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _activityType=arrayindex(regextract(_raw_log, "ActivityType\=\"([^\"]*)\""), 0),
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _activityType as `Malware Detection Method`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Malware Detection Settings Updated

Rule Name: Malware Detection Settings Updated

Rule Description: Sent when a user updates malware detection settings.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("42290")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="High",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: High

Category: Other

Multi-Factor Authentication Disabled

Rule Name: Multi-Factor Authentication Disabled

Rule Description: Sent when a user disables multi-factor authentication for all users.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("40201")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "fullName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Multi-Factor Authentication for User Disabled

Rule Name: Multi-Factor Authentication for User Disabled

Rule Description: Sent when a user disables multi-factor authentication for a specific user if it is used as a service account.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("40204")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "fullName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Object Storage Deleted

Rule Name: Object Storage Deleted

Rule Description: Sent when a user deletes an object storage repository from the backup infrastructure.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("28980")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0),
   _name=arrayindex(regextract(_raw_log, "param4\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _name as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

Storage Deleted

Rule Name: Storage Deleted

Rule Description: Sent when a user deletes a storage appliance from the backup infrastructure.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("41402")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "param6\=\"([^\"]*)\""), 0),
   _name=arrayindex(regextract(_raw_log, "name\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _name as `Object Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other

User or Group Deleted

Rule Name: User or Group Deleted

Rule Description: Sent when a user deletes a user or a user group.

XQL Search:

dataset in (DATASET_NAME)
| filter _vendor="Veeam"
| alter
   _instanceId=arrayindex(regextract(_raw_log, "instanceId\=(\d+)\s"), 0)
| filter _instanceId in ("31400")
| alter
   _time=parse_timestamp("%FT%H:%M:%E6S%Ez", arrayindex(regextract(_raw_log, "<\d+>1\s+(\S+)\s"), 0)),
   _host=regextract(_raw_log, "\s(\S+)\s(?:Veeam_MP|Veeam_Backup)"),
   _description=arrayindex(regextract(_raw_log, "Description\=\"([^\"]*)(?:\"|$)"), 0),
   _severity="Critical",
   _user=arrayindex(regextract(_raw_log, "UserName\=\"([^\"]*)\""), 0)
| fields
   _time as `Date`, _host as `Data Source`, _instanceId as `Event ID`, _user as `User Name`, _description as `Message Details`, _severity as `Severity`

Time Schedule: Every 10 minutes

Action: Generate alert

Alert Domain: Security

Severity: Critical

Category: Other
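All twenty templates above run the same extraction pipeline and differ only in the event id they filter on and in the structured-data key that names the user (UserName, FullName/fullName or a positional param3/param6) and the affected object. The following Python is an editor's example added here, not Veeam's or Cortex XSIAM's code: it applies the templates' own regular expressions to constructed RFC 5424 lines so the extraction can be checked offline before a correlation is enabled. The sample lines, their key order and the hostnames are assumptions. It also exercises one caveat worth testing on real events: the templates' `Name="..."` pattern has no boundary before the key, so if `UserName="..."` happens to precede `Name="..."` in a message, the alert's Object Name column is filled with the user instead of the repository; `anchored_param` is the editor's suggested variant, not part of the templates.

```python
import re
from datetime import datetime
from typing import List, Optional

# Regexes copied from the templates' regextract() calls; arrayindex(..., 0) becomes .group(1).
TIMESTAMP_RE = re.compile(r"<\d+>1\s+(\S+)\s")               # RFC 5424 timestamp after "<PRI>1"
HOST_RE = re.compile(r"\s(\S+)\s(?:Veeam_MP|Veeam_Backup)")  # hostname preceding the app-name
INSTANCE_RE = re.compile(r"instanceId=(\d+)\s")              # Veeam event id in structured data
DESCRIPTION_RE = re.compile(r'Description="([^"]*)(?:"|$)')  # tolerates a missing closing quote

def quoted_param(key: str) -> re.Pattern:
    """key="value" extractor exactly as the templates write it: no boundary before the key."""
    return re.compile(key + r'="([^"]*)"')

def anchored_param(key: str) -> re.Pattern:
    """Editor's hardened variant (not in the templates): key must not be the tail of a longer key."""
    return re.compile(r"(?<![A-Za-z])" + key + r'="([^"]*)"')

# instanceId -> (Rule Name, key holding the user, key holding the object, Severity), read off the templates.
RULES = {
    "40206": ("Allowed Attempts for Multi-Factor Authentication Exceeded", "UserName", "Endpoint", "Critical"),
    "29900": ("Archive Repository Deleted", "UserName", "Name", "Critical"),
    "41800": ("Attempt to Delete Backup Failed", "param3", "param2", "Critical"),
    "41810": ("Attempt To Update Security Object Failed", "param3", "param2", "Critical"),
    "28200": ("Backup Repository Deleted", "UserName", "Name", "Critical"),
    "21224": ("Connection to Backup Repository Lost", None, "ObjectName", "Critical"),  # no user field
    "25500": ("Credential Record Deleted", "UserName", "AccountName", "Critical"),
    "31800": ("Encryption Password Deleted", "UserName", "Hint", "Critical"),
    "32200": ("External Repository Deleted", "UserName", "RepositoryName", "Critical"),
    "42401": ("Four-Eyes Authorization Disabled", "FullName", "Operation", "Critical"),
    "42402": ("Four-Eyes Authorization Request Created", "FullName", "Operation", "Critical"),
    "23090": ("Job Deleted", "param6", "JobName", "Critical"),
    "42301": ("KMS Server Deleted", "UserName", "Name", "Critical"),
    "41600": ("Malware Activity Detected", "UserName", "ActivityType", "Critical"),
    "42290": ("Malware Detection Settings Updated", "UserName", None, "High"),
    "40201": ("Multi-Factor Authentication Disabled", "fullName", None, "Critical"),
    "40204": ("Multi-Factor Authentication for User Disabled", "fullName", None, "Critical"),
    "28980": ("Object Storage Deleted", "UserName", "param4", "Critical"),
    "41402": ("Storage Deleted", "param6", "name", "Critical"),
    "31400": ("User or Group Deleted", "UserName", None, "Critical"),
}

def _first(pattern: re.Pattern, raw_log: str) -> Optional[str]:
    hit = pattern.search(raw_log)
    return hit.group(1) if hit else None

def parse_veeam_event(raw_log: str) -> Optional[dict]:
    """Apply one template's extraction to a raw line; None when the event id is not templated."""
    instance_id = _first(INSTANCE_RE, raw_log)
    if instance_id not in RULES:
        return None
    rule, user_key, object_key, severity = RULES[instance_id]
    ts = _first(TIMESTAMP_RE, raw_log)
    return {
        "Date": datetime.fromisoformat(ts) if ts else None,  # parse_timestamp("%FT%H:%M:%E6S%Ez", ...)
        "Data Source": _first(HOST_RE, raw_log),
        "Event ID": instance_id,
        "Rule": rule,
        "User Name": _first(quoted_param(user_key), raw_log) if user_key else None,
        "Object Name": _first(quoted_param(object_key), raw_log) if object_key else None,
        "Message Details": _first(DESCRIPTION_RE, raw_log),
        "Severity": severity,
    }

def run_templates(lines: List[str]) -> List[dict]:
    """Whole pipeline over a batch: only templated event ids survive, like `filter _instanceId in (...)`."""
    return [ev for ev in map(parse_veeam_event, lines) if ev]

def object_name(raw_log: str, key: str, anchored: bool = False) -> Optional[str]:
    """Object extraction with the template regex or the anchored variant, to compare the two."""
    return _first(anchored_param(key) if anchored else quoted_param(key), raw_log)

# Constructed sample events (not real Veeam output); key order and hostnames are assumptions.
SAMPLE_ARCHIVE_DELETED = (
    '<14>1 2024-05-06T10:15:30.123456+02:00 vbr01.example.internal Veeam_Backup 4120 - '
    '[categoryId=0 instanceId=29900 Name="Archive-Repo-01" UserName="EXAMPLE\\jdoe" '
    'Description="Archive repository Archive-Repo-01 was removed."] Archive repository deleted'
)
# Same event with UserName placed before Name: the template regex now matches inside UserName.
SAMPLE_ARCHIVE_USER_FIRST = SAMPLE_ARCHIVE_DELETED.replace(
    'Name="Archive-Repo-01" UserName="EXAMPLE\\jdoe"', 'UserName="EXAMPLE\\jdoe" Name="Archive-Repo-01"'
)
SAMPLE_MFA_EXCEEDED = (
    '<14>1 2024-05-06T10:20:01.000000+02:00 vbr01.example.internal Veeam_MP 4120 - '
    '[categoryId=0 instanceId=40206 UserName="EXAMPLE\\jdoe" Endpoint="10.0.0.25" '
    'SID="S-1-5-21-1-2-3-1001" Description="User exceeded the allowed number of MFA attempts."]'
)
SAMPLE_UNTEMPLATED = (
    '<14>1 2024-05-06T10:21:00.000000+02:00 vbr01.example.internal Veeam_Backup 4120 - '
    '[categoryId=0 instanceId=10000 Description="Backup job started."] Backup job started'
)

if __name__ == "__main__":
    for row in run_templates([SAMPLE_ARCHIVE_DELETED, SAMPLE_MFA_EXCEEDED, SAMPLE_UNTEMPLATED]):
        print(row["Event ID"], row["Rule"], row["User Name"], row["Object Name"], sep=" | ")
    print("template regex:", object_name(SAMPLE_ARCHIVE_USER_FIRST, "Name"))
    print("anchored regex:", object_name(SAMPLE_ARCHIVE_USER_FIRST, "Name", anchored=True))
```

Run as a script it prints the two templated rows and the untemplated line is dropped, then shows the template regex returning the user (`EXAMPLE\jdoe`) and the anchored regex returning the repository (`Archive-Repo-01`) for the reordered event. The `RULES` table doubles as a compact index of which key each template reads for the user, which is the first thing to verify against a test event in the raw log before relying on the `User Name` column of an alert.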