
One of our customers is using Sophos Central with MDR (Managed Detection and Response) and recently added the "Back-up and Recovery" integration pack. This is an additional function that must be licensed accordingly!
This means that it is now also possible to monitor and react to certain events within VBR using the Sophos Managed Service.
Sean Simpson published the article Veeam Sophos Integration in the community in fall 2024. Among other things, this article deals with the advantages that are available with this solution.
In this blog post, I will now look at the step-by-step deployment and show possible messages via email or from the Sophos Central Dashboard to give you an overview of the product.
Under Veeam Backup & Replication integration, Sophos Central provides information on the scope and requirements. At Veeam, there is a corresponding white paper in the Resource Library under Sophos and Veeam Integration.
Licensing & activation via https://central.sophos.com/manage/overview/my-account/licensing
The license must be purchased in advance, please contact your trusted dealer. As soon as the license key is available, it can be activated in Sophos Central.
After logging in to Sophos Central, click on the user icon at the top right and select Licensing. Alternatively, use the shortlink above to go directly to Licensing.

Under Apply License Key, the corresponding license key is entered, the EULA is read and confirmed and then activated via Apply.


The Central Backup and Recovery Integration Pack is then located in the portal and can now be configured.
Configuration
For configuration, open the Threat Analysis Center and then the Marketplace.

I filter for Veeam in the search mask on the right and then select the Veeam Backup and Replication Integration shown there.

Under Data Ingest (Security Alerts), a new integration is configured via Add Configuration (this is then deployed as an appliance).

In this example, I enter VBR as the name and srv-veeam-05 as the appliance name. I choose VMware as the virtual platform, as this infrastructure is based on vSphere. At the time of writing, there is still the option of choosing Hyper-V, AWS or hardware.

The interface, which will communicate externally to Sophos (Internet-facing network port settings), is entered here with a manual IPv4 address (DHCP and IPv6 would also be possible).
The IP address, subnet mask, gateway and DNS server are entered according to the customer's infrastructure.

An additional IP address is stored under Syslog IP. This is another interface within this Sophos appliance and not an existing/external syslog system. I was somewhat puzzled by this during the first deployment, as the appliance itself provides this service. This must be taken into account when planning the customer infrastructure, because Veeam VBR can currently only communicate with one syslog server! The protocol to be used must also be selected, in this case TCP (UDP or TLS would also be possible).
Finally, the set values are saved via Save (scroll up again for this, Sophos could adjust this).

As soon as the configuration has been saved, the login information with username zadmin and password will be displayed once, so be sure to save it in the password solution used.

The appliance image can then be downloaded from the Actions menu (the three dots ...) via Download Image.
Deployment via OVA
As already mentioned in an older article of mine: Anyone who has ever deployed OVAs in vSphere should be familiar with these initial steps. Therefore, I will not go into it further here (if you have any questions, just contact me, or e.g. orient yourself here: Deploy appliances - Sophos Central Admin). You can see the summary of this deployment in the following screenshot.

After the successful OVA deployment and a look at the console, the whole thing looks like this:

If the appliance is allowed to communicate home to Sophos Central (see Domains and ports to allow - Sophos Central Admin)...
Communication with Sophos Central
All communication with the Sophos Central cloud environment uses HTTPS and TLS 1.2 or 1.3, depending on the service.
...you can now see the newly configured integration in the Central Dashboard in the GREEN status:

Appliance Manager Website
The Appliance Manager website is reached via https://<IPv4 or FQDN of appliance>:8443/ (in this example) with the access data that was displayed once after saving the configuration, username zadmin...

The website is quite simple, and only a few options are available: Download Log Files, Restart and Shutdown. Under Settings you can see the IP information again. Any modification or adaptation would in turn be done via a new deployment from Sophos Central.



Integration in VBR
The integration with Veeam Backup & Replication is now ready to be performed. To do this, open Options from the main (burger) menu.

On the Event Forwarding tab, in the Syslog servers area, click Add... and enter the appliance you just configured, using its syslog interface.

In this example, this is 192.168.100.102. I had chosen TCP as the transport protocol in the appliance configuration, so TCP must also be selected here, and the port is 10514.

Then save via Apply.

Within the Users & Roles management, the Four-eyes authorization should be enabled (independent of Sophos Central & MDR). A change in this setting can also be monitored via Sophos.

To get data on additional events, Sophos recommends turning on Veeam's four-eyes authorization (btw. me too 😉).
Four-eyes authorization means that additional authorization must be granted by another administrator if, for example, backups are to be deleted (regardless of whether they are immutable or not), or if changes are made to the permissions. If the feature is enabled, details of these authorization events are sent to Sophos for analysis.
Incident API
Currently, Sophos Central is not yet able to call the Incident API itself. That would be an advantage in the event of a malware infection, for example, as it would trigger a quick backup of the affected systems.

I still have the function active so that I can test it via a PowerShell script; the event itself is then listed in Sophos Central. For this purpose, a separate user with the role of Incident API Operator is used as a service account.

I have already opened a feature request to Sophos for the purpose of integrating this feature.

Events via Incident API, 4eyes-Auth. & Encryption Key change
The article Incident API triggering and testing in VDP 23H2 V12.1 discusses a PowerShell script from jb16wer (Veeam) that triggers the Incident API in VBR. In this article here, I also use this script as a basis (to check if this event is captured by Sophos Central), but I have adapted and extended the whole thing to be able to work with more variables and to have it functional for version 12.3 (see also REST API Reference).
# Run this once, or read credentials from file
# Big thanks to Egor and Ed for their help with below!
# JB 3/1/2024
# $Cred = Get-Credential
# modified by Markus

# Accept any server certificate (e.g. the self-signed VBR certificate).
# Note: this disables TLS certificate validation for the whole session.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

# Current time in UTC, ISO 8601 with "Z" suffix as expected by the API
$detectionTimeUtc = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Server and user credentials (Incident API Operator service account)
$VMquickbackupFQDN = "srv-app-01.int.customer.de"
$VMquickbackupIPv4 = "192.168.100.123"
$VBRAPIeventUrl    = "https://srv-veeam-01.int.customer.de:9419/api/v1/malwareDetection/events"
$VBRAPIurl         = "https://srv-veeam-01.int.customer.de:9419/api/oauth2/token"
$VBRusername       = "veeam-incident-api"
$VBRpassword       = "nFciqX-uTLja4C9"

# Create auth body and header
$authBody = @{
    grant_type = "password"
    username   = $VBRusername
    password   = $VBRpassword
} | ConvertTo-Json -Depth 10
$authHeaders = @{
    "Content-Type"  = "application/json"
    "x-api-version" = "1.2-rev0"
}

# Token request
$request = Invoke-RestMethod -Method POST -Uri $VBRAPIurl -Body $authBody -Headers $authHeaders -ErrorAction Stop
$token = $request.access_token

# Update header with bearer token
$headers = @{
    "Content-Type"  = "application/json"
    "x-api-version" = "1.2-rev0"
    "Authorization" = "Bearer $token"
}

# Create malware event body
$eventBody = @{
    detectionTimeUtc = $detectionTimeUtc
    machine = @{
        fqdn = $VMquickbackupFQDN
        ipv4 = $VMquickbackupIPv4
    }
    details  = "This event is raised from REST API by Markus"
    severity = "Infected"
    engine   = "Sophos"
} | ConvertTo-Json -Depth 10

# Send malware event
Invoke-RestMethod -Method POST -Uri $VBRAPIeventUrl -Headers $headers -Body $eventBody -ErrorAction Stop
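As an added example (not the author's script above), the same two REST calls wrapped in a function that takes a PSCredential instead of a plaintext password, keeps TLS certificate validation enabled and fails with a readable error. It assumes the hostnames, the service account name, the JSON token body format and the severity/engine values from the script above, and that the VBR certificate is trusted by the client running it.

```powershell
function Send-VbrMalwareEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $VbrServer,        # e.g. srv-veeam-01.int.customer.de
        [Parameter(Mandatory)] [pscredential] $Credential, # Incident API Operator service account
        [Parameter(Mandatory)] [string] $Fqdn,             # affected machine
        [Parameter(Mandatory)] [string] $Ipv4,
        [string] $Details    = "Malware event raised via REST API",
        [string] $Severity   = "Infected",                 # values as in the original script
        [string] $Engine     = "Sophos",
        [int]    $Port       = 9419,
        [string] $ApiVersion = "1.2-rev0"
    )
    $base    = "https://${VbrServer}:${Port}"
    $headers = @{ "Content-Type" = "application/json"; "x-api-version" = $ApiVersion }

    # 1) OAuth2 password grant (same body format as the script above); the
    #    plaintext secret is taken from the PSCredential only for this call.
    $authBody = @{
        grant_type = "password"
        username   = $Credential.UserName
        password   = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json
    try {
        $tokenResponse = Invoke-RestMethod -Method Post -Uri "$base/api/oauth2/token" `
            -Headers $headers -Body $authBody -ErrorAction Stop
    } catch {
        throw "Token request to $VbrServer failed: $($_.Exception.Message)"
    }
    $headers["Authorization"] = "Bearer $($tokenResponse.access_token)"

    # 2) Post the malware detection event; VBR lists it under History > Malware Events
    $eventBody = @{
        detectionTimeUtc = (Get-Date).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
        machine          = @{ fqdn = $Fqdn; ipv4 = $Ipv4 }
        details          = $Details
        severity         = $Severity
        engine           = $Engine
    } | ConvertTo-Json -Depth 5
    try {
        Invoke-RestMethod -Method Post -Uri "$base/api/v1/malwareDetection/events" `
            -Headers $headers -Body $eventBody -ErrorAction Stop
    } catch {
        throw "Malware event POST failed: $($_.Exception.Message)"
    }
}
# Prompt once for the service account instead of storing the password in the script
$cred = Get-Credential -UserName "veeam-incident-api" -Message "VBR Incident API Operator"
Send-VbrMalwareEvent -VbrServer "srv-veeam-01.int.customer.de" -Credential $cred `
    -Fqdn "srv-app-01.int.customer.de" -Ipv4 "192.168.100.123"
```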
Within Veeam VBR, these events are then also listed in the History under Malware Events.

Sophos Central Dashboard
In the Sophos Central Dashboard, you get a very good overview of the events that have occurred, the cases generated, their status and criticality. I like dashboards & graphs 😉






Feedback & Notifications from Sophos
In the case of a triggered event, you will be actively contacted by Sophos, e.g. via email, in most cases with a recommendation for action or further information.



Weekly Reports
You also receive regular, weekly reports on your infrastructure, here also with information related to the Veeam Backup & Replication infrastructure.
Among other things, it contains information about created & modified restore points and MFA adjustments.


Result
In my eyes, this is an absolute added value for every customer who already uses Sophos Central. It is good to know that not only the IT managers of the customer and the IT service provider, but also the manufacturer, further secure the infrastructure through active monitoring. In terms of price, this is an attractive addition to the existing basic product.
Best, Markus