• There is extra contextual data for the Malware Detection events that is needed in order to properly start an investigation into the alerts
• Some of the additional contextual elements needed are in the “C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\” directory
• When setting up a SOC to respond to these alerts you need this information embedded directly into the Detection Alert from your SIEM
• This covers only the “Malware_Detection_Logs” directory, there are other contextual data sources needed that will be covered in another post

First ensure baseline logging and dashboards are setup.  Veeam has actually done a very good job of making this easy 😁

• setup syslog for VBR Specifying Syslog Servers
• install Splunk app in your Splunk environment Veeam App for Splunk

You then need to install a Splunk Universal Forwarder on the VBR server to collect the additional context data:

• Download Universal Forwarder for Remote Data Collection | Splunk
• create a custom Splunk file monitor input to collect data from the "Malware_Detection_Logs" directory (work with your Splunk admin if you need help)

Now you are ready to correlate the Malware Detection events with their contextual data in a custom Detection Alert for your SOC:

• only the “ObjectName” field is present in both the Malware Detection event and the log files
• you need to use the timestamp and the ObjectName to correlate these data sources together
• THERE IS A LOT OF NUANCE IN THE <snip>ed SECTION BELOW (I can help if you need it, but it was too much to post and needed to be sanitized anyway)

You will now see contextual data embedded directly into the SOC alert (we were doing some testing and set .txt and .pdf as bad file extensions just to generate data 😋):