Hello Community Team,
In preparation for VeeamON 2025, we have some exciting new materials that have been developed to share with you all when it comes to integrating Veeam Events with your Security Vendors.
Here is additional information on event IDs that are useful for SIEM tools to capture, resulting in better identification and actionable outcomes for potential threats. While Helpcenter provides a comprehensive list of event IDs, providing SIEM tools with the most useful event IDs generated before, during, or after backups is critical for identifying and responding to these events. I realized this could be extremely useful after having conversations with analysts and customers, specifically when it comes to when some of the scanning capabilities take place and what exactly it is looking for.

The document also includes how these event IDs are mapped to the MITRE ATT&CK Framework tactics and techniques, as well as actionable next steps to consider when investigating alerts in your systems. You can use the examples provided in the document as a starting point for building out your response plan, but they should not be the only responses considered.
A few of the security integrations made available by the Veeam Security Alliance Team come with incident response playbooks pre-built with the necessary logic. Security analysts can also use this document to build customized logical playbooks with their own tools. Inspiration came from working with a security analyst who was receiving logs within Splunk and forwarding critical ones into Palo Alto XSOAR with customized playbooks. These playbooks were designed to handle critical warnings indicating potential breaches, encryption, or exfiltration events.
Additionally, with the latest release of Veeam Data Platform, a filter was added to restrict the volume of logs sent to your SIEM tool. This improves flexibility by allowing you to choose to send only the logs most critical to your business and can help decrease costs, especially if some providers charge based on the amount of transferred or stored data.
You can also find a useful JSON file, available on Helpcenter, that you can leverage to import events into your SIEM tool.
https://helpcenter.veeam.com/docs/backup/events/event_changelog.html?ver=120
If you have any additions or feedback to this document, please reach out to myself,
If you have an integration you want to share, please post it below! We want to hear more from customers taking advantage of integrating Veeam with their security partner!