diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json
new file mode 100644
index 00000000000..6c45cd43f63
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json
@@ -0,0 +1,295 @@
+{
+ "name": "VeeamConnector",
+ "apiVersion": "2023-04-01-preview",
+ "type": "Microsoft.SecurityInsights/dataConnectorDefinitions",
+ "location": "{{location}}",
+ "kind": "Customizable",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "VeeamConnector",
+ "title": "Veeam Data Connector (via Codeless Connector Framework)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "Veeam Data Connector allows you to ingest Veeam telemetry data from multiple custom tables into Microsoft Sentinel.\n\nThe connector supports integration with Veeam Backup & Replication, Veeam ONE and Coveware platforms to provide comprehensive monitoring and security analytics. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).\n\n**Custom Tables Included:**\n- **VeeamMalwareEventsV2_CL**: Malware detection events from Veeam Backup & Replication\n- **VeeamSecurityComplianceAnalyzerV2_CL**: Security & Compliance Analyzer results collected from Veeam backup infrastructure components\n- **VeeamAuthorizationEventsV2_CL**: Authorization and authentication events\n- **VeeamOneTriggeredAlarmsV2_CL**: Triggered alarms from Veeam ONE servers\n- **VeeamCovewareFindingsV2_CL**: Security findings from Coveware solution\n- **VeeamSessionsV2_CL**: Veeam sessions",
+ "graphQueries": [
+ {
+ "metricName": "Total malware logs received",
+ "legend": "Malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL"
+ },
+ {
+ "metricName": "Critical malware events",
+ "legend": "Critical malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL\n| where Severity == \"Critical\""
+ },
+ {
+ "metricName": "Total security & compliance analyzer logs received",
+ "legend": "Security & Compliance Analyzer results",
+ "baseQuery": "VeeamSecurityComplianceAnalyzerV2_CL"
+ },
+ {
+ "metricName": "Total veeam ONE alarms logs received",
+ "legend": "Veeam ONE alarms",
+ "baseQuery": "VeeamOneTriggeredAlarmsV2_CL"
+ },
+ {
+ "metricName": "Total authorization events logs received",
+ "legend": "Authorization events",
+ "baseQuery": "VeeamAuthorizationEventsV2_CL"
+ },
+ {
+ "metricName": "Total coveware findings logs received",
+ "legend": "Coveware findings",
+ "baseQuery": "VeeamCovewareFindingsV2_CL"
+ },
+ {
+ "metricName": "Total session logs received",
+ "legend": "Session logs",
+ "baseQuery": "VeeamSessionsV2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Critical Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | where Severity == \"Critical\"\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Security Compliance Results",
+ "query": "VeeamSecurityComplianceAnalyzerV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Veeam ONE Alarms",
+ "query": "VeeamOneTriggeredAlarmsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Authorization Events",
+ "query": "VeeamAuthorizationEventsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Coveware Security Findings",
+ "query": "VeeamCovewareFindingsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Session events",
+ "query": "VeeamSessionsV2_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "VeeamMalwareEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamMalwareEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "lastDataReceivedQuery": "VeeamSecurityComplianceAnalyzerV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "lastDataReceivedQuery": "VeeamOneTriggeredAlarmsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamAuthorizationEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "lastDataReceivedQuery": "VeeamCovewareFindingsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSessionsV2_CL",
+ "lastDataReceivedQuery": "VeeamSessionsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Veeam Data Access",
+ "description": "Access to Veeam systems is required to collect security and operational data. The connector supports data ingestion from Veeam Backup & Replication, Veeam ONE, and Coveware platforms."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Prerequisites",
+ "description": "Follow the instructions to configure the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "InfoMessage",
+ "parameters": {
+ "text": "**Note:** This data connector depends on parsers based on Kusto Functions to work as expected. These parsers are installed with the Microsoft Sentinel Solution for Veeam."
+ }
+ }
+ ]
+ },
+ {
+ "title": "1. Configuration steps for Veeam Data Connector",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "1. Configure your Veeam systems to export security and operational data.\n2. Set up data collection endpoints to ingest data into the custom Log Analytics tables.\n3. Ensure proper permissions are configured for data access.\n4. Verify connectivity and data flow to Microsoft Sentinel."
+ }
+ }
+ ]
+ },
+ {
+ "title": "2. Coveware API Configuration",
+ "description": "Configure Coveware API credentials for security findings data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2.1 Obtain Coveware API Credentials\n1. Log in to your Coveware management console\n2. Navigate to API settings or integrations section\n3. Create or configure an API application\n4. Generate or obtain a Bearer token for API access\n5. Note your Coveware API base URL"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware API URL",
+ "placeholder": "https://api.coveware.com",
+ "type": "text",
+ "name": "covewareApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware Bearer Token",
+ "placeholder": "Your Coveware API Bearer Token",
+ "type": "password",
+ "name": "covewareBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "3. Veeam API Configuration",
+ "description": "Configure Veeam API credentials for all Veeam services (Malware Events, Security Analyzer, and Authorization Events).",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3.1 Obtain Veeam API Access Token\n1. Access your Veeam Backup & Replication management console\n2. Navigate to the REST API settings or authentication section\n3. Generate or obtain a Bearer token for API access\n4. Ensure the token has appropriate permissions for:\n - Malware Detection API (v1.3-rev1)\n - Security & Compliance Analyzer API (v1.3-rev1)\n - Authorization Events API (v1.3-rev1)\n - Sessions API (v1.3-rev1)\n5. Note the API base URL (typically https://your-veeam-server.com:9419)\n6. This token will be used for both on-premises and CDN-hosted APIs"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam API URL",
+ "placeholder": "https://your-veeam-server.com:9419",
+ "type": "text",
+ "name": "veeamApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam Bearer Token",
+ "placeholder": "Your Veeam API Bearer Token",
+ "type": "password",
+ "name": "veeamBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "4. Veeam ONE API Configuration",
+ "description": "Configure Veeam ONE API credentials for triggered alarms data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 4.1 Obtain Veeam ONE API Access Key\n1. Access your Veeam ONE management console\n2. Navigate to Administration -> Users and Roles\n3. Create or use an existing user with API access permissions\n4. Generate or obtain a Bearer token for API access\n5. Note the Veeam ONE server URL and port (typically https://your-veeam-one-server:1239)"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API URL",
+ "placeholder": "https://your-veeam-one-server:1239",
+ "type": "text",
+ "name": "veeamOneApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API Bearer Token",
+ "placeholder": "Your Veeam ONE API Bearer Token",
+ "type": "password",
+ "name": "veeamOneBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "5. Connect",
+ "description": "Enable the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "Connect",
+ "disconnectLabel": "Disconnect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
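Review bot: The workspace entry under `permissions.resourceProvider` sets `"delete": true`, but its `permissionsDisplayText` tells the user only that "Read and Write permissions are required"; either drop the delete requirement or state it in the text. The second entry requires read on `Microsoft.OperationalInsights/workspaces/sharedKeys`, which looks unnecessary because the pollers added in this commit ingest through a DCR/DCE rather than the workspace key; if nothing reads the key, removing that entry keeps the role requirement at least privilege. `descriptionMarkdown` also says data is "collected through Azure Functions", which does not match the `RestApiPoller` configuration shipped alongside it. Each of the three API URL textboxes validates only `required`, yet a bearer token is sent to whatever URL is entered, so the instruction text should at least say the URL must be HTTPS.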
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_DCR.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_DCR.json
new file mode 100644
index 00000000000..3029100e6bd
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_DCR.json
@@ -0,0 +1,385 @@
+{
+ "name": "VeeamBackupReplicationDCR",
+ "apiVersion": "2021-09-01-preview",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "{{location}}",
+ "properties": {
+ "dataCollectionEndpointId": "{{dataCollectionEndpointId}}",
+ "streamDeclarations": {
+ "Custom-VeeamCovewareFindingsV2_CL": {
+ "columns": [
+ {
+ "name": "covewareHostName",
+ "type": "string"
+ },
+ {
+ "name": "artifact",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "techniqueId",
+ "type": "string"
+ },
+ {
+ "name": "eventTime",
+ "type": "datetime"
+ },
+ {
+ "name": "firstRunOrAccessed",
+ "type": "datetime"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "eventActivity",
+ "type": "string"
+ },
+ {
+ "name": "country",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "machineId",
+ "type": "string"
+ },
+ {
+ "name": "riskLevel",
+ "type": "string"
+ },
+ {
+ "name": "scanTime",
+ "type": "datetime"
+ },
+ {
+ "name": "username",
+ "type": "string"
+ },
+ {
+ "name": "fileHashes",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamMalwareEventsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "type",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "detectionTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "details",
+ "type": "string"
+ },
+ {
+ "name": "createdBy",
+ "type": "string"
+ },
+ {
+ "name": "engine",
+ "type": "string"
+ },
+ {
+ "name": "machine",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamOneTriggeredAlarmsV2_CL": {
+ "columns": [
+ {
+ "name": "voneHostName",
+ "type": "string"
+ },
+ {
+ "name": "triggeredAlarmId",
+ "type": "int"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "alarmTemplateId",
+ "type": "int"
+ },
+ {
+ "name": "predefinedAlarmId",
+ "type": "int"
+ },
+ {
+ "name": "triggeredTime",
+ "type": "datetime"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "comment",
+ "type": "string"
+ },
+ {
+ "name": "repeatCount",
+ "type": "int"
+ },
+ {
+ "name": "childAlarmsCount",
+ "type": "int"
+ },
+ {
+ "name": "alarmSource",
+ "type": "dynamic"
+ },
+ {
+ "name": "remediation",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamSecurityComplianceAnalyzerV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "bestPractice",
+ "type": "string"
+ },
+ {
+ "name": "note",
+ "type": "string"
+ }
+ ]
+ },
+ "Custom-VeeamSessionsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "sessionType",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "jobId",
+ "type": "string"
+ },
+ {
+ "name": "creationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "endTime",
+ "type": "datetime"
+ },
+ {
+ "name": "progressPercent",
+ "type": "int"
+ },
+ {
+ "name": "resourceId",
+ "type": "string"
+ },
+ {
+ "name": "resourceReference",
+ "type": "string"
+ },
+ {
+ "name": "parentSessionId",
+ "type": "string"
+ },
+ {
+ "name": "platformName",
+ "type": "string"
+ },
+ {
+ "name": "platformId",
+ "type": "string"
+ },
+ {
+ "name": "usn",
+ "type": "long"
+ },
+ {
+ "name": "result",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamAuthorizationEventsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "createdBy",
+ "type": "string"
+ },
+ {
+ "name": "creationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "expirationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "processedBy",
+ "type": "string"
+ },
+ {
+ "name": "processedTime",
+ "type": "datetime"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ }
+ ]
+ }
+ },
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "{{workspaceResourceId}}",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-VeeamMalwareEventsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamMalwareEventsV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VbrHostName = ['vbrHostName'] , MalwareEventType = ['type'] , MalwareState = ['state'] , Source = ['source'] , Severity = ['severity'] , Id = ['id'] , DetectionTimeUtc = ['detectionTimeUtc'] , MachineDisplayName = tostring(machine.displayName) , MachineUuid = tostring(machine.uuid) , MachineBackupObjectId = tostring(machine.backupObjectId) , Details = ['details'] , CreatedBy = ['createdBy'] , Engine = ['engine'] | project TimeGenerated , VbrHostName , MalwareEventType , MalwareState , Source , Severity , Id , DetectionTimeUtc , MachineDisplayName , MachineUuid , MachineBackupObjectId , Details , CreatedBy , Engine"
+ },
+ {
+ "streams": [
+ "Custom-VeeamSecurityComplianceAnalyzerV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamSecurityComplianceAnalyzerV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VbrHostName = ['vbrHostName'] , Status = ['status'] , Id = ['id'] , BestPractice = ['bestPractice'] , Note = ['note'] | project TimeGenerated , VbrHostName , Status , Id , BestPractice , Note"
+ },
+ {
+ "streams": [
+ "Custom-VeeamOneTriggeredAlarmsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamOneTriggeredAlarmsV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VoneHostName = ['voneHostName'] , TriggeredAlarmId = ['triggeredAlarmId'] , Name = ['name'] , AlarmTemplateId = ['alarmTemplateId'] , PredefinedAlarmId = ['predefinedAlarmId'] , TriggeredTime = ['triggeredTime'] , Status = ['status'] , Description = ['description'] , Comment = ['comment'] , RepeatCount = ['repeatCount'] , ObjectId = toint(alarmSource.objectId) , ObjectName = tostring(alarmSource.objectName) , ObjectType = tostring(alarmSource.objectType) , ChildAlarmsCount = ['childAlarmsCount'] , RemediationDescription = tostring(remediation.description) , RemediationMode = tostring(remediation.mode) | project TimeGenerated , VoneHostName , TriggeredAlarmId , Name , AlarmTemplateId , PredefinedAlarmId , TriggeredTime , Status , Description , Comment , RepeatCount , ObjectId , ObjectName , ObjectType , ChildAlarmsCount , RemediationDescription , RemediationMode"
+ },
+ {
+ "streams": [
+ "Custom-VeeamAuthorizationEventsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamAuthorizationEventsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(creationTime), now(), todatetime(creationTime)) , VbrHostName = ['vbrHostName'] , CreatedBy = ['createdBy'] , CreationTime = ['creationTime'] , Description = ['description'] , ExpirationTime = ['expirationTime'] , Id = ['id'] , Name = ['name'] , ProcessedBy = ['processedBy'] , ProcessedTime = ['processedTime'] , State = ['state'] | project TimeGenerated , VbrHostName , CreatedBy , CreationTime , Description , ExpirationTime , Id , Name , ProcessedBy , ProcessedTime , State"
+ },
+ {
+ "streams": [
+ "Custom-VeeamCovewareFindingsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamCovewareFindingsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(eventTime), now(), todatetime(eventTime)) , CovewareHostName = ['covewareHostName'] , Artifact = ['artifact'] , EventType = ['eventType'] , TechniqueId = ['techniqueId'] , EventTime = ['eventTime'] , FirstRunOrAccessed = ['firstRunOrAccessed'] , Hostname = ['hostname'] , EventActivity = ['eventActivity'] , Country = ['country'] , Id = ['id'] , Md5Hash = tostring(fileHashes.md5) , Sha1Hash = tostring(fileHashes.sha1) , Sha256Hash = tostring(fileHashes.sha256) , MachineId = ['machineId'] , RiskLevel = ['riskLevel'] , ScanTime = ['scanTime'] , Username = ['username'] | project TimeGenerated , CovewareHostName , Artifact , EventType , TechniqueId , EventTime , FirstRunOrAccessed , Hostname , EventActivity , Country , Id , Md5Hash , Sha1Hash , Sha256Hash , MachineId , RiskLevel , ScanTime , Username"
+ },
+ {
+ "streams": [
+ "Custom-VeeamSessionsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamSessionsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(creationTime), now(), todatetime(creationTime)) , VbrHostName = ['vbrHostName'] , SessionType = ['sessionType'] , State = ['state'] , Id = ['id'] , Name = ['name'] , JobId = ['jobId'] , CreationTime = ['creationTime'] , EndTime = ['endTime'] , ProgressPercent = ['progressPercent'] , ResultStatus = tostring(result.result) , ResultMessage = tostring(result.message) , ResultIsCanceled = tobool(result.isCanceled) , VeeamResourceId = ['resourceId'] , ResourceReference = ['resourceReference'] , ParentSessionId = ['parentSessionId'] , PlatformName = ['platformName'] , PlatformId = ['platformId'] , Usn = ['usn'] , Result = tostring(result.result) , Message = tostring(result.message) , IsCanceled = tobool(result.isCanceled) | project TimeGenerated , VbrHostName , SessionType , State , Id , Name , JobId , CreationTime , EndTime , ProgressPercent , ResultStatus , ResultMessage , ResultIsCanceled , VeeamResourceId , ResourceReference , ParentSessionId , PlatformName , PlatformId , Usn , Result , Message , IsCanceled"
+ }
+ ]
+ }
+}
\ No newline at end of file
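Review bot: The `transformKql` for the malware and Veeam ONE alarm streams sets `TimeGenerated = now()`, so those rows carry ingestion time rather than event time, while the authorization, Coveware and sessions flows in the same file use the source timestamp. For detections and alarms this skews timelines and time-window correlation in analytics rules. The pattern already used elsewhere would fit, e.g. `TimeGenerated = iff(isempty(detectionTimeUtc), now(), todatetime(detectionTimeUtc))` for malware and the equivalent on `triggeredTime` for alarms; the Security & Compliance Analyzer stream declares no time column, so `now()` is reasonable there. The sessions transform also projects the same three values twice (`ResultStatus`/`Result`, `ResultMessage`/`Message`, `ResultIsCanceled`/`IsCanceled`); one set could be dropped unless the table schema needs both.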
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_PollerConfig.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_PollerConfig.json
new file mode 100644
index 00000000000..e52019664da
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_PollerConfig.json
@@ -0,0 +1,302 @@
+[
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "MalwareEventsPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/malwareDetection/events')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "detectedAfterTimeUtcFilter": "{_QueryWindowStartTime}",
+ "detectedBeforeTimeUtcFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "detectionTimeUtc",
+ "orderAsc": "true"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamMalwareEventsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamMalwareEventsV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "CovewareFindingPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('covewareBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('covewareApiUrl'),'/recon/v1/findings')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 360,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json"
+ },
+ "queryParameters": {
+ "earliest-event-time": "{_QueryWindowStartTime}"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "offset",
+ "pageSize": 250,
+ "pageSizeParameterName": "page-size"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamCovewareFindingsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamCovewareFindingsV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "OneTriggeredAlarmsPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamOneBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamOneApiUrl'),'/api/v2.3/alarms/triggeredAlarms')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 5,
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "Offset",
+ "pageSize": 1000,
+ "pageSizeParameterName": "Limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamOneTriggeredAlarmsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamOneTriggeredAlarmsV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "SecurityComplianceAnalyzerPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/securityAnalyzer/bestPractices')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 60,
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ],
+ "format": "json"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamSecurityComplianceAnalyzerV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "AuthorizationEventsPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/authorization/events')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "createdAfterFilter": "{_QueryWindowStartTime}",
+ "createdBeforeFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "creationTime",
+ "orderAsc": "true"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamAuthorizationEventsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamAuthorizationEventsV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.SecurityInsights/dataConnectors",
+ "apiVersion": "2024-09-01",
+ "name": "SessionsPoller",
+ "location": "{{location}}",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/sessions')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 15,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "createdAfterFilter": "{_QueryWindowStartTime}",
+ "createdBeforeFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "creationTime",
+ "orderAsc": "true",
+ "skip": "0"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamSessionsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamSessionsV2_CL",
+ "dataCollectionEndpoint": "{{dataCollectionEndpoint}}",
+ "dataCollectionRuleImmutableId": "{{dataCollectionRuleImmutableId}}"
+ }
+ }
+ }
+]
\ No newline at end of file
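Review bot: `SessionsPoller` sets a static `"skip": "0"` in `queryParameters` while its `paging` block also names `skip` as `offsetParaName`, so the fixed value can collide with the offset the pager supplies. `MalwareEventsPoller` and `AuthorizationEventsPoller` use the same paging without it, so removing the `"skip": "0"` line would make the three consistent. `OneTriggeredAlarmsPoller` sends no time-window parameters despite a 5-minute `queryWindowInMin`, so unless the API filters by default, each poll may re-read the full alarm list and ingest duplicates. All six pollers place the pasted token in a static `APIKey` auth block; if the products issue short-lived access tokens, collection will silently stop when the token expires, which should be documented or handled with an auth configuration that renews the token.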
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamAuthorizationEventsV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamAuthorizationEventsV2.json
new file mode 100644
index 00000000000..48141f4c2ad
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamAuthorizationEventsV2.json
@@ -0,0 +1,74 @@
+{
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamAuthorizationEventsV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "description": "Veeam authorization and authentication events for security monitoring and access control.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "CreatedBy",
+ "type": "string",
+ "description": "User who created the authorization request"
+ },
+ {
+ "name": "CreationTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization was created"
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "Description of authorization request"
+ },
+ {
+ "name": "ExpirationTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization expires"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique authorization event identifier"
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Name of authorization request"
+ },
+ {
+ "name": "ProcessedBy",
+ "type": "string",
+ "description": "User who processed the authorization"
+ },
+ {
+ "name": "ProcessedTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization was processed"
+ },
+ {
+ "name": "State",
+ "type": "string",
+ "description": "Current authorization state"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
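Review bot: `retentionInDays` is fixed at 180 for this table, which overrides the workspace's own retention setting. For authorization and approval events that may be shorter than an organisation's audit-retention requirement. Consider leaving retention to the workspace default, or recording the reason for the 180-day choice in the solution documentation; the same value appears in the Coveware table section that follows. `TimeGenerated` is the only column here without a `description`.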
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamCovewareFindingsV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamCovewareFindingsV2.json
new file mode 100644
index 00000000000..01ffe321f64
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamCovewareFindingsV2.json
@@ -0,0 +1,109 @@
+{
+ "name": "VeeamCovewareFindingsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamCovewareFindingsV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "description": "Coveware security findings and threat intelligence from Veeam backup systems.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "CovewareHostName",
+ "type": "string",
+ "description": "Coveware server hostname"
+ },
+ {
+ "name": "Artifact",
+ "type": "string",
+ "description": "File or process path"
+ },
+ {
+ "name": "EventType",
+ "type": "string",
+ "description": "Type of security event"
+ },
+ {
+ "name": "TechniqueId",
+ "type": "string",
+ "description": "MITRE ATT&CK technique identifier"
+ },
+ {
+ "name": "EventTime",
+ "type": "datetime",
+ "description": "Timestamp when event occurred"
+ },
+ {
+ "name": "FirstRunOrAccessed",
+ "type": "datetime",
+ "description": "First time artifact was run or accessed"
+ },
+ {
+ "name": "Hostname",
+ "type": "string",
+ "description": "Machine hostname where event occurred"
+ },
+ {
+ "name": "EventActivity",
+ "type": "string",
+ "description": "Description of security activity"
+ },
+ {
+ "name": "Country",
+ "type": "string",
+ "description": "Geographic location of the event"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique finding identifier"
+ },
+ {
+ "name": "Md5Hash",
+ "type": "string",
+ "description": "MD5 hash of the file"
+ },
+ {
+ "name": "Sha1Hash",
+ "type": "string",
+ "description": "SHA1 hash of the file"
+ },
+ {
+ "name": "Sha256Hash",
+ "type": "string",
+ "description": "SHA256 hash of the file"
+ },
+ {
+ "name": "MachineId",
+ "type": "string",
+ "description": "Unique machine identifier"
+ },
+ {
+ "name": "RiskLevel",
+ "type": "string",
+ "description": "Security risk level assessment"
+ },
+ {
+ "name": "ScanTime",
+ "type": "datetime",
+ "description": "Timestamp when scan was performed"
+ },
+ {
+ "name": "Username",
+ "type": "string",
+ "description": "User account associated with event"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
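Review bot: `"retentionInDays": 180` pins this table's retention in the template, so deploying the solution applies 180 days to these security findings regardless of the workspace's own retention setting. A redeploy would presumably also reset a value an operator has raised for compliance or forensic reasons. The same line appears in the other table definitions added by this commit (VeeamAuthorizationEventsV2, VeeamMalwareEventsV2, VeeamOneTriggeredAlarmsV2, VeeamSecurityComplianceAnalyzerV2, VeeamSessionsV2). Unless 180 days is a deliberate requirement, consider `"retentionInDays": -1`, which the Log Analytics tables API treats as "inherit the workspace retention", or state the chosen retention in the connector description so operators know it is being set.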
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamMalwareEventsV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamMalwareEventsV2.json
new file mode 100644
index 00000000000..13ef85ede7e
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamMalwareEventsV2.json
@@ -0,0 +1,89 @@
+{
+ "name": "VeeamMalwareEventsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamMalwareEventsV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamMalwareEventsV2_CL",
+ "description": "Veeam Backup & Replication malware detection events and security threats.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "MalwareEventType",
+ "type": "string",
+ "description": "Type of malware detection event"
+ },
+ {
+ "name": "MalwareState",
+ "type": "string",
+ "description": "Current state of malware event"
+ },
+ {
+ "name": "Source",
+ "type": "string",
+ "description": "Source that triggered the detection"
+ },
+ {
+ "name": "Severity",
+ "type": "string",
+ "description": "Severity level of malware threat"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique malware event identifier"
+ },
+ {
+ "name": "DetectionTimeUtc",
+ "type": "datetime",
+ "description": "UTC timestamp of malware detection"
+ },
+ {
+ "name": "MachineDisplayName",
+ "type": "string",
+ "description": "Display name of affected machine"
+ },
+ {
+ "name": "MachineUuid",
+ "type": "string",
+ "description": "Unique identifier of affected machine"
+ },
+ {
+ "name": "MachineBackupObjectId",
+ "type": "string",
+ "description": "Backup object ID for affected machine"
+ },
+ {
+ "name": "Details",
+ "type": "string",
+ "description": "Detailed information about malware detection"
+ },
+ {
+ "name": "CreatedBy",
+ "type": "string",
+ "description": "User or system that created the event"
+ },
+ {
+ "name": "Engine",
+ "type": "string",
+ "description": "Antivirus engine that detected malware"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
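Review bot: The description for `Severity`, `"Severity level of malware threat"`, does not name the values the column can hold, although the connector definition in this commit filters with the exact-case string test `Severity == "Critical"`. Anyone writing a detection on this table has to guess the spelling and casing of the remaining levels, and a wrong guess matches nothing without raising an error. Listing the allowed values would fix that, e.g. `"description": "Severity level of malware threat; one of <values emitted by Veeam Backup & Replication>"`. The same applies to `MalwareState` and `MalwareEventType`.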
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamOneTriggeredAlarmsV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamOneTriggeredAlarmsV2.json
new file mode 100644
index 00000000000..f0d24f39385
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamOneTriggeredAlarmsV2.json
@@ -0,0 +1,104 @@
+{
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamOneTriggeredAlarmsV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "description": "Veeam ONE triggered alarms and monitoring alerts from Veeam infrastructure.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VoneHostName",
+ "type": "string",
+ "description": "Veeam ONE server hostname"
+ },
+ {
+ "name": "TriggeredAlarmId",
+ "type": "int",
+ "description": "Unique identifier for triggered alarm"
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Name of the alarm"
+ },
+ {
+ "name": "AlarmTemplateId",
+ "type": "int",
+ "description": "Template identifier for alarm type"
+ },
+ {
+ "name": "PredefinedAlarmId",
+ "type": "int",
+ "description": "Predefined alarm rule identifier"
+ },
+ {
+ "name": "TriggeredTime",
+ "type": "datetime",
+ "description": "Timestamp when alarm was triggered"
+ },
+ {
+ "name": "Status",
+ "type": "string",
+ "description": "Current alarm status"
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "Detailed alarm description"
+ },
+ {
+ "name": "Comment",
+ "type": "string",
+ "description": "Additional comments or notes"
+ },
+ {
+ "name": "RepeatCount",
+ "type": "int",
+ "description": "Number of times alarm has repeated"
+ },
+ {
+ "name": "ObjectId",
+ "type": "int",
+ "description": "Identifier of object that triggered alarm"
+ },
+ {
+ "name": "ObjectName",
+ "type": "string",
+ "description": "Name of object that triggered alarm"
+ },
+ {
+ "name": "ObjectType",
+ "type": "string",
+ "description": "Type of object that triggered alarm"
+ },
+ {
+ "name": "ChildAlarmsCount",
+ "type": "int",
+ "description": "Number of child alarms"
+ },
+ {
+ "name": "RemediationDescription",
+ "type": "string",
+ "description": "Detailed description of the alarm event"
+ },
+ {
+ "name": "RemediationMode",
+ "type": "string",
+ "description": "Recommended remediation mode for the alarm event"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
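Review bot: The `RemediationDescription` column is described as `"Detailed description of the alarm event"`, which repeats the meaning of the `Description` column (`"Detailed alarm description"`) and says nothing about remediation. Judging by the name and the neighbouring `RemediationMode` column it presumably carries the remediation text, so something like `"description": "Description of the remediation for the alarm"` would be clearer; confirm against the Veeam ONE payload. Separately, the identifier columns (`TriggeredAlarmId`, `AlarmTemplateId`, `PredefinedAlarmId`, `ObjectId`) are typed `int`, a 32-bit type, while the sessions table in this commit uses `long` for `Usn`. It is worth confirming that these identifiers cannot exceed the 32-bit range.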
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSecurityComplianceAnalyzerV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSecurityComplianceAnalyzerV2.json
new file mode 100644
index 00000000000..57c315d0166
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSecurityComplianceAnalyzerV2.json
@@ -0,0 +1,49 @@
+{
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamSecurityComplianceAnalyzerV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "description": "Veeam Security & Compliance Analyzer best practice assessments and compliance results.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "Status",
+ "type": "string",
+ "description": "Assessment status of security best practice"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique identifier for best practice assessment"
+ },
+ {
+ "name": "BestPractice",
+ "type": "string",
+ "description": "Security best practice being evaluated"
+ },
+ {
+ "name": "Note",
+ "type": "string",
+ "description": "Additional notes and recommendations"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSessionsV2.json b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSessionsV2.json
new file mode 100644
index 00000000000..ecdfd54539c
--- /dev/null
+++ b/Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSessionsV2.json
@@ -0,0 +1,129 @@
+{
+ "name": "VeeamSessionsV2_CL",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "apiVersion": "2022-10-01",
+ "tags": {
+ "StreamName": "Custom-VeeamSessionsV2_CL",
+ "DataSource": "VeeamConnector",
+ "Category": "Security"
+ },
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamSessionsV2_CL",
+ "description": "Veeam comprehensive session data including backup, restore, and other operations with detailed status and progress information.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "SessionType",
+ "type": "string",
+ "description": "Type of Veeam session operation"
+ },
+ {
+ "name": "State",
+ "type": "string",
+ "description": "Current state of the session"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique session identifier"
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Display name of the session"
+ },
+ {
+ "name": "JobId",
+ "type": "string",
+ "description": "Associated job identifier"
+ },
+ {
+ "name": "CreationTime",
+ "type": "datetime",
+ "description": "Timestamp when session was created"
+ },
+ {
+ "name": "EndTime",
+ "type": "datetime",
+ "description": "Timestamp when session completed"
+ },
+ {
+ "name": "ProgressPercent",
+ "type": "int",
+ "description": "Session completion percentage"
+ },
+ {
+ "name": "ResultStatus",
+ "type": "string",
+ "description": "Session result status"
+ },
+ {
+ "name": "ResultMessage",
+ "type": "string",
+ "description": "Session result message"
+ },
+ {
+ "name": "ResultIsCanceled",
+ "type": "boolean",
+ "description": "Whether session was canceled"
+ },
+ {
+ "name": "VeeamResourceId",
+ "type": "string",
+ "description": "Veeam resource identifier"
+ },
+ {
+ "name": "ResourceReference",
+ "type": "string",
+ "description": "Reference to associated resource"
+ },
+ {
+ "name": "ParentSessionId",
+ "type": "string",
+ "description": "Parent session identifier if applicable"
+ },
+ {
+ "name": "PlatformName",
+ "type": "string",
+ "description": "Platform name associated with the session"
+ },
+ {
+ "name": "PlatformId",
+ "type": "string",
+ "description": "Platform identifier associated with the session"
+ },
+ {
+ "name": "Usn",
+ "type": "long",
+ "description": "Update sequence number"
+ },
+ {
+ "name": "Result",
+ "type": "string",
+ "description": "Session result status"
+ },
+ {
+ "name": "Message",
+ "type": "string",
+ "description": "Session result message"
+ },
+ {
+ "name": "IsCanceled",
+ "type": "boolean",
+ "description": "Whether session was canceled"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
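Review bot: Three pairs of columns carry identical descriptions: `ResultStatus`/`Result` (`"Session result status"`), `ResultMessage`/`Message` (`"Session result message"`) and `ResultIsCanceled`/`IsCanceled` (`"Whether session was canceled"`). Nothing in the schema says which column of each pair is populated, so a rule that filters on the wrong one would silently match no rows. If both are needed (for different API versions or session types, say), each description should state which source fills the column. Otherwise the redundant columns should be dropped.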
diff --git a/Solutions/Veeam/Data/Solution_Veeam.json b/Solutions/Veeam/Data/Solution_Veeam.json
index b26a21b3fc9..1a5354e590d 100644
--- a/Solutions/Veeam/Data/Solution_Veeam.json
+++ b/Solutions/Veeam/Data/Solution_Veeam.json
@@ -3,8 +3,9 @@
"Author": "Veeam Software - microsoftappsupport@veeam.com",
"Logo": "",
"Description": "Veeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. [Azure Key Vault](https://azure.microsoft.com/products/key-vault/)\n\nd. [Azure Storage Account](https://azure.microsoft.com/products/storage/)\n\ne. [Azure Relays](https://azure.microsoft.com/products/service-bus/)\n\nf. [Azure Logic Apps](https://azure.microsoft.com/products/logic-apps/)\n\ng. [Azure Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview)",
- "DataConnectors": [
- "Data Connectors/Veeam_API_FunctionApp.json"
+ "Data Connectors": [
+ "Data Connectors/Veeam_API_FunctionApp.json",
+ "Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json"
],
"Playbooks": [
"Playbooks/Veeam-ChangeCollectionTime/ChangeCollectionTime.json",
@@ -40,7 +41,13 @@
"Parsers/Veeam_GetJobFinished.yaml",
"Parsers/Veeam_GetVeeamONEAlarms.yaml",
"Parsers/Veeam_GetFinishedConfigurationBackupSessions.yaml",
- "Parsers/Veeam_GetSecurityEvents.yaml"
+ "Parsers/Veeam_GetSecurityEvents.yaml",
+ "Parsers/parser_VeeamAuthorizationEventsV2AliasFunction.json",
+ "Parsers/parser_VeeamCovewareFindingsV2AliasFunction.json",
+ "Parsers/parser_VeeamMalwareEventsV2AliasFunction.json",
+ "Parsers/parser_VeeamOneTriggeredAlarmsV2AliasFunction.json",
+ "Parsers/parser_VeeamSecurityComplianceAnalyzerV2AliasFunction.json",
+ "Parsers/parser_VeeamSessionsV2AliasFunction.json"
],
"AnalyticsRules": [
"Analytic Rules/Adding_User_or_Group_Failed.yaml",
@@ -186,8 +193,9 @@
"WatchlistDescription": [],
"dependentDomainSolutionIds": [],
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Veeam",
- "Version": "3.0.1",
+ "Version": "3.1.0",
+ "DataConnectorCCFVersion": "3.1.0",
"Metadata": "SolutionMetadata.json",
- "TemplateSpec": true,
+ "TemplateSpec": false,
"Is1Pconnector": false
}
\ No newline at end of file
diff --git a/Solutions/Veeam/Package/3.1.0.zip b/Solutions/Veeam/Package/3.1.0.zip
new file mode 100644
index 00000000000..96526c58b46
Binary files /dev/null and b/Solutions/Veeam/Package/3.1.0.zip differ
diff --git a/Solutions/Veeam/Package/createUiDefinition.json b/Solutions/Veeam/Package/createUiDefinition.json
index 329551f7ef3..68c8e90cc75 100644
--- a/Solutions/Veeam/Package/createUiDefinition.json
+++ b/Solutions/Veeam/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Veeam/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVeeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. [Azure Key Vault](https://azure.microsoft.com/products/key-vault/)\n\nd. [Azure Storage Account](https://azure.microsoft.com/products/storage/)\n\ne. [Azure Relays](https://azure.microsoft.com/products/service-bus/)\n\nf. [Azure Logic Apps](https://azure.microsoft.com/products/logic-apps/)\n\ng. [Azure Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview)\n\n**Data Connectors:** 1, **Parsers:** 4, **Workbooks:** 2, **Analytic Rules:** 132, **Watchlists:** 11, **Playbooks:** 15\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "
\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Veeam/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nVeeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Azure Monitor Ingestion API](https://learn.microsoft.com/azure/azure-monitor/logs/data-collector-api)\n\nb. [Azure Functions](https://azure.microsoft.com/products/functions/#overview)\n\nc. [Azure Key Vault](https://azure.microsoft.com/products/key-vault/)\n\nd. [Azure Storage Account](https://azure.microsoft.com/products/storage/)\n\ne. [Azure Relays](https://azure.microsoft.com/products/service-bus/)\n\nf. [Azure Logic Apps](https://azure.microsoft.com/products/logic-apps/)\n\ng. [Azure Log Analytics](https://learn.microsoft.com/azure/azure-monitor/logs/log-analytics-overview)\n\n**Data Connectors:** 2, **Parsers:** 10, **Workbooks:** 2, **Analytic Rules:** 132, **Watchlists:** 11, **Playbooks:** 15\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -62,6 +62,23 @@
"options": {
"text": "This Solution installs the data connector for Veeam. You can get Veeam custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
+ },
+ {
+ "name": "dataconnectors2-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This Solution installs the data connector for Veeam Data Connector (via Codeless Connector Framework). You can get Veeam Data Connector (via Codeless Connector Framework) data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
}
]
},
diff --git a/Solutions/Veeam/Package/mainTemplate.json b/Solutions/Veeam/Package/mainTemplate.json
index ec853e471ba..35c120d56ca 100644
--- a/Solutions/Veeam/Package/mainTemplate.json
+++ b/Solutions/Veeam/Package/mainTemplate.json
@@ -28,6 +28,20 @@
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
"watchlist1-id": {
"type": "string",
"defaultValue": "job_types_lookup",
@@ -137,7 +151,7 @@
"email": "microsoftappsupport@veeam.com",
"_email": "[variables('email')]",
"_solutionName": "Veeam",
- "_solutionVersion": "3.0.2",
+ "_solutionVersion": "3.1.0",
"solutionId": "veeamsoftware.azure-sentinel-solution-veeamapp",
"_solutionId": "[variables('solutionId')]",
"TemplateEmptyArray": "[json('[]')]",
@@ -150,6 +164,14 @@
"dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
"dataConnectorVersion1": "1.0.0",
"_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "dataConnectorCCPVersion": "3.1.0",
+ "_dataConnectorContentIdConnectorDefinition2": "VeeamConnector",
+ "dataConnectorTemplateNameConnectorDefinition2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "_dataConnectorContentIdConnections2": "VeeamConnectorConnections",
+ "dataConnectorTemplateNameConnections2": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections2')))]",
+ "dataCollectionEndpointId2": "[concat('/subscriptions/',parameters('subscription'),'/resourceGroups/',parameters('resourceGroupName'),'/providers/Microsoft.Insights/dataCollectionEndpoints/',parameters('workspace'))]",
+ "blanks": "[replace('b', 'b', '')]",
"Veeam-ChangeCollectionTime": "Veeam-ChangeCollectionTime",
"_Veeam-ChangeCollectionTime": "[variables('Veeam-ChangeCollectionTime')]",
"playbookVersion1": "1.0",
@@ -157,9 +179,7 @@
"_playbookContentId1": "[variables('playbookContentId1')]",
"playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]",
"playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]",
- "blanks": "[replace('b', 'b', '')]",
"Veeam-CollectVeeamAuthorizationEvents": "Veeam-CollectVeeamAuthorizationEvents",
"_Veeam-CollectVeeamAuthorizationEvents": "[variables('Veeam-CollectVeeamAuthorizationEvents')]",
"playbookVersion2": "1.0",
@@ -322,6 +342,48 @@
"parserVersion4": "1.0.0",
"parserContentId4": "Veeam_GetSecurityEvents-Parser"
},
+ "parserObject5": {
+ "_parserName5": "[concat(parameters('workspace'),'/','VeeamAuthorizationEvents_CL')]",
+ "_parserId5": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamAuthorizationEvents_CL')]",
+ "parserTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamAuthorizationEvents_CL-Parser')))]",
+ "parserVersion5": "1.0.0",
+ "parserContentId5": "VeeamAuthorizationEvents_CL-Parser"
+ },
+ "parserObject6": {
+ "_parserName6": "[concat(parameters('workspace'),'/','VeeamCovewareFindings_CL')]",
+ "_parserId6": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamCovewareFindings_CL')]",
+ "parserTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamCovewareFindings_CL-Parser')))]",
+ "parserVersion6": "1.0.0",
+ "parserContentId6": "VeeamCovewareFindings_CL-Parser"
+ },
+ "parserObject7": {
+ "_parserName7": "[concat(parameters('workspace'),'/','VeeamMalwareEvents_CL')]",
+ "_parserId7": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamMalwareEvents_CL')]",
+ "parserTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamMalwareEvents_CL-Parser')))]",
+ "parserVersion7": "1.0.0",
+ "parserContentId7": "VeeamMalwareEvents_CL-Parser"
+ },
+ "parserObject8": {
+ "_parserName8": "[concat(parameters('workspace'),'/','VeeamOneTriggeredAlarms_CL')]",
+ "_parserId8": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamOneTriggeredAlarms_CL')]",
+ "parserTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamOneTriggeredAlarms_CL-Parser')))]",
+ "parserVersion8": "1.0.0",
+ "parserContentId8": "VeeamOneTriggeredAlarms_CL-Parser"
+ },
+ "parserObject9": {
+ "_parserName9": "[concat(parameters('workspace'),'/','VeeamSecurityComplianceAnalyzer_CL')]",
+ "_parserId9": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamSecurityComplianceAnalyzer_CL')]",
+ "parserTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamSecurityComplianceAnalyzer_CL-Parser')))]",
+ "parserVersion9": "1.0.0",
+ "parserContentId9": "VeeamSecurityComplianceAnalyzer_CL-Parser"
+ },
+ "parserObject10": {
+ "_parserName10": "[concat(parameters('workspace'),'/','VeeamSessions_CL')]",
+ "_parserId10": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), 'VeeamSessions_CL')]",
+ "parserTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring('VeeamSessions_CL-Parser')))]",
+ "parserVersion10": "1.0.0",
+ "parserContentId10": "VeeamSessions_CL-Parser"
+ },
"analyticRuleObject1": {
"analyticRuleVersion1": "1.0.1",
"_analyticRulecontentId1": "6d1a5478-e613-44f4-a48f-12cc18568522",
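Review bot: The six new parser aliases (`VeeamAuthorizationEvents_CL` through `VeeamSessions_CL`) end in `_CL`, the suffix that marks custom tables in Log Analytics, while the tables this commit adds are the `...V2_CL` ones. If a workspace already holds tables under the names without `V2` (plausibly written by the Function App connector this solution still ships), a saved function and a table would share a name. Existing analytic rules or hunting queries could then change data source without any visible edit. Confirm how the workspace resolves that collision and whether each alias is meant to union old and new data; if not, an alias without the `_CL` suffix avoids the ambiguity. This file looks generated, so the change would belong in the `Parsers/parser_*AliasFunction.json` sources listed in Solution_Veeam.json.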
@@ -1270,7 +1332,7 @@
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam data connector with template version 3.0.2",
+ "description": "Veeam data connector with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorVersion1')]",
@@ -1649,565 +1711,329 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition2'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-ChangeCollectionTime Playbook with template version 3.0.2",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "displayName": "Veeam Data Connector (via Codeless Connector Framework)",
+ "contentKind": "DataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion1')]",
- "parameters": {
- "PlaybookName": {
- "type": "string",
- "defaultValue": "Veeam-ChangeCollectionTime",
- "metadata": {
- "description": "Name of the playbook (Logic App) to be created"
- }
- },
- "workspaceId": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
- }
- },
- "AzureSentinelConnectionName": {
- "type": "string",
- "defaultValue": "azuresentinel-connection",
- "metadata": {
- "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
- }
- },
- "subscriptionId": {
- "type": "string",
- "defaultValue": "[subscription().subscriptionId]",
- "metadata": {
- "description": "Azure subscription ID"
- }
- },
- "resourceGroupName": {
- "type": "string",
- "defaultValue": "[resourceGroup().name]",
- "metadata": {
- "description": "Name of the resource group containing the Logic Apps to be updated"
- }
- },
- "environmentResourceManagerUrl": {
- "type": "string",
- "defaultValue": "[environment().resourceManager]",
- "metadata": {
- "description": "Resource Manager URL for the Azure environment"
- }
- },
- "logicAppsApiVersion": {
- "type": "string",
- "defaultValue": "2019-05-01",
- "metadata": {
- "description": "API version to use for Logic Apps operations"
- }
- },
- "watchlistName": {
- "type": "string",
- "defaultValue": "collection_schedule_settings",
- "metadata": {
- "description": "Name of the watchlist containing collection schedule settings"
- }
- },
- "defaultRecurrenceInterval": {
- "type": "string",
- "defaultValue": "12",
- "metadata": {
- "description": "Default recurrence interval to use when not specified in watchlist"
- }
- },
- "defaultRecurrenceFrequency": {
- "type": "string",
- "defaultValue": "Hour",
- "metadata": {
- "description": "Default recurrence frequency to use when not specified in watchlist"
- }
- }
- },
- "variables": {
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {},
+ "variables": {},
"resources": [
{
- "type": "Microsoft.Web/connections",
- "apiVersion": "2018-07-01-preview",
- "name": "[[parameters('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[parameters('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- },
- "parameterValueType": "Alternative"
- }
- },
- {
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2019-05-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "tags": {
- "hidden-SentinelTemplateName": "Veeam-ChangeCollectionTime",
- "hidden-SentinelTemplateVersion": "1.0",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
+ "location": "[parameters('workspace-location')]",
+ "kind": "Customizable",
"properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
+ "connectorUiConfig": {
+ "id": "VeeamConnector",
+ "title": "Veeam Data Connector (via Codeless Connector Framework)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "Veeam Data Connector allows you to ingest Veeam telemetry data from multiple custom tables into Microsoft Sentinel.\n\nThe connector supports integration with Veeam Backup & Replication, Veeam ONE and Coveware platforms to provide comprehensive monitoring and security analytics. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).\n\n**Custom Tables Included:**\n- **VeeamMalwareEventsV2_CL**: Malware detection events from Veeam Backup & Replication\n- **VeeamSecurityComplianceAnalyzerV2_CL**: Security & Compliance Analyzer results collected from Veeam backup infrastructure components\n- **VeeamAuthorizationEventsV2_CL**: Authorization and authentication events\n- **VeeamOneTriggeredAlarmsV2_CL**: Triggered alarms from Veeam ONE servers\n- **VeeamCovewareFindingsV2_CL**: Security findings from Coveware solution\n- **VeeamSessionsV2_CL**: Veeam sessions",
+ "graphQueries": [
+ {
+ "metricName": "Total malware logs received",
+ "legend": "Malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL"
},
- "workspaceId": {
- "defaultValue": "[[parameters('workspaceId')]",
- "type": "String"
+ {
+ "metricName": "Critical malware events",
+ "legend": "Critical malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL\n| where Severity == \"Critical\""
},
- "resourceGroupName": {
- "defaultValue": "[[parameters('resourceGroupName')]",
- "type": "String"
+ {
+ "metricName": "Total security & compliance analyzer logs received",
+ "legend": "Security & Compliance Analyzer results",
+ "baseQuery": "VeeamSecurityComplianceAnalyzerV2_CL"
},
- "subscriptionId": {
- "defaultValue": "[[subscription().subscriptionId]",
- "type": "String"
+ {
+ "metricName": "Total veeam ONE alarms logs received",
+ "legend": "Veeam ONE alarms",
+ "baseQuery": "VeeamOneTriggeredAlarmsV2_CL"
},
- "watchlistName": {
- "defaultValue": "[[parameters('watchlistName')]",
- "type": "String"
+ {
+ "metricName": "Total authorization events logs received",
+ "legend": "Authorization events",
+ "baseQuery": "VeeamAuthorizationEventsV2_CL"
},
- "environmentResourceManagerUrl": {
- "defaultValue": "[[parameters('environmentResourceManagerUrl')]",
- "type": "String"
+ {
+ "metricName": "Total coveware findings logs received",
+ "legend": "Coveware findings",
+ "baseQuery": "VeeamCovewareFindingsV2_CL"
},
- "logicAppsApiVersion": {
- "defaultValue": "[[parameters('logicAppsApiVersion')]",
- "type": "String"
+ {
+ "metricName": "Total session logs received",
+ "legend": "Session logs",
+ "baseQuery": "VeeamSessionsV2_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Critical Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | where Severity == \"Critical\"\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Security Compliance Results",
+ "query": "VeeamSecurityComplianceAnalyzerV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Veeam ONE Alarms",
+ "query": "VeeamOneTriggeredAlarmsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Authorization Events",
+ "query": "VeeamAuthorizationEventsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Coveware Security Findings",
+ "query": "VeeamCovewareFindingsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Session events",
+ "query": "VeeamSessionsV2_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "VeeamMalwareEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamMalwareEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "lastDataReceivedQuery": "VeeamSecurityComplianceAnalyzerV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "lastDataReceivedQuery": "VeeamOneTriggeredAlarmsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamAuthorizationEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "lastDataReceivedQuery": "VeeamCovewareFindingsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSessionsV2_CL",
+ "lastDataReceivedQuery": "VeeamSessionsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
}
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
},
- "triggers": {
- "manual": {
- "type": "Request",
- "kind": "Http",
- "inputs": {
- "schema": {
- "type": "object",
- "properties": {
- "recurrenceInterval": {
- "default": "[[parameters('defaultRecurrenceInterval')]"
- },
- "recurrenceFrequency": {
- "default": "[[parameters('defaultRecurrenceFrequency')]"
- }
- }
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true
}
}
- }
+ ],
+ "customs": [
+ {
+ "name": "Veeam Data Access",
+ "description": "Access to Veeam systems is required to collect security and operational data. The connector supports data ingestion from Veeam Backup & Replication, Veeam ONE, and Coveware platforms."
+ }
+ ]
},
- "actions": {
- "Watchlists_-_Get_all_Collection_Times": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ "instructionSteps": [
+ {
+ "title": "Prerequisites",
+ "description": "Follow the instructions to configure the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "InfoMessage",
+ "parameters": {
+ "text": "**Note:** This data connector depends on parsers based on Kusto Functions to work as expected. These parsers are installed with the Microsoft Sentinel Solution for Veeam."
}
- },
- "method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistName'))}/watchlistItems"
- }
+ }
+ ]
},
- "Parse_settings": {
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Watchlists_-_Get_all_Collection_Times')",
- "schema": {
- "type": "object",
- "properties": {
- "properties": {
- "type": "object",
- "properties": {
- "watchlistItems": {
- "type": "array"
- }
- }
- }
+ {
+ "title": "1. Configuration steps for Veeam Data Connector",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "1. Configure your Veeam systems to export security and operational data.\n2. Set up data collection endpoints to ingest data into the custom Log Analytics tables.\n3. Ensure proper permissions are configured for data access.\n4. Verify connectivity and data flow to Microsoft Sentinel."
}
}
- },
- "runAfter": {
- "Watchlists_-_Get_all_Collection_Times": [
- "Succeeded"
- ]
- }
+ ]
},
- "For_each": {
- "type": "Foreach",
- "foreach": "@body('Parse_settings')?['properties']?['watchlistItems']",
- "actions": {
- "Parse_setting": {
- "type": "ParseJson",
- "inputs": {
- "content": "@items('For_each')",
- "schema": {
- "type": "object",
- "properties": {
- "properties.watchlistItemType": {
- "type": "string"
- },
- "properties.watchlistItemId": {
- "type": "string"
- },
- "properties.tenantId": {
- "type": "string"
- },
- "properties.isDeleted": {
- "type": "boolean"
- },
- "properties.created": {
- "type": "string"
- },
- "properties.updated": {
- "type": "string"
- },
- "properties.createdBy": {
- "type": "object",
- "properties": {
- "email": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "objectId": {
- "type": "string"
- }
- }
- },
- "properties.updatedBy": {
- "type": "object",
- "properties": {
- "email": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "objectId": {
- "type": "string"
- }
- }
- },
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "CollectionPlaybookName": {
- "type": "string"
- },
- "RecurrenceInterval": {
- "type": "string"
- },
- "TimeUnit": {
- "type": "string"
- }
- }
- },
- "properties.entityMapping": {
- "type": "object"
- },
- "etag": {
- "type": "string"
- },
- "id": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "type": {
- "type": "string"
- },
- "systemData": {
- "type": "object",
- "properties": {
- "createdBy": {
- "type": "string"
- },
- "createdByType": {
- "type": "string"
- },
- "createdAt": {
- "type": "string"
- },
- "lastModifiedBy": {
- "type": "string"
- },
- "lastModifiedByType": {
- "type": "string"
- },
- "lastModifiedAt": {
- "type": "string"
- }
- }
- }
- }
+ {
+ "title": "2. Coveware API Configuration",
+ "description": "Configure Coveware API credentials for security findings data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2.1 Obtain Coveware API Credentials\n1. Log in to your Coveware management console\n2. Navigate to API settings or integrations section\n3. Create or configure an API application\n4. Generate or obtain a Bearer token for API access\n5. Note your Coveware API base URL"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware API URL",
+ "placeholder": "https://api.coveware.com",
+ "type": "text",
+ "name": "covewareApiUrl",
+ "validations": {
+ "required": true
}
}
},
- "Get_Current_Workflow_Definition": {
- "type": "Http",
- "inputs": {
- "uri": "@concat(parameters('environmentResourceManagerUrl'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Logic/workflows/', body('Parse_setting')?['properties.itemsKeyValue']?['CollectionPlaybookName'], '?api-version=', parameters('logicAppsApiVersion'))",
- "method": "GET",
- "authentication": {
- "type": "ManagedServiceIdentity"
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware Bearer Token",
+ "placeholder": "Your Coveware API Bearer Token",
+ "type": "password",
+ "name": "covewareBearerToken",
+ "validations": {
+ "required": true
}
- },
- "runAfter": {
- "Parse_setting": [
- "Succeeded"
- ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "3. Veeam API Configuration",
+ "description": "Configure Veeam API credentials for all Veeam services (Malware Events, Security Analyzer, and Authorization Events).",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3.1 Obtain Veeam API Access Token\n1. Access your Veeam Backup & Replication management console\n2. Navigate to the REST API settings or authentication section\n3. Generate or obtain a Bearer token for API access\n4. Ensure the token has appropriate permissions for:\n - Malware Detection API (v1.3-rev1)\n - Security & Compliance Analyzer API (v1.3-rev1)\n - Authorization Events API (v1.3-rev1)\n - Sessions API (v1.3-rev1)\n5. Note the API base URL (typically https://your-veeam-server.com:9419)\n6. This token will be used for both on-premises and CDN-hosted APIs"
}
},
- "Parse_Workflow_Definition": {
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Get_Current_Workflow_Definition')",
- "schema": {
- "type": "object",
- "properties": {
- "properties": {
- "type": "object",
- "properties": {
- "provisioningState": {
- "type": "string"
- },
- "createdTime": {
- "type": "string"
- },
- "changedTime": {
- "type": "string"
- },
- "state": {
- "type": "string"
- },
- "version": {
- "type": "string"
- },
- "accessEndpoint": {
- "type": "string"
- },
- "definition": {
- "type": "object",
- "properties": {
- "$schema": {
- "type": "string"
- },
- "contentVersion": {
- "type": "string"
- },
- "parameters": {
- "type": "object"
- },
- "triggers": {
- "type": "object"
- },
- "actions": {
- "type": "object"
- },
- "outputs": {
- "type": "object"
- }
- }
- },
- "parameters": {
- "type": "object"
- },
- "endpointsConfiguration": {
- "type": "object"
- }
- }
- },
- "id": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "type": {
- "type": "string"
- },
- "location": {
- "type": "string"
- },
- "tags": {
- "type": "object"
- },
- "identity": {
- "type": "object",
- "properties": {
- "type": {
- "type": "string"
- },
- "principalId": {
- "type": "string"
- },
- "tenantId": {
- "type": "string"
- }
- }
- }
- }
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam API URL",
+ "placeholder": "https://your-veeam-server.com:9419",
+ "type": "text",
+ "name": "veeamApiUrl",
+ "validations": {
+ "required": true
}
- },
- "runAfter": {
- "Get_Current_Workflow_Definition": [
- "Succeeded"
- ]
}
},
- "Compose_Updated_Definition": {
- "type": "Compose",
- "inputs": {
- "location": "@body('Parse_Workflow_Definition')?['location']",
- "identity": "@body('Parse_Workflow_Definition')?['identity']",
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['$schema']",
- "contentVersion": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['contentVersion']",
- "parameters": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['parameters']",
- "triggers": {
- "Every_@{int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))}_@{coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')}": {
- "recurrence": {
- "interval": "@int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))",
- "frequency": "@coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')"
- },
- "evaluatedRecurrence": {
- "interval": "@int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))",
- "frequency": "@coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')"
- },
- "type": "Recurrence"
- }
- },
- "actions": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['actions']",
- "outputs": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['outputs']"
- },
- "parameters": "@body('Parse_Workflow_Definition')?['properties']?['parameters']"
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam Bearer Token",
+ "placeholder": "Your Veeam API Bearer Token",
+ "type": "password",
+ "name": "veeamBearerToken",
+ "validations": {
+ "required": true
}
- },
- "runAfter": {
- "Parse_Workflow_Definition": [
- "Succeeded"
- ]
+ }
+ }
+ ]
+ },
+ {
+ "title": "4. Veeam ONE API Configuration",
+ "description": "Configure Veeam ONE API credentials for triggered alarms data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 4.1 Obtain Veeam ONE API Access Key\n1. Access your Veeam ONE management console\n2. Navigate to Administration -> Users and Roles\n3. Create or use an existing user with API access permissions\n4. Generate or obtain a Bearer token for API access\n5. Note the Veeam ONE server URL and port (typically https://your-veeam-one-server:1239)"
}
},
- "Update_Events_Workflow": {
- "type": "Http",
- "inputs": {
- "uri": "@concat(parameters('environmentResourceManagerUrl'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Logic/workflows/', body('Parse_setting')?['properties.itemsKeyValue']?['CollectionPlaybookName'], '?api-version=', parameters('logicAppsApiVersion'))",
- "method": "PUT",
- "headers": {
- "Content-Type": "application/json"
- },
- "body": "@outputs('Compose_Updated_Definition')",
- "authentication": {
- "type": "ManagedServiceIdentity"
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API URL",
+ "placeholder": "https://your-veeam-one-server:1239",
+ "type": "text",
+ "name": "veeamOneApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API Bearer Token",
+ "placeholder": "Your Veeam ONE API Bearer Token",
+ "type": "password",
+ "name": "veeamOneBearerToken",
+ "validations": {
+ "required": true
}
- },
- "runAfter": {
- "Compose_Updated_Definition": [
- "Succeeded"
- ]
}
}
- },
- "runAfter": {
- "Parse_settings": [
- "Succeeded"
- ]
- }
- },
- "Response_Success": {
- "type": "Response",
- "inputs": {
- "statusCode": 200,
- "body": {
- "message": "Successfully updated collection schedule",
- "processedWorkflows": "@length(body('Parse_settings')?['properties']?['watchlistItems'])"
- }
- },
- "runAfter": {
- "For_each": [
- "Succeeded"
- ]
- }
+ ]
},
- "Response_Error": {
- "type": "Response",
- "inputs": {
- "statusCode": 500,
- "body": {
- "message": "Failed to update collection schedule",
- "error": "@actions('For_each')?['error']"
- }
- },
- "runAfter": {
- "For_each": [
- "Failed"
- ]
- }
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[[parameters('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
+ {
+ "title": "5. Connect",
+ "description": "Enable the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "Connect",
+ "disconnectLabel": "Disconnect",
+ "name": "toggle"
}
}
- }
+ ]
}
- }
+ ]
}
- },
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]"
- ]
+ }
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[variables('playbookId1')]",
- "contentId": "[variables('_playbookContentId1')]",
- "kind": "Playbook",
- "version": "[variables('playbookVersion1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Veeam",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
"name": "Veeam Software",
@@ -2218,734 +2044,1369 @@
"email": "microsoftappsupport@veeam.com",
"tier": "Partner",
"link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
}
}
- }
- ],
- "metadata": {
- "_generator": {
- "name": "bicep",
- "version": "0.36.177.2456",
- "templateHash": "5498632779764501884"
- },
- "title": "Veeam-ChangeCollectionTime",
- "description": "This Microsoft Sentinel playbook adjusts the recurrence intervals for Veeam collection playbooks based on settings in the collection_schedule_settings watchlist.",
- "prerequisites": [
- "1. Microsoft Sentinel workspace configured.",
- "2. Permissions to create Logic Apps and API Connections.",
- "3. Permissions to assign roles to the Resource Group and Log Analytics workspace.",
- "4. Collection schedule settings watchlist configured in Microsoft Sentinel.",
- "5. Logic App Contributor permissions for managing other workflows."
- ],
- "tags": [
- "Automation",
- "Veeam",
- "Schedule",
- "Collection",
- "Configuration"
- ],
- "lastUpdateTime": "2025-08-20T00:00:01Z",
- "parameterTemplateVersion": "1.0.0",
- "postDeployment": [
- "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Assign the Logic App Contributor role to the Logic App's managed identity on the Resource Group.",
- "3. Configure the collection_schedule_settings watchlist with required schedule data."
- ],
- "releaseNotes": {
- "version": "1.0",
- "title": "[variables('blanks')]",
- "notes": [
- "Initial version"
- ]
- }
- }
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId1')]",
- "contentKind": "Playbook",
- "displayName": "Veeam-ChangeCollectionTime",
- "contentProductId": "[variables('_playbookcontentProductId1')]",
- "id": "[variables('_playbookcontentProductId1')]",
- "version": "[variables('playbookVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName2')]",
- "location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
- "properties": {
- "description": "Veeam-CollectVeeamAuthorizationEvents Playbook with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion2')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "Veeam-CollectVeeamAuthorizationEvents",
- "type": "string",
- "metadata": {
- "description": "Name of the playbook (Logic App) to be created"
- }
- },
- "functionAppName": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Name of the Azure Function App for Veeam integration"
- }
- },
- "workspaceId": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
- }
- },
- "AzureSentinelConnectionName": {
- "defaultValue": "azuresentinel-connection",
- "type": "string",
- "metadata": {
- "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
- }
},
- "resourceGroupName": {
- "defaultValue": "[resourceGroup().name]",
- "type": "string",
- "metadata": {
- "description": "Name of the resource group containing the Microsoft Sentinel workspace"
- }
- }
- },
- "variables": {
- "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
{
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[parameters('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
+ "name": "VeeamBackupReplicationDCR",
+ "apiVersion": "2022-06-01",
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "location": "[parameters('workspace-location')]",
+ "kind": "[variables('blanks')]",
"properties": {
- "displayName": "[[parameters('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
+ "dataCollectionEndpointId": "[variables('dataCollectionEndpointId2')]",
+ "streamDeclarations": {
+ "Custom-VeeamCovewareFindingsV2_CL": {
+ "columns": [
+ {
+ "name": "covewareHostName",
+ "type": "string"
+ },
+ {
+ "name": "artifact",
+ "type": "string"
+ },
+ {
+ "name": "eventType",
+ "type": "string"
+ },
+ {
+ "name": "techniqueId",
+ "type": "string"
+ },
+ {
+ "name": "eventTime",
+ "type": "datetime"
+ },
+ {
+ "name": "firstRunOrAccessed",
+ "type": "datetime"
+ },
+ {
+ "name": "hostname",
+ "type": "string"
+ },
+ {
+ "name": "eventActivity",
+ "type": "string"
+ },
+ {
+ "name": "country",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "machineId",
+ "type": "string"
+ },
+ {
+ "name": "riskLevel",
+ "type": "string"
+ },
+ {
+ "name": "scanTime",
+ "type": "datetime"
+ },
+ {
+ "name": "username",
+ "type": "string"
+ },
+ {
+ "name": "fileHashes",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamMalwareEventsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "type",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "source",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "detectionTimeUtc",
+ "type": "datetime"
+ },
+ {
+ "name": "details",
+ "type": "string"
+ },
+ {
+ "name": "createdBy",
+ "type": "string"
+ },
+ {
+ "name": "engine",
+ "type": "string"
+ },
+ {
+ "name": "machine",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamOneTriggeredAlarmsV2_CL": {
+ "columns": [
+ {
+ "name": "voneHostName",
+ "type": "string"
+ },
+ {
+ "name": "triggeredAlarmId",
+ "type": "int"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "alarmTemplateId",
+ "type": "int"
+ },
+ {
+ "name": "predefinedAlarmId",
+ "type": "int"
+ },
+ {
+ "name": "triggeredTime",
+ "type": "datetime"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "comment",
+ "type": "string"
+ },
+ {
+ "name": "repeatCount",
+ "type": "int"
+ },
+ {
+ "name": "childAlarmsCount",
+ "type": "int"
+ },
+ {
+ "name": "alarmSource",
+ "type": "dynamic"
+ },
+ {
+ "name": "remediation",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamSecurityComplianceAnalyzerV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "bestPractice",
+ "type": "string"
+ },
+ {
+ "name": "note",
+ "type": "string"
+ }
+ ]
+ },
+ "Custom-VeeamSessionsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "sessionType",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "jobId",
+ "type": "string"
+ },
+ {
+ "name": "creationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "endTime",
+ "type": "datetime"
+ },
+ {
+ "name": "progressPercent",
+ "type": "int"
+ },
+ {
+ "name": "resourceId",
+ "type": "string"
+ },
+ {
+ "name": "resourceReference",
+ "type": "string"
+ },
+ {
+ "name": "parentSessionId",
+ "type": "string"
+ },
+ {
+ "name": "platformName",
+ "type": "string"
+ },
+ {
+ "name": "platformId",
+ "type": "string"
+ },
+ {
+ "name": "usn",
+ "type": "long"
+ },
+ {
+ "name": "result",
+ "type": "dynamic"
+ }
+ ]
+ },
+ "Custom-VeeamAuthorizationEventsV2_CL": {
+ "columns": [
+ {
+ "name": "vbrHostName",
+ "type": "string"
+ },
+ {
+ "name": "createdBy",
+ "type": "string"
+ },
+ {
+ "name": "creationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "expirationTime",
+ "type": "datetime"
+ },
+ {
+ "name": "id",
+ "type": "string"
+ },
+ {
+ "name": "name",
+ "type": "string"
+ },
+ {
+ "name": "processedBy",
+ "type": "string"
+ },
+ {
+ "name": "processedTime",
+ "type": "datetime"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ }
+ ]
+ }
},
- "parameterValueType": "Alternative"
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[variables('workspaceResourceId')]",
+ "name": "clv2ws1"
+ }
+ ]
+ },
+ "dataFlows": [
+ {
+ "streams": [
+ "Custom-VeeamMalwareEventsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamMalwareEventsV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VbrHostName = ['vbrHostName'] , MalwareEventType = ['type'] , MalwareState = ['state'] , Source = ['source'] , Severity = ['severity'] , Id = ['id'] , DetectionTimeUtc = ['detectionTimeUtc'] , MachineDisplayName = tostring(machine.displayName) , MachineUuid = tostring(machine.uuid) , MachineBackupObjectId = tostring(machine.backupObjectId) , Details = ['details'] , CreatedBy = ['createdBy'] , Engine = ['engine'] | project TimeGenerated , VbrHostName , MalwareEventType , MalwareState , Source , Severity , Id , DetectionTimeUtc , MachineDisplayName , MachineUuid , MachineBackupObjectId , Details , CreatedBy , Engine"
+ },
+ {
+ "streams": [
+ "Custom-VeeamSecurityComplianceAnalyzerV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamSecurityComplianceAnalyzerV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VbrHostName = ['vbrHostName'] , Status = ['status'] , Id = ['id'] , BestPractice = ['bestPractice'] , Note = ['note'] | project TimeGenerated , VbrHostName , Status , Id , BestPractice , Note"
+ },
+ {
+ "streams": [
+ "Custom-VeeamOneTriggeredAlarmsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamOneTriggeredAlarmsV2_CL",
+ "transformKql": "source | extend TimeGenerated = now() , VoneHostName = ['voneHostName'] , TriggeredAlarmId = ['triggeredAlarmId'] , Name = ['name'] , AlarmTemplateId = ['alarmTemplateId'] , PredefinedAlarmId = ['predefinedAlarmId'] , TriggeredTime = ['triggeredTime'] , Status = ['status'] , Description = ['description'] , Comment = ['comment'] , RepeatCount = ['repeatCount'] , ObjectId = toint(alarmSource.objectId) , ObjectName = tostring(alarmSource.objectName) , ObjectType = tostring(alarmSource.objectType) , ChildAlarmsCount = ['childAlarmsCount'] , RemediationDescription = tostring(remediation.description) , RemediationMode = tostring(remediation.mode) | project TimeGenerated , VoneHostName , TriggeredAlarmId , Name , AlarmTemplateId , PredefinedAlarmId , TriggeredTime , Status , Description , Comment , RepeatCount , ObjectId , ObjectName , ObjectType , ChildAlarmsCount , RemediationDescription , RemediationMode"
+ },
+ {
+ "streams": [
+ "Custom-VeeamAuthorizationEventsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamAuthorizationEventsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(creationTime), now(), todatetime(creationTime)) , VbrHostName = ['vbrHostName'] , CreatedBy = ['createdBy'] , CreationTime = ['creationTime'] , Description = ['description'] , ExpirationTime = ['expirationTime'] , Id = ['id'] , Name = ['name'] , ProcessedBy = ['processedBy'] , ProcessedTime = ['processedTime'] , State = ['state'] | project TimeGenerated , VbrHostName , CreatedBy , CreationTime , Description , ExpirationTime , Id , Name , ProcessedBy , ProcessedTime , State"
+ },
+ {
+ "streams": [
+ "Custom-VeeamCovewareFindingsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamCovewareFindingsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(eventTime), now(), todatetime(eventTime)) , CovewareHostName = ['covewareHostName'] , Artifact = ['artifact'] , EventType = ['eventType'] , TechniqueId = ['techniqueId'] , EventTime = ['eventTime'] , FirstRunOrAccessed = ['firstRunOrAccessed'] , Hostname = ['hostname'] , EventActivity = ['eventActivity'] , Country = ['country'] , Id = ['id'] , Md5Hash = tostring(fileHashes.md5) , Sha1Hash = tostring(fileHashes.sha1) , Sha256Hash = tostring(fileHashes.sha256) , MachineId = ['machineId'] , RiskLevel = ['riskLevel'] , ScanTime = ['scanTime'] , Username = ['username'] | project TimeGenerated , CovewareHostName , Artifact , EventType , TechniqueId , EventTime , FirstRunOrAccessed , Hostname , EventActivity , Country , Id , Md5Hash , Sha1Hash , Sha256Hash , MachineId , RiskLevel , ScanTime , Username"
+ },
+ {
+ "streams": [
+ "Custom-VeeamSessionsV2_CL"
+ ],
+ "destinations": [
+ "clv2ws1"
+ ],
+ "outputStream": "Custom-VeeamSessionsV2_CL",
+ "transformKql": "source | extend TimeGenerated = iff(isempty(creationTime), now(), todatetime(creationTime)) , VbrHostName = ['vbrHostName'] , SessionType = ['sessionType'] , State = ['state'] , Id = ['id'] , Name = ['name'] , JobId = ['jobId'] , CreationTime = ['creationTime'] , EndTime = ['endTime'] , ProgressPercent = ['progressPercent'] , ResultStatus = tostring(result.result) , ResultMessage = tostring(result.message) , ResultIsCanceled = tobool(result.isCanceled) , VeeamResourceId = ['resourceId'] , ResourceReference = ['resourceReference'] , ParentSessionId = ['parentSessionId'] , PlatformName = ['platformName'] , PlatformId = ['platformId'] , Usn = ['usn'] , Result = tostring(result.result) , Message = tostring(result.message) , IsCanceled = tobool(result.isCanceled) | project TimeGenerated , VbrHostName , SessionType , State , Id , Name , JobId , CreationTime , EndTime , ProgressPercent , ResultStatus , ResultMessage , ResultIsCanceled , VeeamResourceId , ResourceReference , ParentSessionId , PlatformName , PlatformId , Usn , Result , Message , IsCanceled"
+ }
+ ]
}
},
{
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "tags": {
- "hidden-SentinelTemplateName": "Veeam-CollectVeeamAuthorizationEvents",
- "hidden-SentinelTemplateVersion": "1.0",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- },
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]"
- ],
+ "name": "VeeamSessionsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
"properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamSessionsV2_CL",
+ "description": "Veeam comprehensive session data including backup, restore, and other operations with detailed status and progress information.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
},
- "functionAppName": {
- "defaultValue": "[[parameters('functionAppName')]",
- "type": "String"
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
},
- "workspaceId": {
- "defaultValue": "[[parameters('workspaceId')]",
- "type": "String"
+ {
+ "name": "SessionType",
+ "type": "string",
+ "description": "Type of Veeam session operation"
},
- "resourceGroupName": {
- "defaultValue": "[[parameters('resourceGroupName')]",
- "type": "String"
+ {
+ "name": "State",
+ "type": "string",
+ "description": "Current state of the session"
},
- "subscriptionId": {
- "defaultValue": "[[subscription().subscriptionId]",
- "type": "String"
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique session identifier"
},
- "VbrHostName": {
- "defaultValue": "vbr1",
- "type": "String"
- }
- },
- "triggers": {
- "Every_24_hours": {
- "recurrence": {
- "interval": 24,
- "frequency": "Hour"
- },
- "evaluatedRecurrence": {
- "interval": 24,
- "frequency": "Hour"
- },
- "type": "Recurrence"
- }
- },
- "actions": {
- "Watchlists_-_Get_VBR_Settings": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems"
- }
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Display name of the session"
},
- "Parse_VBR_settings": {
- "runAfter": {
- "Watchlists_-_Get_VBR_Settings": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Watchlists_-_Get_VBR_Settings')",
- "schema": {
- "type": "object",
- "properties": {
- "properties": {
- "type": "object",
- "properties": {
- "watchlistItems": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "Veeam Server Name": {
- "type": "string"
- },
- "Base URL": {
- "type": "string"
- },
- "Collect Authorization Events": {
- "type": "string"
- },
- "Key Vault Password ID": {
- "type": "string"
- },
- "Key Vault Username ID": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
+ {
+ "name": "JobId",
+ "type": "string",
+ "description": "Associated job identifier"
},
- "For_each_VBR": {
- "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']",
- "actions": {
- "Parse_current_VBR": {
- "type": "ParseJson",
- "inputs": {
- "content": "@items('For_each_VBR')",
- "schema": {
- "type": "object",
- "properties": {
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "Veeam Server Name": {
- "type": "string"
- },
- "Base URL": {
- "type": "string"
- },
- "Collect Authorization Events": {
- "type": "string"
- },
- "Key Vault Password ID": {
- "type": "string"
- },
- "Key Vault Username ID": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "If_authorization_events_collection_is_enabled": {
- "actions": {
- "Collect_Authorization_Events_into_VeeamAuthorizationEventsTable_CL": {
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Veeam Server Name']"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetAllAuthorizationEventsAsync')]"
- }
- }
- }
- },
- "runAfter": {
- "Parse_current_VBR": [
- "Succeeded"
- ]
- },
- "else": {
- "actions": {
- "Print_baseUrl": {
- "type": "Compose",
- "inputs": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Base URL']"
- }
- }
- },
- "expression": {
- "and": [
- {
- "equals": [
- "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Collect Authorization Events']",
- "true"
- ]
- }
- ]
- },
- "type": "If"
- }
- },
- "runAfter": {
- "Parse_VBR_settings": [
- "Succeeded"
- ]
- },
- "type": "Foreach"
- }
- }
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[[parameters('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
- }
+ {
+ "name": "CreationTime",
+ "type": "datetime",
+ "description": "Timestamp when session was created"
+ },
+ {
+ "name": "EndTime",
+ "type": "datetime",
+ "description": "Timestamp when session completed"
+ },
+ {
+ "name": "ProgressPercent",
+ "type": "int",
+ "description": "Session completion percentage"
+ },
+ {
+ "name": "ResultStatus",
+ "type": "string",
+ "description": "Session result status"
+ },
+ {
+ "name": "ResultMessage",
+ "type": "string",
+ "description": "Session result message"
+ },
+ {
+ "name": "ResultIsCanceled",
+ "type": "boolean",
+ "description": "Whether session was canceled"
+ },
+ {
+ "name": "VeeamResourceId",
+ "type": "string",
+ "description": "Veeam resource identifier"
+ },
+ {
+ "name": "ResourceReference",
+ "type": "string",
+ "description": "Reference to associated resource"
+ },
+ {
+ "name": "ParentSessionId",
+ "type": "string",
+ "description": "Parent session identifier if applicable"
+ },
+ {
+ "name": "PlatformName",
+ "type": "string",
+ "description": "Platform name associated with the session"
+ },
+ {
+ "name": "PlatformId",
+ "type": "string",
+ "description": "Platform identifier associated with the session"
+ },
+ {
+ "name": "Usn",
+ "type": "long",
+ "description": "Update sequence number"
+ },
+ {
+ "name": "Result",
+ "type": "string",
+ "description": "Session result status"
+ },
+ {
+ "name": "Message",
+ "type": "string",
+ "description": "Session result message"
+ },
+ {
+ "name": "IsCanceled",
+ "type": "boolean",
+ "description": "Whether session was canceled"
}
- }
+ ]
}
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
"properties": {
- "parentId": "[variables('playbookId2')]",
- "contentId": "[variables('_playbookContentId2')]",
- "kind": "Playbook",
- "version": "[variables('playbookVersion2')]",
- "source": {
- "kind": "Solution",
- "name": "Veeam",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Veeam Software",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Veeam Software",
- "email": "microsoftappsupport@veeam.com",
- "tier": "Partner",
- "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/"
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "description": "Veeam authorization and authentication events for security monitoring and access control.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "CreatedBy",
+ "type": "string",
+ "description": "User who created the authorization request"
+ },
+ {
+ "name": "CreationTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization was created"
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "Description of authorization request"
+ },
+ {
+ "name": "ExpirationTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization expires"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique authorization event identifier"
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Name of authorization request"
+ },
+ {
+ "name": "ProcessedBy",
+ "type": "string",
+ "description": "User who processed the authorization"
+ },
+ {
+ "name": "ProcessedTime",
+ "type": "datetime",
+ "description": "Timestamp when authorization was processed"
+ },
+ {
+ "name": "State",
+ "type": "string",
+ "description": "Current authorization state"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "description": "Coveware security findings and threat intelligence from Veeam backup systems.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "CovewareHostName",
+ "type": "string",
+ "description": "Coveware server hostname"
+ },
+ {
+ "name": "Artifact",
+ "type": "string",
+ "description": "File or process path"
+ },
+ {
+ "name": "EventType",
+ "type": "string",
+ "description": "Type of security event"
+ },
+ {
+ "name": "TechniqueId",
+ "type": "string",
+ "description": "MITRE ATT&CK technique identifier"
+ },
+ {
+ "name": "EventTime",
+ "type": "datetime",
+ "description": "Timestamp when event occurred"
+ },
+ {
+ "name": "FirstRunOrAccessed",
+ "type": "datetime",
+ "description": "First time artifact was run or accessed"
+ },
+ {
+ "name": "Hostname",
+ "type": "string",
+ "description": "Machine hostname where event occurred"
+ },
+ {
+ "name": "EventActivity",
+ "type": "string",
+ "description": "Description of security activity"
+ },
+ {
+ "name": "Country",
+ "type": "string",
+ "description": "Geographic location of the event"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique finding identifier"
+ },
+ {
+ "name": "Md5Hash",
+ "type": "string",
+ "description": "MD5 hash of the file"
+ },
+ {
+ "name": "Sha1Hash",
+ "type": "string",
+ "description": "SHA1 hash of the file"
+ },
+ {
+ "name": "Sha256Hash",
+ "type": "string",
+ "description": "SHA256 hash of the file"
+ },
+ {
+ "name": "MachineId",
+ "type": "string",
+ "description": "Unique machine identifier"
+ },
+ {
+ "name": "RiskLevel",
+ "type": "string",
+ "description": "Security risk level assessment"
+ },
+ {
+ "name": "ScanTime",
+ "type": "datetime",
+ "description": "Timestamp when scan was performed"
+ },
+ {
+ "name": "Username",
+ "type": "string",
+ "description": "User account associated with event"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "VeeamMalwareEventsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamMalwareEventsV2_CL",
+ "description": "Veeam Backup & Replication malware detection events and security threats.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "MalwareEventType",
+ "type": "string",
+ "description": "Type of malware detection event"
+ },
+ {
+ "name": "MalwareState",
+ "type": "string",
+ "description": "Current state of malware event"
+ },
+ {
+ "name": "Source",
+ "type": "string",
+ "description": "Source that triggered the detection"
+ },
+ {
+ "name": "Severity",
+ "type": "string",
+ "description": "Severity level of malware threat"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique malware event identifier"
+ },
+ {
+ "name": "DetectionTimeUtc",
+ "type": "datetime",
+ "description": "UTC timestamp of malware detection"
+ },
+ {
+ "name": "MachineDisplayName",
+ "type": "string",
+ "description": "Display name of affected machine"
+ },
+ {
+ "name": "MachineUuid",
+ "type": "string",
+ "description": "Unique identifier of affected machine"
+ },
+ {
+ "name": "MachineBackupObjectId",
+ "type": "string",
+ "description": "Backup object ID for affected machine"
+ },
+ {
+ "name": "Details",
+ "type": "string",
+ "description": "Detailed information about malware detection"
+ },
+ {
+ "name": "CreatedBy",
+ "type": "string",
+ "description": "User or system that created the event"
+ },
+ {
+ "name": "Engine",
+ "type": "string",
+ "description": "Antivirus engine that detected malware"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "description": "Veeam ONE triggered alarms and monitoring alerts from Veeam infrastructure.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VoneHostName",
+ "type": "string",
+ "description": "Veeam ONE server hostname"
+ },
+ {
+ "name": "TriggeredAlarmId",
+ "type": "int",
+ "description": "Unique identifier for triggered alarm"
+ },
+ {
+ "name": "Name",
+ "type": "string",
+ "description": "Name of the alarm"
+ },
+ {
+ "name": "AlarmTemplateId",
+ "type": "int",
+ "description": "Template identifier for alarm type"
+ },
+ {
+ "name": "PredefinedAlarmId",
+ "type": "int",
+ "description": "Predefined alarm rule identifier"
+ },
+ {
+ "name": "TriggeredTime",
+ "type": "datetime",
+ "description": "Timestamp when alarm was triggered"
+ },
+ {
+ "name": "Status",
+ "type": "string",
+ "description": "Current alarm status"
+ },
+ {
+ "name": "Description",
+ "type": "string",
+ "description": "Detailed alarm description"
+ },
+ {
+ "name": "Comment",
+ "type": "string",
+ "description": "Additional comments or notes"
+ },
+ {
+ "name": "RepeatCount",
+ "type": "int",
+ "description": "Number of times alarm has repeated"
+ },
+ {
+ "name": "ObjectId",
+ "type": "int",
+ "description": "Identifier of object that triggered alarm"
+ },
+ {
+ "name": "ObjectName",
+ "type": "string",
+ "description": "Name of object that triggered alarm"
+ },
+ {
+ "name": "ObjectType",
+ "type": "string",
+ "description": "Type of object that triggered alarm"
+ },
+ {
+ "name": "ChildAlarmsCount",
+ "type": "int",
+ "description": "Number of child alarms"
+ },
+ {
+ "name": "RemediationDescription",
+ "type": "string",
+ "description": "Detailed description of the alarm event"
+ },
+ {
+ "name": "RemediationMode",
+ "type": "string",
+ "description": "Recommended remediation mode for the alarm event"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "apiVersion": "2022-10-01",
+ "type": "Microsoft.OperationalInsights/workspaces/tables",
+ "location": "[parameters('workspace-location')]",
+ "kind": null,
+ "properties": {
+ "retentionInDays": 180,
+ "schema": {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "description": "Veeam Security & Compliance Analyzer best practice assessments and compliance results.",
+ "columns": [
+ {
+ "name": "TimeGenerated",
+ "type": "datetime",
+ "isDefaultDisplay": true
+ },
+ {
+ "name": "VbrHostName",
+ "type": "string",
+ "description": "Veeam Backup & Replication server hostname"
+ },
+ {
+ "name": "Status",
+ "type": "string",
+ "description": "Assessment status of security best practice"
+ },
+ {
+ "name": "Id",
+ "type": "string",
+ "description": "Unique identifier for best practice assessment"
+ },
+ {
+ "name": "BestPractice",
+ "type": "string",
+ "description": "Security best practice being evaluated"
+ },
+ {
+ "name": "Note",
+ "type": "string",
+ "description": "Additional notes and recommendations"
+ }
+ ]
}
}
}
- ],
- "metadata": {
- "title": "Veeam-CollectVeeamAuthorizationEvents",
- "description": "This Microsoft Sentinel playbook automatically collects Veeam authorization events Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetAllAuthorizationEventsAsync function for each enabled server, ingesting the data into custom tables.",
- "prerequisites": [
- "1. Microsoft Sentinel workspace configured.",
- "2. Permissions to create Logic Apps and API Connections.",
- "3. Permissions to assign roles to the Resource Group.",
- "4. Veeam Azure Function App deployed and configured.",
- "5. VBR Settings watchlist configured in Microsoft Sentinel.",
- "6. Hybrid Connection and Key Vault secrets configured for each VBR Server."
- ],
- "tags": [
- "Automation",
- "Veeam",
- "Authorization",
- "Collection"
- ],
- "lastUpdateTime": "2025-08-25T00:00:00Z",
- "parameterTemplateVersion": "1.0.0",
- "postDeployment": [
- "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Authorization Events' flag set to true on servers from which you want to collect data."
- ],
- "releaseNotes": {
- "version": "1.0",
- "title": "[variables('blanks')]",
- "notes": [
- "Initial version"
- ]
- }
- }
+ ]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition2'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId2')]",
- "contentKind": "Playbook",
- "displayName": "Veeam-CollectVeeamAuthorizationEvents",
- "contentProductId": "[variables('_playbookcontentProductId2')]",
- "id": "[variables('_playbookcontentProductId2')]",
- "version": "[variables('playbookVersion2')]"
+ "version": "[variables('dataConnectorCCPVersion')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName3')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "apiVersion": "2022-09-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
+ "kind": "Customizable",
"properties": {
- "description": "Veeam-CollectSecurityComplianceAnalyzerResult Playbook with template version 3.0.2",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion3')]",
- "parameters": {
- "PlaybookName": {
- "defaultValue": "Veeam-CollectSecurityComplianceAnalyzerResult",
- "type": "string",
- "metadata": {
- "description": "Name of the playbook (Logic App) to be created"
- }
+ "connectorUiConfig": {
+ "id": "VeeamConnector",
+ "title": "Veeam Data Connector (via Codeless Connector Framework)",
+ "publisher": "Microsoft",
+ "descriptionMarkdown": "Veeam Data Connector allows you to ingest Veeam telemetry data from multiple custom tables into Microsoft Sentinel.\n\nThe connector supports integration with Veeam Backup & Replication, Veeam ONE and Coveware platforms to provide comprehensive monitoring and security analytics. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).\n\n**Custom Tables Included:**\n- **VeeamMalwareEventsV2_CL**: Malware detection events from Veeam Backup & Replication\n- **VeeamSecurityComplianceAnalyzerV2_CL**: Security & Compliance Analyzer results collected from Veeam backup infrastructure components\n- **VeeamAuthorizationEventsV2_CL**: Authorization and authentication events\n- **VeeamOneTriggeredAlarmsV2_CL**: Triggered alarms from Veeam ONE servers\n- **VeeamCovewareFindingsV2_CL**: Security findings from Coveware solution\n- **VeeamSessionsV2_CL**: Veeam sessions",
+ "graphQueries": [
+ {
+ "metricName": "Total malware logs received",
+ "legend": "Malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL"
},
- "functionAppName": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Name of the Azure Function App for Veeam integration"
- }
+ {
+ "metricName": "Critical malware events",
+ "legend": "Critical malware events",
+ "baseQuery": "VeeamMalwareEventsV2_CL\n| where Severity == \"Critical\""
},
- "workspaceId": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
- }
+ {
+ "metricName": "Total security & compliance analyzer logs received",
+ "legend": "Security & Compliance Analyzer results",
+ "baseQuery": "VeeamSecurityComplianceAnalyzerV2_CL"
},
- "AzureSentinelConnectionName": {
- "defaultValue": "azuresentinel-connection",
- "type": "string",
- "metadata": {
- "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
- }
+ {
+ "metricName": "Total veeam ONE alarms logs received",
+ "legend": "Veeam ONE alarms",
+ "baseQuery": "VeeamOneTriggeredAlarmsV2_CL"
},
- "resourceGroupName": {
- "defaultValue": "[resourceGroup().name]",
- "type": "string",
- "metadata": {
- "description": "Name of the resource group containing the Microsoft Sentinel workspace"
- }
+ {
+ "metricName": "Total authorization events logs received",
+ "legend": "Authorization events",
+ "baseQuery": "VeeamAuthorizationEventsV2_CL"
+ },
+ {
+ "metricName": "Total coveware findings logs received",
+ "legend": "Coveware findings",
+ "baseQuery": "VeeamCovewareFindingsV2_CL"
+ },
+ {
+ "metricName": "Total session logs received",
+ "legend": "Session logs",
+ "baseQuery": "VeeamSessionsV2_CL"
}
- },
- "variables": {
- "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": "[[variables('connection-1')]",
- "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
- "workspace-name": "[parameters('workspace')]",
- "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
- },
- "resources": [
+ ],
+ "sampleQueries": [
{
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[parameters('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[parameters('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- },
- "parameterValueType": "Alternative"
- }
+ "description": "Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | sort by TimeGenerated desc"
},
{
- "type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
- "name": "[[parameters('PlaybookName')]",
- "location": "[[variables('workspace-location-inline')]",
- "identity": {
- "type": "SystemAssigned"
- },
- "tags": {
- "hidden-SentinelTemplateName": "Veeam-CollectSecurityComplianceAnalyzerResult",
- "hidden-SentinelTemplateVersion": "1.0",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- },
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]"
- ],
- "properties": {
- "state": "Enabled",
- "definition": {
- "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "$connections": {
- "type": "Object"
- },
- "functionAppName": {
- "defaultValue": "[[parameters('functionAppName')]",
- "type": "String"
- },
- "workspaceId": {
- "defaultValue": "[[parameters('workspaceId')]",
- "type": "String"
- },
- "resourceGroupName": {
- "defaultValue": "[[parameters('resourceGroupName')]",
- "type": "String"
- },
- "subscriptionId": {
- "defaultValue": "[[subscription().subscriptionId]",
- "type": "String"
- },
- "VbrHostName": {
- "defaultValue": "vbr1",
- "type": "String"
- }
- },
- "triggers": {
- "Every_24_hours": {
- "recurrence": {
- "interval": 24,
- "frequency": "Hour"
- },
- "evaluatedRecurrence": {
- "interval": 24,
- "frequency": "Hour"
- },
- "type": "Recurrence"
- }
- },
- "actions": {
- "Watchlists_-_Get_VBR_Settings": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems"
- }
- },
- "Parse_VBR_settings": {
- "runAfter": {
- "Watchlists_-_Get_VBR_Settings": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@body('Watchlists_-_Get_VBR_Settings')",
- "schema": {
- "type": "object",
- "properties": {
- "properties": {
- "type": "object",
- "properties": {
- "watchlistItems": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "Veeam Server Name": {
- "type": "string"
- },
- "Base URL": {
- "type": "string"
- },
- "Collect Security and Compliance Analyzer Results": {
- "type": "string"
- },
- "Key Vault Password ID": {
- "type": "string"
- },
- "Key Vault Username ID": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "For_each_VBR": {
- "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']",
- "actions": {
- "Parse_current_VBR": {
- "type": "ParseJson",
- "inputs": {
- "content": "@items('For_each_VBR')",
- "schema": {
- "type": "object",
- "properties": {
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "Veeam Server Name": {
- "type": "string"
- },
- "Base URL": {
- "type": "string"
- },
- "Collect Security and Compliance Analyzer Results": {
- "type": "string"
- },
- "Key Vault Password ID": {
- "type": "string"
- },
- "Key Vault Username ID": {
- "type": "string"
- }
- }
- }
- }
- }
- }
- },
- "If_best_practice_analysis_collection_is_enabled": {
- "actions": {
- "Collect_Best_Practice_Analysis_into_VeeamBestPracticeAnalysisTable_CL": {
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Veeam Server Name']"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetSecurityComplianceAnalyzerResultsAsync')]"
- }
- }
- }
- },
- "runAfter": {
- "Parse_current_VBR": [
- "Succeeded"
- ]
- },
- "else": {
- "actions": {
- "Print_baseUrl": {
- "type": "Compose",
- "inputs": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Base URL']"
- }
- }
- },
- "expression": {
- "and": [
- {
- "equals": [
- "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']",
- "true"
- ]
- }
- ]
- },
- "type": "If"
- }
- },
- "runAfter": {
- "Parse_VBR_settings": [
- "Succeeded"
- ]
- },
- "type": "Foreach"
- }
+ "description": "Critical Malware Events",
+ "query": "VeeamMalwareEventsV2_CL\n | where Severity == \"Critical\"\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Security Compliance Results",
+ "query": "VeeamSecurityComplianceAnalyzerV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Veeam ONE Alarms",
+ "query": "VeeamOneTriggeredAlarmsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Authorization Events",
+ "query": "VeeamAuthorizationEventsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Coveware Security Findings",
+ "query": "VeeamCovewareFindingsV2_CL\n | sort by TimeGenerated desc"
+ },
+ {
+ "description": "Session events",
+ "query": "VeeamSessionsV2_CL\n | sort by TimeGenerated desc"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "VeeamMalwareEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamMalwareEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "lastDataReceivedQuery": "VeeamSecurityComplianceAnalyzerV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamOneTriggeredAlarmsV2_CL",
+ "lastDataReceivedQuery": "VeeamOneTriggeredAlarmsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamAuthorizationEventsV2_CL",
+ "lastDataReceivedQuery": "VeeamAuthorizationEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamCovewareFindingsV2_CL",
+ "lastDataReceivedQuery": "VeeamCovewareFindingsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ },
+ {
+ "name": "VeeamSessionsV2_CL",
+ "lastDataReceivedQuery": "VeeamSessionsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriteria": [
+ {
+ "type": "HasDataConnectors"
+ }
+ ],
+ "availability": {
+ "isPreview": true,
+ "status": 1
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "Read and Write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true,
+ "action": false
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Veeam Data Access",
+ "description": "Access to Veeam systems is required to collect security and operational data. The connector supports data ingestion from Veeam Backup & Replication, Veeam ONE, and Coveware platforms."
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "Prerequisites",
+ "description": "Follow the instructions to configure the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "InfoMessage",
+ "parameters": {
+ "text": "**Note:** This data connector depends on parsers based on Kusto Functions to work as expected. These parsers are installed with the Microsoft Sentinel Solution for Veeam."
}
- },
- "parameters": {
- "$connections": {
- "value": {
- "azuresentinel": {
- "connectionName": "[[parameters('AzureSentinelConnectionName')]",
- "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
- }
- }
+ }
+ ]
+ },
+ {
+ "title": "1. Configuration steps for Veeam Data Connector",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "1. Configure your Veeam systems to export security and operational data.\n2. Set up data collection endpoints to ingest data into the custom Log Analytics tables.\n3. Ensure proper permissions are configured for data access.\n4. Verify connectivity and data flow to Microsoft Sentinel."
}
}
- }
+ ]
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
+ "title": "2. Coveware API Configuration",
+ "description": "Configure Coveware API credentials for security findings data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 2.1 Obtain Coveware API Credentials\n1. Log in to your Coveware management console\n2. Navigate to API settings or integrations section\n3. Create or configure an API application\n4. Generate or obtain a Bearer token for API access\n5. Note your Coveware API base URL"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware API URL",
+ "placeholder": "https://api.coveware.com",
+ "type": "text",
+ "name": "covewareApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Coveware Bearer Token",
+ "placeholder": "Your Coveware API Bearer Token",
+ "type": "password",
+ "name": "covewareBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "3. Veeam API Configuration",
+ "description": "Configure Veeam API credentials for all Veeam services (Malware Events, Security Analyzer, and Authorization Events).",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 3.1 Obtain Veeam API Access Token\n1. Access your Veeam Backup & Replication management console\n2. Navigate to the REST API settings or authentication section\n3. Generate or obtain a Bearer token for API access\n4. Ensure the token has appropriate permissions for:\n - Malware Detection API (v1.3-rev1)\n - Security & Compliance Analyzer API (v1.3-rev1)\n - Authorization Events API (v1.3-rev1)\n - Sessions API (v1.3-rev1)\n5. Note the API base URL (typically https://your-veeam-server.com:9419)\n6. This token will be used for both on-premises and CDN-hosted APIs"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam API URL",
+ "placeholder": "https://your-veeam-server.com:9419",
+ "type": "text",
+ "name": "veeamApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam Bearer Token",
+ "placeholder": "Your Veeam API Bearer Token",
+ "type": "password",
+ "name": "veeamBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "4. Veeam ONE API Configuration",
+ "description": "Configure Veeam ONE API credentials for triggered alarms data collection.",
+ "instructions": [
+ {
+ "type": "Markdown",
+ "parameters": {
+ "content": "#### 4.1 Obtain Veeam ONE API Access Key\n1. Access your Veeam ONE management console\n2. Navigate to Administration -> Users and Roles\n3. Create or use an existing user with API access permissions\n4. Generate or obtain a Bearer token for API access\n5. Note the Veeam ONE server URL and port (typically https://your-veeam-one-server:1239)"
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API URL",
+ "placeholder": "https://your-veeam-one-server:1239",
+ "type": "text",
+ "name": "veeamOneApiUrl",
+ "validations": {
+ "required": true
+ }
+ }
+ },
+ {
+ "type": "Textbox",
+ "parameters": {
+ "label": "Veeam ONE API Bearer Token",
+ "placeholder": "Your Veeam ONE API Bearer Token",
+ "type": "password",
+ "name": "veeamOneBearerToken",
+ "validations": {
+ "required": true
+ }
+ }
+ }
+ ]
+ },
+ {
+ "title": "5. Connect",
+ "description": "Enable the Veeam Data Connector.",
+ "instructions": [
+ {
+ "type": "ConnectionToggleButton",
+ "parameters": {
+ "connectLabel": "Connect",
+ "disconnectLabel": "Disconnect",
+ "name": "toggle"
+ }
+ }
+ ]
+ }
+ ]
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnectorDefinition2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "source": {
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
+ },
+ "author": {
+ "name": "Veeam Software",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Veeam Software",
+ "email": "microsoftappsupport@veeam.com",
+ "tier": "Partner",
+ "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/"
+ },
+ "dependencies": {
+ "criteria": [
+ {
+ "version": "[variables('dataConnectorCCPVersion')]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections2'), variables('dataConnectorCCPVersion'))]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "displayName": "Veeam Data Connector (via Codeless Connector Framework)",
+ "contentKind": "ResourcesDataConnector",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorCCPVersion')]",
+ "parameters": {
+ "guidValue": {
+ "defaultValue": "[[newGuid()]",
+ "type": "securestring"
+ },
+ "innerWorkspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "connectorDefinitionName": {
+ "defaultValue": "Veeam Data Connector (via Codeless Connector Framework)",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "workspace": {
+ "defaultValue": "[parameters('workspace')]",
+ "type": "securestring"
+ },
+ "dcrConfig": {
+ "defaultValue": {
+ "dataCollectionEndpoint": "data collection Endpoint",
+ "dataCollectionRuleImmutableId": "data collection rule immutableId"
+ },
+ "type": "object"
+ },
+ "covewareApiUrl": {
+ "defaultValue": "covewareApiUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "covewareBearerToken": {
+ "defaultValue": "covewareBearerToken",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "veeamApiUrl": {
+ "defaultValue": "veeamApiUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "veeamBearerToken": {
+ "defaultValue": "veeamBearerToken",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "veeamOneApiUrl": {
+ "defaultValue": "veeamOneApiUrl",
+ "type": "securestring",
+ "minLength": 1
+ },
+ "veeamOneBearerToken": {
+ "defaultValue": "veeamOneBearerToken",
+ "type": "securestring",
+ "minLength": 1
+ }
+ },
+ "variables": {
+ "_dataConnectorContentIdConnections2": "[variables('_dataConnectorContentIdConnections2')]"
+ },
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections2')))]",
+ "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
- "parentId": "[variables('playbookId3')]",
- "contentId": "[variables('_playbookContentId3')]",
- "kind": "Playbook",
- "version": "[variables('playbookVersion3')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections2'))]",
+ "contentId": "[variables('_dataConnectorContentIdConnections2')]",
+ "kind": "ResourcesDataConnector",
+ "version": "[variables('dataConnectorCCPVersion')]",
"source": {
- "kind": "Solution",
- "name": "Veeam",
- "sourceId": "[variables('_solutionId')]"
+ "sourceId": "[variables('_solutionId')]",
+ "name": "[variables('_solutionName')]",
+ "kind": "Solution"
},
"author": {
"name": "Veeam Software",
@@ -2958,82 +3419,339 @@
"link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/"
}
}
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'MalwareEventsPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/malwareDetection/events')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "detectedAfterTimeUtcFilter": "{_QueryWindowStartTime}",
+ "detectedBeforeTimeUtcFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "detectionTimeUtc",
+ "orderAsc": "true"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamMalwareEventsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamMalwareEventsV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'CovewareFindingPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('covewareBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('covewareApiUrl'),'/recon/v1/findings')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 360,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json"
+ },
+ "queryParameters": {
+ "earliest-event-time": "{_QueryWindowStartTime}"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "offset",
+ "pageSize": 250,
+ "pageSizeParameterName": "page-size"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamCovewareFindingsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamCovewareFindingsV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'OneTriggeredAlarmsPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamOneBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamOneApiUrl'),'/api/v2.3/alarms/triggeredAlarms')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 5,
+ "queryWindowInMin": 5,
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "Offset",
+ "pageSize": 1000,
+ "pageSizeParameterName": "Limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamOneTriggeredAlarmsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamOneTriggeredAlarmsV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'SecurityComplianceAnalyzerPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/securityAnalyzer/bestPractices')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 60,
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.items"
+ ],
+ "format": "json"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamSecurityComplianceAnalyzerV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamSecurityComplianceAnalyzerV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'AuthorizationEventsPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/authorization/events')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 5,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "createdAfterFilter": "{_QueryWindowStartTime}",
+ "createdBeforeFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "creationTime",
+ "orderAsc": "true"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamAuthorizationEventsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamAuthorizationEventsV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
+ },
+ {
+ "name": "[[concat(parameters('innerWorkspace'),'/Microsoft.SecurityInsights/', 'SessionsPoller', parameters('guidValue'))]",
+ "apiVersion": "2023-02-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "RestApiPoller",
+ "properties": {
+ "auth": {
+ "type": "APIKey",
+ "ApiKey": "[[parameters('veeamBearerToken')]",
+ "ApiKeyName": "Authorization",
+ "ApiKeyIdentifier": "Bearer"
+ },
+ "request": {
+ "apiEndpoint": "[[concat(parameters('veeamApiUrl'),'/api/v1/sessions')]",
+ "httpMethod": "GET",
+ "rateLimitQPS": 2,
+ "queryWindowInMin": 15,
+ "queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
+ "retryCount": 3,
+ "timeoutInSeconds": 30,
+ "headers": {
+ "Content-Type": "application/json",
+ "Accept": "application/json",
+ "x-api-version": "1.3-rev1"
+ },
+ "queryParameters": {
+ "createdAfterFilter": "{_QueryWindowStartTime}",
+ "createdBeforeFilter": "{_QueryWindowEndTime}",
+ "orderColumn": "creationTime",
+ "orderAsc": "true",
+ "skip": "0"
+ }
+ },
+ "response": {
+ "eventsJsonPaths": [
+ "$.data"
+ ],
+ "format": "json"
+ },
+ "paging": {
+ "pagingType": "Offset",
+ "offsetParaName": "skip",
+ "pageSize": 1000,
+ "pageSizeParameterName": "limit"
+ },
+ "connectorDefinitionName": "VeeamConnector",
+ "dataType": "VeeamSessionsV2_CL",
+ "dcrConfig": {
+ "streamName": "Custom-VeeamSessionsV2_CL",
+ "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
+ "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
+ }
+ }
}
- ],
- "metadata": {
- "title": "Veeam-CollectSecurityComplianceAnalyzerResult",
- "description": "A Microsoft Sentinel playbook that automatically collects Veeam Security Compliance Analyzer results from Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetSecurityComplianceAnalyzerResults function for each enabled server, ingesting the data into custom tables.",
- "prerequisites": [
- "1. Microsoft Sentinel workspace configured.",
- "2. Permissions to create Logic Apps and API Connections.",
- "3. Permissions to assign roles to the Resource Group.",
- "4. Veeam Azure Function App deployed and configured.",
- "5. VBR Settings watchlist configured in Microsoft Sentinel.",
- "6. Hybrid Connection and Key Vault secrets configured for each VBR Server."
- ],
- "tags": [
- "Automation",
- "Veeam",
- "BestPractice",
- "Analysis",
- "Collection"
- ],
- "lastUpdateTime": "2025-08-25T00:00:00Z",
- "parameterTemplateVersion": "1.0.0",
- "postDeployment": [
- "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Security and Compliance Analyzer Results' flag set to true on servers from which you want to collect data."
- ],
- "releaseNotes": {
- "version": "1.0",
- "title": "[variables('blanks')]",
- "notes": [
- "Initial version"
- ]
- }
- }
+ ]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
+ "contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections2'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId3')]",
- "contentKind": "Playbook",
- "displayName": "Veeam-CollectSecurityComplianceAnalyzerResult",
- "contentProductId": "[variables('_playbookcontentProductId3')]",
- "id": "[variables('_playbookcontentProductId3')]",
- "version": "[variables('playbookVersion3')]"
+ "version": "[variables('dataConnectorCCPVersion')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName4')]",
+ "name": "[variables('playbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-CollectMalwareEvents Playbook with template version 3.0.2",
+ "description": "Veeam-ChangeCollectionTime Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion4')]",
+ "contentVersion": "[variables('playbookVersion1')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-CollectMalwareEvents",
"type": "string",
+ "defaultValue": "Veeam-ChangeCollectionTime",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
}
},
- "functionAppName": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Name of the Azure Function App for Veeam integration"
- }
- },
"workspaceId": {
"defaultValue": "",
"type": "string",
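Review bot: The `SessionsPoller` sets a static `"skip": "0"` in `queryParameters` while its `paging` block also drives `skip` through `offsetParaName`, which the `MalwareEventsPoller` and `AuthorizationEventsPoller` (same API version, same paging settings) do not do. Depending on how the poller merges the two, the request may carry `skip` twice or keep it pinned at 0, so later pages of `/api/v1/sessions` could be missed or re-read; I would drop the `"skip": "0"` line and leave the offset to `paging`. Separately, every `apiEndpoint` is a `concat(...)` of a user-supplied URL parameter and the bearer token is sent in the `Authorization` header, yet nothing in this hunk restricts that URL to `https://`; a scheme check on the URL inputs would keep the token off cleartext connections. The template parameters and the enclosing `resources` array are defined above this hunk, so the check itself belongs there, or in the source connector files if this template is generated.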
@@ -3042,22 +3760,63 @@
}
},
"AzureSentinelConnectionName": {
- "defaultValue": "azuresentinel-connection",
"type": "string",
+ "defaultValue": "azuresentinel-connection",
"metadata": {
"description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
}
},
- "resourceGroupName": {
- "defaultValue": "[resourceGroup().name]",
+ "subscriptionId": {
"type": "string",
+ "defaultValue": "[subscription().subscriptionId]",
"metadata": {
- "description": "Name of the resource group containing the Microsoft Sentinel workspace"
+ "description": "Azure subscription ID"
}
- }
- },
+ },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "Name of the resource group containing the Logic Apps to be updated"
+ }
+ },
+ "environmentResourceManagerUrl": {
+ "type": "string",
+ "defaultValue": "[environment().resourceManager]",
+ "metadata": {
+ "description": "Resource Manager URL for the Azure environment"
+ }
+ },
+ "logicAppsApiVersion": {
+ "type": "string",
+ "defaultValue": "2019-05-01",
+ "metadata": {
+ "description": "API version to use for Logic Apps operations"
+ }
+ },
+ "watchlistName": {
+ "type": "string",
+ "defaultValue": "collection_schedule_settings",
+ "metadata": {
+ "description": "Name of the watchlist containing collection schedule settings"
+ }
+ },
+ "defaultRecurrenceInterval": {
+ "type": "string",
+ "defaultValue": "12",
+ "metadata": {
+ "description": "Default recurrence interval to use when not specified in watchlist"
+ }
+ },
+ "defaultRecurrenceFrequency": {
+ "type": "string",
+ "defaultValue": "Hour",
+ "metadata": {
+ "description": "Default recurrence frequency to use when not specified in watchlist"
+ }
+ }
+ },
"variables": {
- "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-1": "[[variables('connection-1')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
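Review bot: `environmentResourceManagerUrl` is exposed as a free-form string parameter, so whoever deploys the playbook can point it at any host. Its use is outside this hunk, but if the workflow builds its management API calls from it and authenticates them with the Logic App's managed identity, an overridden value would send that identity's token to an endpoint that is not Azure Resource Manager. I would either drop the parameter and keep the `environment().resourceManager` value in a variable, or state the constraint in the description, e.g. `"description": "Resource Manager URL for the Azure environment; keep the default unless deploying to another Azure cloud"`.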
@@ -3067,7 +3826,7 @@
"resources": [
{
"type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
+ "apiVersion": "2018-07-01-preview",
"name": "[[parameters('AzureSentinelConnectionName')]",
"location": "[[variables('workspace-location-inline')]",
"properties": {
@@ -3080,20 +3839,17 @@
},
{
"type": "Microsoft.Logic/workflows",
- "apiVersion": "2017-07-01",
+ "apiVersion": "2019-05-01",
"name": "[[parameters('PlaybookName')]",
"location": "[[variables('workspace-location-inline')]",
"identity": {
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-CollectMalwareEvents",
+ "hidden-SentinelTemplateName": "Veeam-ChangeCollectionTime",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]"
- ],
"properties": {
"state": "Enabled",
"definition": {
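Review bot: The `dependsOn` entry for the `Microsoft.Web/connections` resource is removed from the workflow, while the template still declares that connection and a later hunk shows the workflow starting with an `ApiConnection` action. If the workflow's `$connections` value still refers to the connection only through `resourceId(...)` (that part is outside this hunk), Resource Manager has no implicit ordering between the two resources and the Logic App may be deployed before the connection exists. Unless that reference was removed as well, I would keep `"dependsOn": [ "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" ],`. The workflow resource continues past the end of the hunk.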
@@ -3103,10 +3859,6 @@
"$connections": {
"type": "Object"
},
- "functionAppName": {
- "defaultValue": "[[parameters('functionAppName')]",
- "type": "String"
- },
"workspaceId": {
"defaultValue": "[[parameters('workspaceId')]",
"type": "String"
@@ -3118,23 +3870,41 @@
"subscriptionId": {
"defaultValue": "[[subscription().subscriptionId]",
"type": "String"
+ },
+ "watchlistName": {
+ "defaultValue": "[[parameters('watchlistName')]",
+ "type": "String"
+ },
+ "environmentResourceManagerUrl": {
+ "defaultValue": "[[parameters('environmentResourceManagerUrl')]",
+ "type": "String"
+ },
+ "logicAppsApiVersion": {
+ "defaultValue": "[[parameters('logicAppsApiVersion')]",
+ "type": "String"
}
},
"triggers": {
- "Every_1_day": {
- "recurrence": {
- "interval": 1,
- "frequency": "Day"
- },
- "evaluatedRecurrence": {
- "interval": 1,
- "frequency": "Day"
- },
- "type": "Recurrence"
+ "manual": {
+ "type": "Request",
+ "kind": "Http",
+ "inputs": {
+ "schema": {
+ "type": "object",
+ "properties": {
+ "recurrenceInterval": {
+ "default": "[[parameters('defaultRecurrenceInterval')]"
+ },
+ "recurrenceFrequency": {
+ "default": "[[parameters('defaultRecurrenceFrequency')]"
+ }
+ }
+ }
+ }
}
},
"actions": {
- "Watchlists_-_Get_VBR_Settings": {
+ "Watchlists_-_Get_all_Collection_Times": {
"type": "ApiConnection",
"inputs": {
"host": {
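Review bot: The new `manual` Request trigger takes `recurrenceInterval` and `recurrenceFrequency` from the HTTP body, but the schema gives them only a `default` and no `type` or allowed values. Any caller holding the trigger's callback URL can therefore submit arbitrary values, and the actions that apply them to other Logic Apps (outside this hunk) would have to cope with them. I would type both properties and restrict the frequency to what the collection playbooks support, e.g. `"recurrenceFrequency": { "type": "string", "enum": ["Minute", "Hour", "Day", "Week", "Month"], "default": "[[parameters('defaultRecurrenceFrequency')]" }`, and turn on schema validation for the trigger so that the constraint is enforced. The replacement of the scheduled trigger by an HTTP one also means the callback URL should be handled as a credential.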
@@ -3143,18 +3913,13 @@
}
},
"method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems"
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent(parameters('watchlistName'))}/watchlistItems"
}
},
- "Parse_VBR_settings": {
- "runAfter": {
- "Watchlists_-_Get_VBR_Settings": [
- "Succeeded"
- ]
- },
+ "Parse_settings": {
"type": "ParseJson",
"inputs": {
- "content": "@body('Watchlists_-_Get_VBR_Settings')",
+ "content": "@body('Watchlists_-_Get_all_Collection_Times')",
"schema": {
"type": "object",
"properties": {
@@ -3162,65 +3927,124 @@
"type": "object",
"properties": {
"watchlistItems": {
- "type": "array",
- "items": {
- "type": "object",
- "properties": {
- "properties.itemsKeyValue": {
- "type": "object",
- "properties": {
- "Veeam Server Name": {
- "type": "string"
- },
- "Base URL": {
- "type": "string"
- },
- "Collect Malware Events": {
- "type": "string"
- },
- "Key Vault Password ID": {
- "type": "string"
- },
- "Key Vault Username ID": {
- "type": "string"
- }
- }
- }
- }
- }
+ "type": "array"
}
}
}
}
}
+ },
+ "runAfter": {
+ "Watchlists_-_Get_all_Collection_Times": [
+ "Succeeded"
+ ]
}
},
- "For_each_VBR_server": {
- "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']",
+ "For_each": {
+ "type": "Foreach",
+ "foreach": "@body('Parse_settings')?['properties']?['watchlistItems']",
"actions": {
- "Parse_current_VBR_server": {
+ "Parse_setting": {
"type": "ParseJson",
"inputs": {
- "content": "@items('For_each_VBR_server')",
+ "content": "@items('For_each')",
"schema": {
"type": "object",
"properties": {
+ "properties.watchlistItemType": {
+ "type": "string"
+ },
+ "properties.watchlistItemId": {
+ "type": "string"
+ },
+ "properties.tenantId": {
+ "type": "string"
+ },
+ "properties.isDeleted": {
+ "type": "boolean"
+ },
+ "properties.created": {
+ "type": "string"
+ },
+ "properties.updated": {
+ "type": "string"
+ },
+ "properties.createdBy": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "objectId": {
+ "type": "string"
+ }
+ }
+ },
+ "properties.updatedBy": {
+ "type": "object",
+ "properties": {
+ "email": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "objectId": {
+ "type": "string"
+ }
+ }
+ },
"properties.itemsKeyValue": {
"type": "object",
"properties": {
- "Veeam Server Name": {
+ "CollectionPlaybookName": {
"type": "string"
},
- "Base URL": {
+ "RecurrenceInterval": {
"type": "string"
},
- "Collect Malware Events": {
+ "TimeUnit": {
+ "type": "string"
+ }
+ }
+ },
+ "properties.entityMapping": {
+ "type": "object"
+ },
+ "etag": {
+ "type": "string"
+ },
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "systemData": {
+ "type": "object",
+ "properties": {
+ "createdBy": {
"type": "string"
},
- "Key Vault Password ID": {
+ "createdByType": {
"type": "string"
},
- "Key Vault Username ID": {
+ "createdAt": {
+ "type": "string"
+ },
+ "lastModifiedBy": {
+ "type": "string"
+ },
+ "lastModifiedByType": {
+ "type": "string"
+ },
+ "lastModifiedAt": {
"type": "string"
}
}
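Review bot: The `Parse_setting` schema accepts any string, or nothing at all, for `CollectionPlaybookName`, `RecurrenceInterval` and `TimeUnit`, although later actions use these watchlist fields to pick the workflow to rewrite and pass them to `int()` and the trigger's `frequency`. Under `properties.itemsKeyValue` I would add `"required": ["CollectionPlaybookName"]`, `"pattern": "^[0-9]+$"` on `RecurrenceInterval`, and `"enum": ["Minute", "Hour", "Day", "Week", "Month"]` on `TimeUnit`, so a malformed row fails at parse time rather than during the update. It is worth confirming that the Parse JSON action enforces `pattern` and `enum` in this runtime; if it does not, the same checks belong in a Condition action ahead of the update. The `Parse_setting` action closes outside this hunk.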
@@ -3229,52 +4053,209 @@
}
}
},
- "If_malware_event_collection_is_enabled": {
- "actions": {
- "Collect_Malware_Events_into_VeeamMalwareEventsTable_CL": {
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetAllMalwareEventsAsync')]"
- }
- }
- }
- },
- "runAfter": {
- "Parse_current_VBR_server": [
- "Succeeded"
- ]
+ "Get_Current_Workflow_Definition": {
+ "type": "Http",
+ "inputs": {
+ "uri": "@concat(parameters('environmentResourceManagerUrl'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Logic/workflows/', body('Parse_setting')?['properties.itemsKeyValue']?['CollectionPlaybookName'], '?api-version=', parameters('logicAppsApiVersion'))",
+ "method": "GET",
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
},
- "else": {
- "actions": {
- "Print_baseUrl": {
- "type": "Compose",
- "inputs": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Base URL']"
+ "runAfter": {
+ "Parse_setting": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Parse_Workflow_Definition": {
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Get_Current_Workflow_Definition')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "properties": {
+ "type": "object",
+ "properties": {
+ "provisioningState": {
+ "type": "string"
+ },
+ "createdTime": {
+ "type": "string"
+ },
+ "changedTime": {
+ "type": "string"
+ },
+ "state": {
+ "type": "string"
+ },
+ "version": {
+ "type": "string"
+ },
+ "accessEndpoint": {
+ "type": "string"
+ },
+ "definition": {
+ "type": "object",
+ "properties": {
+ "$schema": {
+ "type": "string"
+ },
+ "contentVersion": {
+ "type": "string"
+ },
+ "parameters": {
+ "type": "object"
+ },
+ "triggers": {
+ "type": "object"
+ },
+ "actions": {
+ "type": "object"
+ },
+ "outputs": {
+ "type": "object"
+ }
+ }
+ },
+ "parameters": {
+ "type": "object"
+ },
+ "endpointsConfiguration": {
+ "type": "object"
+ }
+ }
+ },
+ "id": {
+ "type": "string"
+ },
+ "name": {
+ "type": "string"
+ },
+ "type": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "tags": {
+ "type": "object"
+ },
+ "identity": {
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string"
+ },
+ "principalId": {
+ "type": "string"
+ },
+ "tenantId": {
+ "type": "string"
+ }
+ }
+ }
}
}
},
- "expression": {
- "and": [
- {
- "equals": [
- "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']",
- "true"
- ]
- }
+ "runAfter": {
+ "Get_Current_Workflow_Definition": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Compose_Updated_Definition": {
+ "type": "Compose",
+ "inputs": {
+ "location": "@body('Parse_Workflow_Definition')?['location']",
+ "identity": "@body('Parse_Workflow_Definition')?['identity']",
+ "properties": {
+ "state": "Enabled",
+ "definition": {
+ "$schema": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['$schema']",
+ "contentVersion": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['contentVersion']",
+ "parameters": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['parameters']",
+ "triggers": {
+ "Every_@{int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))}_@{coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')}": {
+ "recurrence": {
+ "interval": "@int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))",
+ "frequency": "@coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')"
+ },
+ "evaluatedRecurrence": {
+ "interval": "@int(coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['RecurrenceInterval'], '12'))",
+ "frequency": "@coalesce(body('Parse_setting')?['properties.itemsKeyValue']?['TimeUnit'], 'Hour')"
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['actions']",
+ "outputs": "@body('Parse_Workflow_Definition')?['properties']?['definition']?['outputs']"
+ },
+ "parameters": "@body('Parse_Workflow_Definition')?['properties']?['parameters']"
+ }
+ },
+ "runAfter": {
+ "Parse_Workflow_Definition": [
+ "Succeeded"
]
+ }
+ },
+ "Update_Events_Workflow": {
+ "type": "Http",
+ "inputs": {
+ "uri": "@concat(parameters('environmentResourceManagerUrl'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Logic/workflows/', body('Parse_setting')?['properties.itemsKeyValue']?['CollectionPlaybookName'], '?api-version=', parameters('logicAppsApiVersion'))",
+ "method": "PUT",
+ "headers": {
+ "Content-Type": "application/json"
+ },
+ "body": "@outputs('Compose_Updated_Definition')",
+ "authentication": {
+ "type": "ManagedServiceIdentity"
+ }
},
- "type": "If"
+ "runAfter": {
+ "Compose_Updated_Definition": [
+ "Succeeded"
+ ]
+ }
}
},
"runAfter": {
- "Parse_VBR_settings": [
+ "Parse_settings": [
"Succeeded"
]
+ }
+ },
+ "Response_Success": {
+ "type": "Response",
+ "inputs": {
+ "statusCode": 200,
+ "body": {
+ "message": "Successfully updated collection schedule",
+ "processedWorkflows": "@length(body('Parse_settings')?['properties']?['watchlistItems'])"
+ }
},
- "type": "Foreach"
+ "runAfter": {
+ "For_each": [
+ "Succeeded"
+ ]
+ }
+ },
+ "Response_Error": {
+ "type": "Response",
+ "inputs": {
+ "statusCode": 500,
+ "body": {
+ "message": "Failed to update collection schedule",
+ "error": "@actions('For_each')?['error']"
+ }
+ },
+ "runAfter": {
+ "For_each": [
+ "Failed"
+ ]
+ }
}
}
},
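Review bot: `CollectionPlaybookName` comes from the watchlist row and is concatenated unencoded into the ARM `uri` of both `Get_Current_Workflow_Definition` and `Update_Events_Workflow`, so whoever can edit the watchlist decides which workflow in the resource group the managed identity reads and overwrites, and a value containing `/` or `?` changes the request path. Wrap it as `encodeURIComponent(body('Parse_setting')?['properties.itemsKeyValue']?['CollectionPlaybookName'])`, as the Watchlists `path` already does for its segments, and gate the loop body on the name being one of the expected Veeam collection playbooks. `Compose_Updated_Definition` also hard-codes `"state": "Enabled"` and leaves out `tags`, so the PUT would re-enable a playbook an operator had disabled and, because the body replaces the resource, probably drop its `hidden-Sentinel*` tags; carrying over `@body('Parse_Workflow_Definition')?['properties']?['state']` and `?['tags']` avoids both. `Response_Error` returns the raw `error` object of `For_each` to the HTTP caller; a fixed message, with the details left in run history, would expose less.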
@@ -3284,7 +4265,7 @@
"azuresentinel": {
"connectionName": "[[parameters('AzureSentinelConnectionName')]",
"connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"connectionProperties": {
"authentication": {
"type": "ManagedServiceIdentity"
@@ -3294,17 +4275,20 @@
}
}
}
- }
+ },
+ "dependsOn": [
+ "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]"
+ ]
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId4')]",
- "contentId": "[variables('_playbookContentId4')]",
+ "parentId": "[variables('playbookId1')]",
+ "contentId": "[variables('_playbookContentId1')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion4')]",
+ "version": "[variables('playbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Veeam",
@@ -3324,27 +4308,33 @@
}
],
"metadata": {
- "title": "Veeam-CollectMalwareEvents",
- "description": "A Microsoft Sentinel playbook that automatically collects malware events from Veeam Backup & Replication servers on a schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetMalwareEvents function for each enabled server, ingesting the data into custom tables.",
+ "_generator": {
+ "name": "bicep",
+ "version": "0.36.177.2456",
+ "templateHash": "5498632779764501884"
+ },
+ "title": "Veeam-ChangeCollectionTime",
+ "description": "This Microsoft Sentinel playbook adjusts the recurrence intervals for Veeam collection playbooks based on settings in the collection_schedule_settings watchlist.",
"prerequisites": [
"1. Microsoft Sentinel workspace configured.",
"2. Permissions to create Logic Apps and API Connections.",
- "3. Permissions to assign roles to the Resource Group.",
- "4. Veeam Azure Function App deployed and configured.",
- "5. VBR Settings watchlist configured in Microsoft Sentinel.",
- "6. Hybrid Connection and Key Vault secrets configured for each VBR Server."
+ "3. Permissions to assign roles to the Resource Group and Log Analytics workspace.",
+ "4. Collection schedule settings watchlist configured in Microsoft Sentinel.",
+ "5. Logic App Contributor permissions for managing other workflows."
],
"tags": [
"Automation",
"Veeam",
- "Malware",
- "Collection"
+ "Schedule",
+ "Collection",
+ "Configuration"
],
- "lastUpdateTime": "2025-08-25T00:00:00Z",
+ "lastUpdateTime": "2025-08-20T00:00:01Z",
"parameterTemplateVersion": "1.0.0",
"postDeployment": [
"1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Malware Events' flag set to true on servers from which you want to collect data."
+ "2. Assign the Logic App Contributor role to the Logic App's managed identity on the Resource Group.",
+ "3. Configure the collection_schedule_settings watchlist with required schedule data."
],
"releaseNotes": {
"version": "1.0",
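Review bot: Post-deployment step 2 grants the playbook's managed identity Logic App Contributor on the whole Resource Group, which lets it rewrite every Logic App there and not only the Veeam collection playbooks whose schedule it manages. I would word it as `"2. Assign the Logic App Contributor role to the Logic App's managed identity on each Veeam collection playbook it should reschedule, or on a resource group that holds only those playbooks."`. Prerequisite 4, post-deployment step 3 and the description name the `collection_schedule_settings` watchlist, while the workflow reads the watchlist given by the `watchlistName` parameter (its default is not visible here), so the text should say that the two must match.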
@@ -3360,30 +4350,30 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId4')]",
+ "contentId": "[variables('_playbookContentId1')]",
"contentKind": "Playbook",
- "displayName": "Veeam-CollectMalwareEvents",
- "contentProductId": "[variables('_playbookcontentProductId4')]",
- "id": "[variables('_playbookcontentProductId4')]",
- "version": "[variables('playbookVersion4')]"
- }
- },
+ "displayName": "Veeam-ChangeCollectionTime",
+ "contentProductId": "[variables('_playbookcontentProductId1')]",
+ "id": "[variables('_playbookcontentProductId1')]",
+ "version": "[variables('playbookVersion1')]"
+ }
+ },
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName5')]",
+ "name": "[variables('playbookTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-CollectVeeamONEAlarms Playbook with template version 3.0.2",
+ "description": "Veeam-CollectVeeamAuthorizationEvents Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion5')]",
+ "contentVersion": "[variables('playbookVersion2')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-CollectVeeamONEAlarms",
+ "defaultValue": "Veeam-CollectVeeamAuthorizationEvents",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
@@ -3449,7 +4439,7 @@
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-CollectVeeamONEAlarms",
+ "hidden-SentinelTemplateName": "Veeam-CollectVeeamAuthorizationEvents",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
@@ -3481,26 +4471,26 @@
"defaultValue": "[[subscription().subscriptionId]",
"type": "String"
},
- "VoneHostName": {
- "defaultValue": "vone1",
+ "VbrHostName": {
+ "defaultValue": "vbr1",
"type": "String"
}
},
"triggers": {
- "Every_1_day": {
+ "Every_24_hours": {
"recurrence": {
- "interval": 1,
- "frequency": "Day"
+ "interval": 24,
+ "frequency": "Hour"
},
"evaluatedRecurrence": {
- "interval": 1,
- "frequency": "Day"
+ "interval": 24,
+ "frequency": "Hour"
},
"type": "Recurrence"
}
},
"actions": {
- "Watchlists_-_Get_Veeam_ONE_Settings": {
+ "Watchlists_-_Get_VBR_Settings": {
"type": "ApiConnection",
"inputs": {
"host": {
@@ -3509,18 +4499,18 @@
}
},
"method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems"
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems"
}
},
- "Parse_Veeam_ONE_settings": {
+ "Parse_VBR_settings": {
"runAfter": {
- "Watchlists_-_Get_Veeam_ONE_Settings": [
+ "Watchlists_-_Get_VBR_Settings": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
- "content": "@body('Watchlists_-_Get_Veeam_ONE_Settings')",
+ "content": "@body('Watchlists_-_Get_VBR_Settings')",
"schema": {
"type": "object",
"properties": {
@@ -3541,7 +4531,7 @@
"Base URL": {
"type": "string"
},
- "Collect Alarms": {
+ "Collect Authorization Events": {
"type": "string"
},
"Key Vault Password ID": {
@@ -3561,13 +4551,13 @@
}
}
},
- "For_each_Veeam_ONE_server": {
- "foreach": "@body('Parse_Veeam_ONE_settings')?['properties']?['watchlistItems']",
+ "For_each_VBR": {
+ "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']",
"actions": {
- "Parse_current_Veeam_ONE_server": {
+ "Parse_current_VBR": {
"type": "ParseJson",
"inputs": {
- "content": "@items('For_each_Veeam_ONE_server')",
+ "content": "@items('For_each_VBR')",
"schema": {
"type": "object",
"properties": {
@@ -3580,7 +4570,7 @@
"Base URL": {
"type": "string"
},
- "Collect Alarms": {
+ "Collect Authorization Events": {
"type": "string"
},
"Key Vault Password ID": {
@@ -3595,22 +4585,22 @@
}
}
},
- "If_alarm_collection_is_enabled": {
+ "If_authorization_events_collection_is_enabled": {
"actions": {
- "Collect_Vone_Alarms_into_VoneAlarmsTable_CL": {
+ "Collect_Authorization_Events_into_VeeamAuthorizationEventsTable_CL": {
"type": "Function",
"inputs": {
"queries": {
- "voneHostName": "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']"
+ "vbrHostName": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Veeam Server Name']"
},
"function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetAllTriggeredAlarmsAsync')]"
+ "id": "[[concat(variables('functionAppId'), '/functions/GetAllAuthorizationEventsAsync')]"
}
}
}
},
"runAfter": {
- "Parse_current_Veeam_ONE_server": [
+ "Parse_current_VBR": [
"Succeeded"
]
},
@@ -3618,7 +4608,7 @@
"actions": {
"Print_baseUrl": {
"type": "Compose",
- "inputs": "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Base URL']"
+ "inputs": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Base URL']"
}
}
},
@@ -3626,7 +4616,7 @@
"and": [
{
"equals": [
- "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Collect Alarms']",
+ "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Collect Authorization Events']",
"true"
]
}
@@ -3636,7 +4626,7 @@
}
},
"runAfter": {
- "Parse_Veeam_ONE_settings": [
+ "Parse_VBR_settings": [
"Succeeded"
]
},
@@ -3665,12 +4655,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId5')]",
- "contentId": "[variables('_playbookContentId5')]",
+ "parentId": "[variables('playbookId2')]",
+ "contentId": "[variables('_playbookContentId2')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion5')]",
+ "version": "[variables('playbookVersion2')]",
"source": {
"kind": "Solution",
"name": "Veeam",
@@ -3690,28 +4680,27 @@
}
],
"metadata": {
- "title": "Veeam-CollectVeeamONEAlarms",
- "description": "This Microsoft Sentinel playbook automatically collects Veeam ONE alarms on a schedule. Retrieves Veeam ONE settings from the watchlist and calls the GetVoneAlarms function for each enabled server, ingesting the data into custom tables.",
+ "title": "Veeam-CollectVeeamAuthorizationEvents",
+ "description": "This Microsoft Sentinel playbook automatically collects Veeam authorization events Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetAllAuthorizationEventsAsync function for each enabled server, ingesting the data into custom tables.",
"prerequisites": [
"1. Microsoft Sentinel workspace configured.",
"2. Permissions to create Logic Apps and API Connections.",
"3. Permissions to assign roles to the Resource Group.",
"4. Veeam Azure Function App deployed and configured.",
- "5. Veeam ONE Settings watchlist configured in Microsoft Sentinel.",
- "6. Hybrid Connection and Key Vault secrets configured for each Veeam ONE Server."
+ "5. VBR Settings watchlist configured in Microsoft Sentinel.",
+ "6. Hybrid Connection and Key Vault secrets configured for each VBR Server."
],
"tags": [
"Automation",
"Veeam",
- "VeeamONE",
- "Alarms",
+ "Authorization",
"Collection"
],
"lastUpdateTime": "2025-08-25T00:00:00Z",
"parameterTemplateVersion": "1.0.0",
"postDeployment": [
"1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the Veeam ONE Settings watchlist is properly configured with the 'Collect Alarms' flag set to true on servers from which you want to collect data."
+ "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Authorization Events' flag set to true on servers from which you want to collect data."
],
"releaseNotes": {
"version": "1.0",
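Review bot: The new `description` reads "collects Veeam authorization events Veeam Backup & Replication servers on schedule"; the word "from" is missing. Suggested opening: `This Microsoft Sentinel playbook automatically collects Veeam authorization events from Veeam Backup & Replication servers on a schedule.` The rest of the string can stay as it is.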
@@ -3727,30 +4716,30 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId5')]",
+ "contentId": "[variables('_playbookContentId2')]",
"contentKind": "Playbook",
- "displayName": "Veeam-CollectVeeamONEAlarms",
- "contentProductId": "[variables('_playbookcontentProductId5')]",
- "id": "[variables('_playbookcontentProductId5')]",
- "version": "[variables('playbookVersion5')]"
+ "displayName": "Veeam-CollectVeeamAuthorizationEvents",
+ "contentProductId": "[variables('_playbookcontentProductId2')]",
+ "id": "[variables('_playbookcontentProductId2')]",
+ "version": "[variables('playbookVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName6')]",
+ "name": "[variables('playbookTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-CollectCovewareFindings Playbook with template version 3.0.2",
+ "description": "Veeam-CollectSecurityComplianceAnalyzerResult Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion6')]",
+ "contentVersion": "[variables('playbookVersion3')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-CollectCovewareFindings",
+ "defaultValue": "Veeam-CollectSecurityComplianceAnalyzerResult",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
@@ -3816,7 +4805,7 @@
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-CollectCovewareFindings",
+ "hidden-SentinelTemplateName": "Veeam-CollectSecurityComplianceAnalyzerResult",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
@@ -3848,26 +4837,26 @@
"defaultValue": "[[subscription().subscriptionId]",
"type": "String"
},
- "Coveware Server Name": {
- "defaultValue": "CovewareServer01",
+ "VbrHostName": {
+ "defaultValue": "vbr1",
"type": "String"
}
},
"triggers": {
- "Every_6_hours": {
+ "Every_24_hours": {
"recurrence": {
- "interval": 6,
+ "interval": 24,
"frequency": "Hour"
},
"evaluatedRecurrence": {
- "interval": 6,
+ "interval": 24,
"frequency": "Hour"
},
"type": "Recurrence"
}
},
"actions": {
- "Watchlists_-_Get_Coveware_Settings": {
+ "Watchlists_-_Get_VBR_Settings": {
"type": "ApiConnection",
"inputs": {
"host": {
@@ -3876,18 +4865,18 @@
}
},
"method": "get",
- "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('coveware_settings')}/watchlistItems"
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems"
}
},
- "Parse_Coveware_Settings": {
+ "Parse_VBR_settings": {
"runAfter": {
- "Watchlists_-_Get_Coveware_Settings": [
+ "Watchlists_-_Get_VBR_Settings": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
- "content": "@body('Watchlists_-_Get_Coveware_Settings')",
+ "content": "@body('Watchlists_-_Get_VBR_Settings')",
"schema": {
"type": "object",
"properties": {
@@ -3902,13 +4891,13 @@
"properties.itemsKeyValue": {
"type": "object",
"properties": {
- "Coveware Server Name": {
+ "Veeam Server Name": {
"type": "string"
},
"Base URL": {
"type": "string"
},
- "Collect Coveware Findings": {
+ "Collect Security and Compliance Analyzer Results": {
"type": "string"
},
"Key Vault Password ID": {
@@ -3928,26 +4917,26 @@
}
}
},
- "For_each_Coveware_Server": {
- "foreach": "@body('Parse_Coveware_Settings')?['properties']?['watchlistItems']",
+ "For_each_VBR": {
+ "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']",
"actions": {
- "Parse_current_Coveware_Server": {
+ "Parse_current_VBR": {
"type": "ParseJson",
"inputs": {
- "content": "@items('For_each_Coveware_Server')",
+ "content": "@items('For_each_VBR')",
"schema": {
"type": "object",
"properties": {
"properties.itemsKeyValue": {
"type": "object",
"properties": {
- "Coveware Server Name": {
+ "Veeam Server Name": {
"type": "string"
},
"Base URL": {
"type": "string"
},
- "Collect Coveware Findings": {
+ "Collect Security and Compliance Analyzer Results": {
"type": "string"
},
"Key Vault Password ID": {
@@ -3962,22 +4951,22 @@
}
}
},
- "If_Coveware_findings_collection_is_enabled": {
+ "If_best_practice_analysis_collection_is_enabled": {
"actions": {
- "Collect_Coveware_Findings_into_CovewareFindingsTable_CL": {
+ "Collect_Best_Practice_Analysis_into_VeeamBestPracticeAnalysisTable_CL": {
"type": "Function",
"inputs": {
"queries": {
- "covewareServerName": "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Coveware Server Name']"
+ "vbrHostName": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Veeam Server Name']"
},
"function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetAllCovewareFindingsAsync')]"
+ "id": "[[concat(variables('functionAppId'), '/functions/GetSecurityComplianceAnalyzerResultsAsync')]"
}
}
}
},
"runAfter": {
- "Parse_current_Coveware_Server": [
+ "Parse_current_VBR": [
"Succeeded"
]
},
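Review bot: The renamed actions `If_best_practice_analysis_collection_is_enabled` and `Collect_Best_Practice_Analysis_into_VeeamBestPracticeAnalysisTable_CL` still use "best practice analysis" wording, while the function they call is `GetSecurityComplianceAnalyzerResultsAsync` and the connector description lists the table as `VeeamSecurityComplianceAnalyzerV2_CL`. Action names appear in run history and in `runAfter` references, so names that match the feature, e.g. `If_security_compliance_analyzer_collection_is_enabled` and `Collect_Security_Compliance_Analyzer_Results`, keep troubleshooting unambiguous. The same applies to the `BestPractice` and `Analysis` tags in this playbook's metadata hunk. The `If` action continues outside this hunk.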
@@ -3985,7 +4974,7 @@
"actions": {
"Print_baseUrl": {
"type": "Compose",
- "inputs": "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Base URL']"
+ "inputs": "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Base URL']"
}
}
},
@@ -3993,7 +4982,7 @@
"and": [
{
"equals": [
- "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Collect Coveware Findings']",
+ "@body('Parse_current_VBR')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']",
"true"
]
}
@@ -4003,7 +4992,7 @@
}
},
"runAfter": {
- "Parse_Coveware_Settings": [
+ "Parse_VBR_settings": [
"Succeeded"
]
},
@@ -4032,12 +5021,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId6')]",
- "contentId": "[variables('_playbookContentId6')]",
+ "parentId": "[variables('playbookId3')]",
+ "contentId": "[variables('_playbookContentId3')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion6')]",
+ "version": "[variables('playbookVersion3')]",
"source": {
"kind": "Solution",
"name": "Veeam",
@@ -4057,26 +5046,28 @@
}
],
"metadata": {
- "title": "Veeam-CollectCovewareFindings",
- "description": "This Microsoft Sentinel playbook automatically collects Coveware findings on a schedule. Retrieves Coveware settings from watchlist and calls the GetCovewareFindings function for each enabled server, ingesting the data into custom tables.",
+ "title": "Veeam-CollectSecurityComplianceAnalyzerResult",
+ "description": "A Microsoft Sentinel playbook that automatically collects Veeam Security Compliance Analyzer results from Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetSecurityComplianceAnalyzerResults function for each enabled server, ingesting the data into custom tables.",
"prerequisites": [
"1. Microsoft Sentinel workspace configured.",
"2. Permissions to create Logic Apps and API Connections.",
"3. Permissions to assign roles to the Resource Group.",
"4. Veeam Azure Function App deployed and configured.",
- "5. Coveware Settings watchlist configured in Microsoft Sentinel."
+ "5. VBR Settings watchlist configured in Microsoft Sentinel.",
+ "6. Hybrid Connection and Key Vault secrets configured for each VBR Server."
],
"tags": [
"Automation",
"Veeam",
- "Coveware",
+ "BestPractice",
+ "Analysis",
"Collection"
],
"lastUpdateTime": "2025-08-25T00:00:00Z",
"parameterTemplateVersion": "1.0.0",
"postDeployment": [
"1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the Coveware Settings watchlist is properly configured with 'Collect Coveware Findings' flag set to true."
+ "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Security and Compliance Analyzer Results' flag set to true on servers from which you want to collect data."
],
"releaseNotes": {
"version": "1.0",
@@ -4092,38 +5083,38 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId6')]",
+ "contentId": "[variables('_playbookContentId3')]",
"contentKind": "Playbook",
- "displayName": "Veeam-CollectCovewareFindings",
- "contentProductId": "[variables('_playbookcontentProductId6')]",
- "id": "[variables('_playbookcontentProductId6')]",
- "version": "[variables('playbookVersion6')]"
+ "displayName": "Veeam-CollectSecurityComplianceAnalyzerResult",
+ "contentProductId": "[variables('_playbookcontentProductId3')]",
+ "id": "[variables('_playbookcontentProductId3')]",
+ "version": "[variables('playbookVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName7')]",
+ "name": "[variables('playbookTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-CollectConfigurationBackups Playbook with template version 3.0.2",
+ "description": "Veeam-CollectMalwareEvents Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion7')]",
+ "contentVersion": "[variables('playbookVersion4')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-CollectConfigurationBackups",
+ "defaultValue": "Veeam-CollectMalwareEvents",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
}
},
"functionAppName": {
- "type": "string",
"defaultValue": "",
+ "type": "string",
"metadata": {
"description": "Name of the Azure Function App for Veeam integration"
}
@@ -4135,30 +5126,23 @@
"description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
}
},
- "subscriptionId": {
+ "AzureSentinelConnectionName": {
+ "defaultValue": "azuresentinel-connection",
"type": "string",
- "defaultValue": "[subscription().subscriptionId]",
"metadata": {
- "description": "Subscription ID where resources are deployed"
+ "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
}
},
"resourceGroupName": {
- "type": "string",
"defaultValue": "[resourceGroup().name]",
- "metadata": {
- "description": "Resource group name where Function App is deployed"
- }
- },
- "AzureSentinelConnectionName": {
- "defaultValue": "azuresentinel-connection",
"type": "string",
"metadata": {
- "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
+ "description": "Name of the resource group containing the Microsoft Sentinel workspace"
}
}
},
"variables": {
- "functionAppId": "[[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Web/sites', parameters('functionAppName'))]",
+ "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
"connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
"_connection-1": "[[variables('connection-1')]",
"workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
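Review bot: `functionAppId` on the new side resolves `Microsoft.Web/sites` in the resource group the playbook is deployed to, while the same hunk repurposes `resourceGroupName` to mean the Sentinel workspace's resource group, so the template can no longer point at a Function App that lives elsewhere. In that layout every Function action would reference a site ID that does not exist, and collection would fail. Consider a dedicated parameter (say `functionAppResourceGroupName`, defaulting to the deployment resource group) used as `"functionAppId": "[[resourceId(parameters('functionAppResourceGroupName'), 'Microsoft.Web/sites', parameters('functionAppName'))]"`. `functionAppName` also still defaults to an empty string; adding `"minLength": 1` would reject that at validation time. The `variables` object continues outside this hunk.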
@@ -4188,7 +5172,7 @@
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-StartConfigurationBackup",
+ "hidden-SentinelTemplateName": "Veeam-CollectMalwareEvents",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
@@ -4217,17 +5201,21 @@
"type": "String"
},
"subscriptionId": {
- "defaultValue": "[[parameters('subscriptionId')]",
+ "defaultValue": "[[subscription().subscriptionId]",
"type": "String"
}
},
"triggers": {
- "Every_24_Hours": {
- "type": "Recurrence",
+ "Every_1_day": {
"recurrence": {
- "interval": 24,
- "frequency": "Hour"
- }
+ "interval": 1,
+ "frequency": "Day"
+ },
+ "evaluatedRecurrence": {
+ "interval": 1,
+ "frequency": "Day"
+ },
+ "type": "Recurrence"
}
},
"actions": {
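Review bot: `Every_1_day` polls once per 24 hours, so a malware detection raised on the backup server can wait up to a day before it reaches the workspace and any analytics rule built on it; the Coveware collector later in this diff already runs `Every_6_hours`. Exposing the interval as a template parameter, or shortening it, would bound that delay. The `evaluatedRecurrence` object looks like residue from an exported workflow (the service appears to write it back from `recurrence`), so it can probably be dropped here and in the two other collectors' triggers to keep the schedule defined in one place. No `startTime` or `timeZone` is set, so the first run depends on when the Logic App is enabled.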
@@ -4272,7 +5260,7 @@
"Base URL": {
"type": "string"
},
- "Collect Configuration Backups": {
+ "Collect Malware Events": {
"type": "string"
},
"Key Vault Password ID": {
@@ -4311,7 +5299,7 @@
"Base URL": {
"type": "string"
},
- "Collect Configuration Backups": {
+ "Collect Malware Events": {
"type": "string"
},
"Key Vault Password ID": {
@@ -4326,240 +5314,16 @@
}
}
},
- "If_configuration_backup_collection_is_enabled": {
+ "If_malware_event_collection_is_enabled": {
"actions": {
- "StartConfigurationBackupAsync": {
+ "Collect_Malware_Events_into_VeeamMalwareEventsTable_CL": {
"type": "Function",
"inputs": {
"queries": {
"vbrHostName": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']"
},
"function": {
- "id": "[[concat(variables('functionAppId'), '/functions/StartConfigurationBackupAsync')]"
- }
- }
- },
- "Parse_sessionId": {
- "runAfter": {
- "StartConfigurationBackupAsync": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@outputs('StartConfigurationBackupAsync')",
- "schema": {
- "type": "object",
- "properties": {
- "statusCode": {
- "type": "integer"
- },
- "headers": {
- "type": "object",
- "properties": {
- "Date": {
- "type": "string"
- },
- "Transfer-Encoding": {
- "type": "string"
- },
- "Strict-Transport-Security": {
- "type": "string"
- },
- "x-ms-middleware-request-id": {
- "type": "string"
- },
- "Content-Type": {
- "type": "string"
- },
- "Content-Length": {
- "type": "string"
- }
- }
- },
- "body": {
- "type": "object",
- "properties": {
- "sessionType": {
- "type": "integer"
- },
- "state": {
- "type": "integer"
- },
- "id": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "jobId": {
- "type": "string"
- },
- "creationTime": {
- "type": "string"
- },
- "progressPercent": {
- "type": "integer"
- },
- "result": {
- "type": "object",
- "properties": {
- "result": {
- "type": "integer"
- },
- "message": {
- "type": "string"
- },
- "isCanceled": {
- "type": "boolean"
- }
- }
- },
- "usn": {
- "type": "integer"
- }
- }
- }
- }
- }
- }
- },
- "Until_state_is_not_stopped": {
- "actions": {
- "GetSession": {
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']",
- "sessionId": "@body('Parse_sessionId')?['body']?['id']"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]"
- }
- }
- },
- "Parse_session": {
- "runAfter": {
- "GetSession": [
- "Succeeded"
- ]
- },
- "type": "ParseJson",
- "inputs": {
- "content": "@outputs('GetSession')",
- "schema": {
- "type": "object",
- "properties": {
- "statusCode": {
- "type": "integer"
- },
- "headers": {
- "type": "object",
- "properties": {
- "Date": {
- "type": "string"
- },
- "Transfer-Encoding": {
- "type": "string"
- },
- "Request-Context": {
- "type": "string"
- },
- "Content-Type": {
- "type": "string"
- },
- "Content-Length": {
- "type": "string"
- }
- }
- },
- "body": {
- "type": "object",
- "properties": {
- "sessionType": {
- "type": "integer"
- },
- "state": {
- "type": "integer"
- },
- "id": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "jobId": {
- "type": "string"
- },
- "creationTime": {
- "type": "string"
- },
- "progressPercent": {
- "type": "integer"
- },
- "result": {
- "type": "object",
- "properties": {
- "result": {
- "type": "integer"
- },
- "message": {
- "type": "string"
- },
- "isCanceled": {
- "type": "boolean"
- }
- }
- },
- "usn": {
- "type": "integer"
- }
- }
- }
- }
- }
- }
- },
- "Delay": {
- "runAfter": {
- "Parse_session": [
- "Succeeded"
- ]
- },
- "type": "Wait",
- "inputs": {
- "interval": {
- "count": 1,
- "unit": "Minute"
- }
- }
- }
- },
- "runAfter": {
- "Parse_sessionId": [
- "Succeeded"
- ]
- },
- "expression": "@equals(body('Parse_session')?['body']?['state'],1)",
- "limit": {
- "timeout": "PT30M"
- },
- "type": "Until"
- },
- "IngestSessionDataBySessionIdAsync": {
- "runAfter": {
- "Until_state_is_not_stopped": [
- "Succeeded"
- ]
- },
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']",
- "sessionId": "@body('Parse_sessionId')?['body']?['id']"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/IngestSessionDataBySessionIdAsync')]"
+ "id": "[[concat(variables('functionAppId'), '/functions/GetAllMalwareEventsAsync')]"
}
}
}
@@ -4571,9 +5335,9 @@
},
"else": {
"actions": {
- "Print_server_info": {
+ "Print_baseUrl": {
"type": "Compose",
- "inputs": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']"
+ "inputs": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Base URL']"
}
}
},
@@ -4581,7 +5345,7 @@
"and": [
{
"equals": [
- "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']",
+ "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']",
"true"
]
}
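Review bot: The condition compares the watchlist value with the literal string `"true"`, and Logic Apps string `equals` is case-sensitive, so a row holding `True` or `TRUE` takes the `else` branch and that server is skipped without any failed run to notice. For a malware-event collector that is a silent gap in coverage. Normalising the left operand, e.g. `"@toLower(coalesce(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'], ''))"`, makes the flag tolerant of how the watchlist was filled in. The same comparison is used for `Collect Alarms` in the Veeam ONE playbook and, presumably, for the Coveware flag later in this diff. The `expression` object starts and ends outside this hunk.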
@@ -4620,12 +5384,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId7')]",
- "contentId": "[variables('_playbookContentId7')]",
+ "parentId": "[variables('playbookId4')]",
+ "contentId": "[variables('_playbookContentId4')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion7')]",
+ "version": "[variables('playbookVersion4')]",
"source": {
"kind": "Solution",
"name": "Veeam",
@@ -4645,8 +5409,8 @@
}
],
"metadata": {
- "title": "Veeam-CollectConfigurationBackups",
- "description": "A Microsoft Sentinel playbook that automatically runs configuration backup sessions on Veeam Backup & Replication servers on schedule. The playbook gets Veeam Backup & Replication settings from the watchlist, runs the configuration backup session, and collects the session result.",
+ "title": "Veeam-CollectMalwareEvents",
+ "description": "A Microsoft Sentinel playbook that automatically collects malware events from Veeam Backup & Replication servers on a schedule. The playbook gets Veeam Backup & Replication settings from watchlist and calls the GetMalwareEvents function for each enabled server, ingesting the data into custom tables.",
"prerequisites": [
"1. Microsoft Sentinel workspace configured.",
"2. Permissions to create Logic Apps and API Connections.",
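Review bot: The new description names a `GetMalwareEvents` function, but the workflow in this diff calls `/functions/GetAllMalwareEventsAsync`; the Veeam ONE description further down has the same mismatch (`GetVoneAlarms` versus `/functions/GetAllTriggeredAlarmsAsync`). Anyone auditing what the Function App exposes will search for names that do not exist. Suggested wording for this one: `...gets Veeam Backup & Replication settings from the watchlist and calls the GetAllMalwareEventsAsync function for each enabled server, ingesting the data into custom tables.`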
@@ -4658,21 +5422,15 @@
"tags": [
"Automation",
"Veeam",
- "Configuration",
- "Backup",
- "Scheduled"
+ "Malware",
+ "Collection"
],
"lastUpdateTime": "2025-08-25T00:00:00Z",
"parameterTemplateVersion": "1.0.0",
"postDeployment": [
"1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
- "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Configuration Backups' flag set to true on servers from which you want to collect data."
+ "2. Ensure the VBR Settings watchlist is properly configured with the 'Collect Malware Events' flag set to true on servers from which you want to collect data."
],
- "_generator": {
- "name": "bicep",
- "version": "0.36.177.2456",
- "templateHash": "8701067040678761767"
- },
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
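Review bot: Step 1 grants the Logic App's managed identity Microsoft Sentinel Contributor, yet the only Sentinel connector call visible for these collectors is a `get` on the watchlist's `watchlistItems`; ingestion appears to go through the Function App. If that holds for the whole workflow (its first actions are outside the visible hunks), a read-only role should be enough. The step could then read `"1. Assign the Microsoft Sentinel Reader role to the Logic App's managed identity on the Microsoft Sentinel workspace."`. The same step is repeated in the Veeam ONE playbook's `postDeployment` list. Confirm against the connector's documented permission requirements before changing it.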
@@ -4687,48 +5445,62 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId7')]",
+ "contentId": "[variables('_playbookContentId4')]",
"contentKind": "Playbook",
- "displayName": "Veeam-CollectConfigurationBackups",
- "contentProductId": "[variables('_playbookcontentProductId7')]",
- "id": "[variables('_playbookcontentProductId7')]",
- "version": "[variables('playbookVersion7')]"
+ "displayName": "Veeam-CollectMalwareEvents",
+ "contentProductId": "[variables('_playbookcontentProductId4')]",
+ "id": "[variables('_playbookcontentProductId4')]",
+ "version": "[variables('playbookVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName8')]",
+ "name": "[variables('playbookTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-FindCleanRestorePoints Playbook with template version 3.0.2",
+ "description": "Veeam-CollectVeeamONEAlarms Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion8')]",
+ "contentVersion": "[variables('playbookVersion5')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-FindCleanRestorePoints",
+ "defaultValue": "Veeam-CollectVeeamONEAlarms",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
}
},
"functionAppName": {
- "type": "string",
"defaultValue": "",
+ "type": "string",
"metadata": {
"description": "Name of the Azure Function App for Veeam integration"
}
},
- "AzureSentinelConnectionName": {
+ "workspaceId": {
+ "defaultValue": "",
"type": "string",
+ "metadata": {
+ "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
+ }
+ },
+ "AzureSentinelConnectionName": {
"defaultValue": "azuresentinel-connection",
+ "type": "string",
"metadata": {
"description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
}
+ },
+ "resourceGroupName": {
+ "defaultValue": "[resourceGroup().name]",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the resource group containing the Microsoft Sentinel workspace"
+ }
}
},
"variables": {
@@ -4762,7 +5534,7 @@
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-FindCleanRestorePoints",
+ "hidden-SentinelTemplateName": "Veeam-CollectVeeamONEAlarms",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
@@ -4777,276 +5549,196 @@
"parameters": {
"$connections": {
"type": "Object"
+ },
+ "functionAppName": {
+ "defaultValue": "[[parameters('functionAppName')]",
+ "type": "String"
+ },
+ "workspaceId": {
+ "defaultValue": "[[parameters('workspaceId')]",
+ "type": "String"
+ },
+ "resourceGroupName": {
+ "defaultValue": "[[parameters('resourceGroupName')]",
+ "type": "String"
+ },
+ "subscriptionId": {
+ "defaultValue": "[[subscription().subscriptionId]",
+ "type": "String"
+ },
+ "VoneHostName": {
+ "defaultValue": "vone1",
+ "type": "String"
}
},
"triggers": {
- "Microsoft_Sentinel_incident": {
- "type": "ApiConnectionWebhook",
+ "Every_1_day": {
+ "recurrence": {
+ "interval": 1,
+ "frequency": "Day"
+ },
+ "evaluatedRecurrence": {
+ "interval": 1,
+ "frequency": "Day"
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "Watchlists_-_Get_Veeam_ONE_Settings": {
+ "type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
- "body": {
- "callback_url": "@{listCallbackUrl()}"
- },
- "path": "/incident-creation"
+ "method": "get",
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems"
}
- }
- },
- "actions": {
- "Parse_custom_fields": {
- "foreach": "@triggerBody()?['object']?['properties']?['Alerts']",
+ },
+ "Parse_Veeam_ONE_settings": {
+ "runAfter": {
+ "Watchlists_-_Get_Veeam_ONE_Settings": [
+ "Succeeded"
+ ]
+ },
+ "type": "ParseJson",
+ "inputs": {
+ "content": "@body('Watchlists_-_Get_Veeam_ONE_Settings')",
+ "schema": {
+ "type": "object",
+ "properties": {
+ "properties": {
+ "type": "object",
+ "properties": {
+ "watchlistItems": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "properties.itemsKeyValue": {
+ "type": "object",
+ "properties": {
+ "Veeam Server Name": {
+ "type": "string"
+ },
+ "Base URL": {
+ "type": "string"
+ },
+ "Collect Alarms": {
+ "type": "string"
+ },
+ "Key Vault Password ID": {
+ "type": "string"
+ },
+ "Key Vault Username ID": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ "For_each_Veeam_ONE_server": {
+ "foreach": "@body('Parse_Veeam_ONE_settings')?['properties']?['watchlistItems']",
"actions": {
- "Parse_JSON": {
+ "Parse_current_Veeam_ONE_server": {
"type": "ParseJson",
"inputs": {
- "content": "@items('Parse_custom_fields')?['properties']?['additionalData']?['Custom Details']",
+ "content": "@items('For_each_Veeam_ONE_server')",
"schema": {
"type": "object",
"properties": {
- "VbrHostName": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "MachineDisplayName": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "MachineUuid": {
- "type": "array",
- "items": {
- "type": "string"
- }
- },
- "BackupObjectId": {
- "type": "array",
- "items": {
- "type": "string"
+ "properties.itemsKeyValue": {
+ "type": "object",
+ "properties": {
+ "Veeam Server Name": {
+ "type": "string"
+ },
+ "Base URL": {
+ "type": "string"
+ },
+ "Collect Alarms": {
+ "type": "string"
+ },
+ "Key Vault Password ID": {
+ "type": "string"
+ },
+ "Key Vault Username ID": {
+ "type": "string"
+ }
}
}
}
}
}
},
- "For_each_alert": {
- "foreach": "@outputs('Parse_JSON')?['body']?['VbrHostName']",
+ "If_alarm_collection_is_enabled": {
"actions": {
- "Set_variable_VbrHostName": {
- "type": "SetVariable",
+ "Collect_Vone_Alarms_into_VoneAlarmsTable_CL": {
+ "type": "Function",
"inputs": {
- "name": "VbrHostName",
- "value": "@items('For_each_alert')"
+ "queries": {
+ "voneHostName": "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']"
+ },
+ "function": {
+ "id": "[[concat(variables('functionAppId'), '/functions/GetAllTriggeredAlarmsAsync')]"
+ }
}
}
},
"runAfter": {
- "Parse_JSON": [
+ "Parse_current_Veeam_ONE_server": [
"Succeeded"
]
},
- "type": "Foreach"
- },
- "For_each_alert_2": {
- "foreach": "@outputs('Parse_JSON')?['body']?['MachineDisplayName']",
- "actions": {
- "Set_variable_MachineDisplayName": {
- "type": "SetVariable",
- "inputs": {
- "name": "MachineDisplayName",
- "value": "@item()"
+ "else": {
+ "actions": {
+ "Print_baseUrl": {
+ "type": "Compose",
+ "inputs": "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Base URL']"
}
}
},
- "runAfter": {
- "For_each_alert": [
- "Succeeded"
+ "expression": {
+ "and": [
+ {
+ "equals": [
+ "@body('Parse_current_Veeam_ONE_server')?['properties.itemsKeyValue']?['Collect Alarms']",
+ "true"
+ ]
+ }
]
},
- "type": "Foreach"
+ "type": "If"
}
},
"runAfter": {
- "Initialize_MachineDisplayName": [
+ "Parse_Veeam_ONE_settings": [
"Succeeded"
]
},
"type": "Foreach"
- },
- "Initialize_VbrHostName": {
- "type": "InitializeVariable",
- "inputs": {
- "variables": [
- {
- "name": "VbrHostName",
- "type": "string"
- }
- ]
- }
- },
- "GetLastCleanRestorePoint": {
- "runAfter": {
- "Parse_custom_fields": [
- "Succeeded"
- ]
- },
- "type": "Function",
- "inputs": {
- "queries": {
- "vbrHostName": "@variables('VbrHostName')",
- "VmName": "@variables('MachineDisplayName')"
- },
- "function": {
- "id": "[[concat(variables('functionAppId'), '/functions/GetCleanRestorePointsAsync')]"
- }
- }
- },
- "Are_there_any_clean_restore_points": {
- "actions": {
- "Parse_restore_point": {
- "type": "ParseJson",
- "inputs": {
- "content": "@body('GetLastCleanRestorePoint')",
- "schema": {
- "type": "object",
- "properties": {
- "platformName": {
- "type": "integer"
- },
- "type": {
- "type": "integer"
- },
- "malwareStatus": {
- "type": "integer"
- },
- "id": {
- "type": "string"
- },
- "name": {
- "type": "string"
- },
- "platformId": {
- "type": "string"
- },
- "creationTime": {
- "type": "string"
- },
- "backupId": {
- "type": "string"
- },
- "sessionId": {
- "type": "string"
- },
- "allowedOperations": {
- "type": "array",
- "items": {
- "type": "integer"
- }
- },
- "backupFileId": {
- "type": "string"
- }
- }
- }
- }
- },
- "Add_last_restore_point_comment": {
- "runAfter": {
- "Parse_restore_point": [
- "Succeeded"
- ]
- },
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['azuresentinel']['connectionId']"
- }
- },
- "method": "post",
- "body": {
- "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "
Last clean restore point was created on @{variables('VbrHostName')} on @{body('Parse_restore_point')?['creationTime']}
" - }, - "path": "/Incidents/Comment" - } - } - }, - "runAfter": { - "GetLastCleanRestorePoint": [ - "Succeeded", - "TimedOut", - "Skipped", - "Failed" - ] - }, - "else": { - "actions": { - "Add_no_restore_points_comment": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "No restore points were found on @{variables('VbrHostName')}
" - }, - "path": "/Incidents/Comment" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('GetLastCleanRestorePoint')?['statusCode']", - 404 - ] - } - } - ] - }, - "type": "If" - }, - "Initialize_MachineDisplayName": { - "runAfter": { - "Initialize_VbrHostName": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "MachineDisplayName", - "type": "string" - } - ] - } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionName": "[[parameters('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[parameters('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", + "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" } } } 
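Review bot: The workflow parameter `VoneHostName` (default `vone1`) is declared but no action in this hunk reads it; the host name passed to `GetAllTriggeredAlarmsAsync` comes from the watchlist row's `Veeam Server Name`. A placeholder default that is never used invites an operator to edit it and expect an effect, so it is better removed. `Coveware Server Name` (default `CovewareServer01`) in the next playbook looks like the same leftover, though that workflow is only partly visible here. If either parameter is meant as a fallback when the watchlist is empty, the playbook `description` should say so.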
@@ -5058,12 +5750,12 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
"properties": {
- "parentId": "[variables('playbookId8')]",
- "contentId": "[variables('_playbookContentId8')]",
+ "parentId": "[variables('playbookId5')]",
+ "contentId": "[variables('_playbookContentId5')]",
"kind": "Playbook",
- "version": "[variables('playbookVersion8')]",
+ "version": "[variables('playbookVersion5')]",
"source": {
"kind": "Solution",
"name": "Veeam",
@@ -5083,32 +5775,29 @@
}
],
"metadata": {
- "title": "Veeam-FindCleanRestorePoints",
- "description": "A Microsoft Sentinel playbook with the incident trigger, that finds the last clean restore point for VM, specified in the incident by VbrHostName and MachineDisplayName. If finds a clean restore point, adds its date as incident's comment, and if a clean restore point is not found, adds a comment indicating that.",
+ "title": "Veeam-CollectVeeamONEAlarms",
+ "description": "This Microsoft Sentinel playbook automatically collects Veeam ONE alarms on a schedule. Retrieves Veeam ONE settings from the watchlist and calls the GetVoneAlarms function for each enabled server, ingesting the data into custom tables.",
"prerequisites": [
"1. Microsoft Sentinel workspace configured.",
"2. Permissions to create Logic Apps and API Connections.",
"3. Permissions to assign roles to the Resource Group.",
"4. Veeam Azure Function App deployed and configured.",
- "5. Hybrid Connection and Key Vault secrets configured for each VBR Server."
+ "5. Veeam ONE Settings watchlist configured in Microsoft Sentinel.",
+ "6. Hybrid Connection and Key Vault secrets configured for each Veeam ONE Server."
],
"tags": [
"Automation",
"Veeam",
- "Backup",
- "RestorePoints",
- "Recovery"
+ "VeeamONE",
+ "Alarms",
+ "Collection"
],
"lastUpdateTime": "2025-08-25T00:00:00Z",
"parameterTemplateVersion": "1.0.0",
"postDeployment": [
- "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace."
+ "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.",
+ "2. Ensure the Veeam ONE Settings watchlist is properly configured with the 'Collect Alarms' flag set to true on servers from which you want to collect data."
],
- "_generator": {
- "name": "bicep",
- "version": "0.36.177.2456",
- "templateHash": "8701067040678761767"
- },
"releaseNotes": {
"version": "1.0",
"title": "[variables('blanks')]",
@@ -5123,48 +5812,62 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId8')]",
+ "contentId": "[variables('_playbookContentId5')]",
"contentKind": "Playbook",
- "displayName": "Veeam-FindCleanRestorePoints",
- "contentProductId": "[variables('_playbookcontentProductId8')]",
- "id": "[variables('_playbookcontentProductId8')]",
- "version": "[variables('playbookVersion8')]"
+ "displayName": "Veeam-CollectVeeamONEAlarms",
+ "contentProductId": "[variables('_playbookcontentProductId5')]",
+ "id": "[variables('_playbookcontentProductId5')]",
+ "version": "[variables('playbookVersion5')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName9')]",
+ "name": "[variables('playbookTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Veeam-PerformScanBackup Playbook with template version 3.0.2",
+ "description": "Veeam-CollectCovewareFindings Playbook with template version 3.1.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion9')]",
+ "contentVersion": "[variables('playbookVersion6')]",
"parameters": {
"PlaybookName": {
- "defaultValue": "Veeam-PerformScanBackup",
+ "defaultValue": "Veeam-CollectCovewareFindings",
"type": "string",
"metadata": {
"description": "Name of the playbook (Logic App) to be created"
}
},
"functionAppName": {
- "type": "string",
"defaultValue": "",
+ "type": "string",
"metadata": {
"description": "Name of the Azure Function App for Veeam integration"
}
},
- "AzureSentinelConnectionName": {
+ "workspaceId": {
+ "defaultValue": "",
"type": "string",
+ "metadata": {
+ "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
+ }
+ },
+ "AzureSentinelConnectionName": {
"defaultValue": "azuresentinel-connection",
+ "type": "string",
"metadata": {
"description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
}
+ },
+ "resourceGroupName": {
+ "defaultValue": "[resourceGroup().name]",
+ "type": "string",
+ "metadata": {
+ "description": "Name of the resource group containing the Microsoft Sentinel workspace"
+ }
}
},
"variables": {
@@ -5198,7 +5901,7 @@
"type": "SystemAssigned"
},
"tags": {
- "hidden-SentinelTemplateName": "Veeam-PerformScanBackup",
+ "hidden-SentinelTemplateName": "Veeam-CollectCovewareFindings",
"hidden-SentinelTemplateVersion": "1.0",
"hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
},
@@ -5211,79 +5914,98 @@
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
- "IsYara": {
- "defaultValue": true,
- "type": "Bool"
+ "$connections": {
+ "type": "Object"
},
- "TimeRange": {
- "defaultValue": "1w1d",
+ "functionAppName": {
+ "defaultValue": "[[parameters('functionAppName')]",
"type": "String"
},
- "VbrHostName": {
- "defaultValue": "vbr1",
+ "workspaceId": {
+ "defaultValue": "[[parameters('workspaceId')]",
"type": "String"
},
- "$connections": {
- "type": "Object"
+ "resourceGroupName": {
+ "defaultValue": "[[parameters('resourceGroupName')]",
+ "type": "String"
+ },
+ "subscriptionId": {
+ "defaultValue": "[[subscription().subscriptionId]",
+ "type": "String"
+ },
+ "Coveware Server Name": {
+ "defaultValue": "CovewareServer01",
+ "type": "String"
}
},
"triggers": {
- "Microsoft_Sentinel_incident": {
- "type": "ApiConnectionWebhook",
+ "Every_6_hours": {
+ "recurrence": {
+ "interval": 6,
+ "frequency": "Hour"
+ },
+ "evaluatedRecurrence": {
+ "interval": 6,
+ "frequency": "Hour"
+ },
+ "type": "Recurrence"
+ }
+ },
+ "actions": {
+ "Watchlists_-_Get_Coveware_Settings": {
+ "type": "ApiConnection",
"inputs": {
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
- "body": {
- "callback_url": "@listCallbackUrl()"
- },
- "path": "/incident-creation"
+ "method": "get",
+ "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('coveware_settings')}/watchlistItems"
}
- }
- },
- "actions": {
- "Parse_sessionId": {
+ },
+ "Parse_Coveware_Settings": {
"runAfter": {
- "Add_comment_to_incident": [
+ "Watchlists_-_Get_Coveware_Settings": [
"Succeeded"
]
},
"type": "ParseJson",
"inputs": {
- "content": "@outputs('StartBackupScanAV')",
+ "content": "@body('Watchlists_-_Get_Coveware_Settings')",
"schema": {
"type": "object",
"properties": {
- "statusCode": {
- "type": "integer"
- },
- "headers": {
- "type": "object",
- "properties": {
- "Date": {
- "type": "string"
- },
- "Transfer-Encoding": {
- "type": "string"
- },
- "Request-Context": {
- "type": "string"
- },
- "Content-Type": {
- "type": "string"
- },
- "Content-Length": {
- "type": "string"
- }
- }
- },
- "body": {
+ "properties": {
"type": "object",
"properties": {
- "sessionId": {
- "type": "string"
+ "watchlistItems": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "properties.itemsKeyValue": {
+ "type": "object",
+ "properties": {
+ "Coveware Server Name": {
+ "type": "string"
+ },
+ "Base URL": {
+ "type": "string"
+ },
+ "Collect Coveware Findings": {
+ "type": "string"
+ },
+ "Key Vault Password ID": {
+ "type": "string"
+ },
+ "Key Vault Username ID": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
}
}
}
@@ -5291,320 +6013,86 @@ } } }, - "Until_state_is_not_Stopped": { + "For_each_Coveware_Server": { + "foreach": "@body('Parse_Coveware_Settings')?['properties']?['watchlistItems']", "actions": { - "Parse_session": { - "runAfter": { - "GetSession_": [ - "Succeeded" - ] - }, + "Parse_current_Coveware_Server": { "type": "ParseJson", "inputs": { - "content": "@body('GetSession_')", + "content": "@items('For_each_Coveware_Server')", "schema": { "type": "object", "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": "integer" - }, - "platformName": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" - }, - "result": { + "properties.itemsKeyValue": { "type": "object", "properties": { - "result": { - "type": "integer" + "Coveware Server Name": { + "type": "string" }, - "message": { + "Base URL": { "type": "string" }, - "isCanceled": { - "type": "boolean" + "Collect Coveware Findings": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" } } - }, - "usn": { - "type": "integer" - }, - "platformId": { - "type": "string" - } - } - } - } - }, - "GetSession_": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@variables('VbrHostName')", - "sessionId": "@body('Parse_sessionId')?['body']?['sessionId']" - }, - "function": { - "id": "[[format('{0}/functions/GetSessionAsync', variables('functionAppId'))]" - } - } - }, - "Delay": { - "runAfter": { - "Parse_session": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 3, - "unit": "Minute" - } - } - } - }, - "runAfter": { - "Parse_sessionId": [ - "Succeeded" - ] - }, - "expression": "@equals(body('Parse_session')?['state'],1)", - "limit": { - "timeout": "PT3H" - }, - "type": "Until" - }, - 
"Get_variables_from_custom_fields": { - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", - "actions": { - "Parse_custom_fields": { - "type": "ParseJson", - "inputs": { - "content": "@items('Get_variables_from_custom_fields')?['properties']?['additionalData']?['Custom Details']", - "schema": { - "type": "object", - "properties": { - "VbrHostName": { - "type": "array", - "items": { - "type": "string" - } - }, - "MachineDisplayName": { - "type": "array", - "items": { - "type": "string" - } - }, - "MachineUuid": { - "type": "array", - "items": { - "type": "string" - } - }, - "BackupObjectId": { - "type": "array", - "items": { - "type": "string" - } } } } } }, - "Get_VbrHostName": { - "foreach": "@outputs('Parse_custom_fields')?['body']?['VbrHostName']", + "If_Coveware_findings_collection_is_enabled": { "actions": { - "Set_VbrHostName": { - "type": "SetVariable", + "Collect_Coveware_Findings_into_CovewareFindingsTable_CL": { + "type": "Function", "inputs": { - "name": "VbrHostName", - "value": "@items('Get_VbrHostName')" + "queries": { + "covewareServerName": "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Coveware Server Name']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetAllCovewareFindingsAsync')]" + } } } }, "runAfter": { - "Parse_custom_fields": [ + "Parse_current_Coveware_Server": [ "Succeeded" ] }, - "type": "Foreach" - }, - "Get_BackupObjectId": { - "foreach": "@outputs('Parse_custom_fields')?['body']?['BackupObjectId']", - "actions": { - "Set_BackupObjectId": { - "type": "SetVariable", - "inputs": { - "name": "BackupObjectId", - "value": "@items('Get_BackupObjectId')" + "else": { + "actions": { + "Print_baseUrl": { + "type": "Compose", + "inputs": "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Base URL']" } } }, - "runAfter": { - "Get_VbrHostName": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Get_MachineDispalyName": { - "foreach": 
"@body('Parse_custom_fields')?['MachineDisplayName']", - "actions": { - "Set_MachineDispalyName": { - "type": "SetVariable", - "inputs": { - "name": "MachineDisplayName", - "value": "@items('Get_MachineDispalyName')" + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_current_Coveware_Server')?['properties.itemsKeyValue']?['Collect Coveware Findings']", + "true" + ] } - } - }, - "runAfter": { - "Get_BackupObjectId": [ - "Succeeded" ] }, - "type": "Foreach" + "type": "If" } }, "runAfter": { - "Initialize_MachineDisplayName": [ + "Parse_Coveware_Settings": [ "Succeeded" ] }, "type": "Foreach" - }, - "Initialize_VbrHostName": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "VbrHostName", - "type": "string", - "value": "none" - } - ] - } - }, - "StartBackupScanAV": { - "runAfter": { - "Get_variables_from_custom_fields": [ - "Succeeded" - ] - }, - "type": "Function", - "inputs": { - "queries": { - "VbrHostName": "@variables('VbrHostName')", - "backupObjectId": "@variables('BackupObjectId')", - "vmName": "@variables('MachineDisplayName')" - }, - "function": { - "id": "[[format('{0}/functions/StartBackupScanAV', variables('functionAppId'))]" - } - } - }, - "Initialize_BackupObjectId": { - "runAfter": { - "Initialize_VbrHostName": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "BackupObjectId", - "type": "string", - "value": "none" - } - ] - } - }, - "Initialize_MachineDisplayName": { - "runAfter": { - "Initialize_BackupObjectId": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "MachineDisplayName", - "type": "string", - "value": "none" - } - ] - } - }, - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Result": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - 
"incidentArmId": "@triggerBody()?['object']?['id']", - "message": "AV scan for @{variables('MachineDisplayName')} has finished. Details: @{body('Parse_session')?['result']?['message']}.
Incident has been resolved, so you can close it.
" - }, - "path": "/Incidents/Comment" - } - }, - "Result": { - "runAfter": { - "Until_state_is_not_Stopped": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@body('Parse_session')?['result']" - }, - "Add_comment_to_incident": { - "runAfter": { - "StartBackupScanAV": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "AV scan for @{variables('MachineDisplayName')} has been started.
" - }, - "path": "/Incidents/Comment" - } } } }, @@ -5614,7 +6102,7 @@ "azuresentinel": { "connectionName": "[[parameters('AzureSentinelConnectionName')]", "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", - "id": "[[format('/subscriptions/{0}/providers/Microsoft.Web/locations/{1}/managedApis/azuresentinel', subscription().subscriptionId, variables('workspace-location-inline'))]", + "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", "connectionProperties": { "authentication": { "type": "ManagedServiceIdentity" @@ -5629,12 +6117,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", "properties": { - "parentId": "[variables('playbookId9')]", - "contentId": "[variables('_playbookContentId9')]", + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", "kind": "Playbook", - "version": "[variables('playbookVersion9')]", + "version": "[variables('playbookVersion6')]", "source": { "kind": "Solution", "name": "Veeam", 
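Review bot: The condition in `If_Coveware_findings_collection_is_enabled` compares the watchlist value to the literal string `"true"`, and that comparison is presumably case-sensitive. A row carrying `True` or `TRUE` would then take the else branch and collection for that server stops with no error, which leaves a quiet gap in the findings table. Wrapping the left operand in `toLower(...)` would tolerate the spellings an operator is likely to type into a watchlist CSV. The else branch's `Print_baseUrl` Compose only writes the server's `Base URL` to run history and reads like debugging residue. Nothing after `Collect_Coveware_Findings_into_CovewareFindingsTable_CL` reports a failed function call, so a per-server failure only shows up as a failed run.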
@@ -5654,26 +6142,26 @@ } ], "metadata": { - "title": "Veeam-PerformScanBackup", - "description": "This Microsoft Sentinel playbook with an incident trigger performs antivirus scan on Veeam backup using VbrHostName, BackupObjectId, MachineDisplayName custom incident fields to identify backup. Indicates results as incident comments.", + "title": "Veeam-CollectCovewareFindings", + "description": "This Microsoft Sentinel playbook automatically collects Coveware findings on a schedule. Retrieves Coveware settings from watchlist and calls the GetCovewareFindings function for each enabled server, ingesting the data into custom tables.", "prerequisites": [ "1. Microsoft Sentinel workspace configured.", "2. Permissions to create Logic Apps and API Connections.", "3. Permissions to assign roles to the Resource Group.", "4. Veeam Azure Function App deployed and configured.", - "5. Hybrid Connection and Key Vault secrets configured for each VBR Server." + "5. Coveware Settings watchlist configured in Microsoft Sentinel." ], "tags": [ "Automation", "Veeam", - "Backup", - "Antivirus", - "Scan" + "Coveware", + "Collection" ], "lastUpdateTime": "2025-08-25T00:00:00Z", "parameterTemplateVersion": "1.0.0", "postDeployment": [ - "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace." + "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.", + "2. Ensure the Coveware Settings watchlist is properly configured with 'Collect Coveware Findings' flag set to true." ], "releaseNotes": { "version": "1.0", 
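Review bot: The `postDeployment` step asks for the Microsoft Sentinel Contributor role on the workspace, but the only Sentinel call this playbook makes in the visible workflow is a `get` on the `coveware_settings` watchlist items. A read-only role such as Microsoft Sentinel Reader looks sufficient for that and would keep a scheduled, unattended identity from being able to modify incidents, rules or the watchlist it is driven by; please confirm against the connector's role requirements and lower the instruction if so. The `description` also names a `GetCovewareFindings` function while the workflow calls `GetAllCovewareFindingsAsync`, so one of the two should be corrected.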
@@ -5689,30 +6177,30 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId9')]", + "contentId": "[variables('_playbookContentId6')]", "contentKind": "Playbook", - "displayName": "Veeam-PerformScanBackup", - "contentProductId": "[variables('_playbookcontentProductId9')]", - "id": "[variables('_playbookcontentProductId9')]", - "version": "[variables('playbookVersion9')]" + "displayName": "Veeam-CollectCovewareFindings", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName10')]", + "name": "[variables('playbookTemplateSpecName7')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Veeam-PerformInstantVMRecovery Playbook with template version 3.0.2", + "description": "Veeam-CollectConfigurationBackups Playbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion10')]", + "contentVersion": "[variables('playbookVersion7')]", "parameters": { "PlaybookName": { - "defaultValue": "Veeam-PerformInstantVMRecovery", + "defaultValue": "Veeam-CollectConfigurationBackups", "type": "string", "metadata": { "description": "Name of the playbook (Logic App) to be created" 
@@ -5725,16 +6213,37 @@ "description": "Name of the Azure Function App for Veeam integration" } }, - "AzureSentinelConnectionName": { + "workspaceId": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel" + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID where resources are deployed" + } + }, + "resourceGroupName": { "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Resource group name where Function App is deployed" + } + }, + "AzureSentinelConnectionName": { "defaultValue": "azuresentinel-connection", + "type": "string", "metadata": { "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)" } } }, "variables": { - "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]", + "functionAppId": "[[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Web/sites', parameters('functionAppName'))]", "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-1": "[[variables('connection-1')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", @@ -5764,7 +6273,7 @@ "type": "SystemAssigned" }, "tags": { - "hidden-SentinelTemplateName": "Veeam-PerformInstantVMRecovery", + "hidden-SentinelTemplateName": "Veeam-StartConfigurationBackup", "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, 
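Review bot: The new `resourceGroupName` parameter is documented as "Resource group name where Function App is deployed" and feeds `functionAppId`, but the workflow in the following hunk also places it in the watchlist path as the workspace's resource group. If the Function App and the Sentinel workspace live in different resource groups, one of the two lookups will point at the wrong place. Either split it into two parameters or state in the description that both must share a resource group. `workspaceId` defaults to an empty string, which deploys cleanly and then fails on the first scheduled run. Dropping the default would force the deployer to supply it. Its description says "Workspace ID (GUID)" while the path segment `/workspaces/...` may expect the workspace name, which is worth verifying.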
@@ -5775,482 +6284,403 @@ "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.1.0", + "contentVersion": "1.0.0.0", "parameters": { "$connections": { "type": "Object" + }, + "functionAppName": { + "defaultValue": "[[parameters('functionAppName')]", + "type": "String" + }, + "workspaceId": { + "defaultValue": "[[parameters('workspaceId')]", + "type": "String" + }, + "resourceGroupName": { + "defaultValue": "[[parameters('resourceGroupName')]", + "type": "String" + }, + "subscriptionId": { + "defaultValue": "[[parameters('subscriptionId')]", + "type": "String" } }, "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "body": { - "callback_url": "@listCallbackUrl()" - }, - "path": "/incident-creation" + "Every_24_Hours": { + "type": "Recurrence", + "recurrence": { + "interval": 24, + "frequency": "Hour" } } }, "actions": { - "Initialize_VbrHostName": { - "type": "InitializeVariable", + "Watchlists_-_Get_VBR_Settings": { + "type": "ApiConnection", "inputs": { - "variables": [ - { - "name": "VbrHostName", - "type": "string", - "value": "none" + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } - ] + }, + "method": "get", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems" } }, - "Initialize_MachineDisplayName": { + "Parse_VBR_settings": { "runAfter": { - "Initialize_VbrHostName": [ + "Watchlists_-_Get_VBR_Settings": [ "Succeeded" ] }, - "type": "InitializeVariable", + "type": "ParseJson", "inputs": { - 
"variables": [ - { - "name": "MachineDisplayName", - "type": "string", - "value": "none" - } - ] - } - }, - "Get_variables_from_custom_fields": { - "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", - "actions": { - "Parse_custom_fields": { - "type": "ParseJson", - "inputs": { - "content": "@items('Get_variables_from_custom_fields')?['properties']?['additionalData']?['Custom Details']", - "schema": { + "content": "@body('Watchlists_-_Get_VBR_Settings')", + "schema": { + "type": "object", + "properties": { + "properties": { "type": "object", "properties": { - "VbrHostName": { - "type": "array", - "items": { - "type": "string" - } - }, - "MachineDisplayName": { - "type": "array", - "items": { - "type": "string" - } - }, - "MachineUuid": { - "type": "array", - "items": { - "type": "string" - } - }, - "BackupObjectId": { + "watchlistItems": { "type": "array", "items": { - "type": "string" + "type": "object", + "properties": { + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Configuration Backups": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + } + } + } + } } } } } } - }, - "Get_VbrHostName": { - "foreach": "@outputs('Parse_custom_fields')?['body']?['VbrHostName']", - "actions": { - "Set_VbrHostName": { - "type": "SetVariable", - "inputs": { - "name": "VbrHostName", - "value": "@items('Get_VbrHostName')" - } - } - }, - "runAfter": { - "Parse_custom_fields": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Get_MachineDispalyName": { - "foreach": "@body('Parse_custom_fields')?['MachineDisplayName']", - "actions": { - "Set_MachineDispalyName": { - "type": "SetVariable", - "inputs": { - "name": "MachineDisplayName", - "value": "@items('Get_MachineDispalyName')" - } - } - }, - "runAfter": { - "Get_VbrHostName": [ - "Succeeded" - ] - }, - "type": "Foreach" 
- } - }, - "runAfter": { - "Initialize_MachineDisplayName": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "GetLastCleanRestorePointForVMAsync": { - "runAfter": { - "Get_variables_from_custom_fields": [ - "Succeeded" - ] - }, - "type": "Function", - "inputs": { - "queries": { - "VbrHostName": "@variables('VbrHostName')", - "vmName": "@variables('MachineDisplayName')" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetCleanRestorePointsAsync')]" } } }, - "Does_clean_restore_point_exist": { - "runAfter": { - "GetLastCleanRestorePointForVMAsync": [ - "Succeeded", - "TimedOut", - "Skipped", - "Failed" - ] - }, - "else": { - "actions": { - "Add_comment": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "For_each_VBR_server": { + "foreach": "@body('Parse_VBR_settings')?['properties']?['watchlistItems']", + "actions": { + "Parse_current_VBR_server": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_VBR_server')", + "schema": { + "type": "object", + "properties": { + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Configuration Backups": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + } + } } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "No clean restore points were found for @{variables('MachineDisplayName')}.
" - }, - "path": "/Incidents/Comment" - } - }, - "Terminate": { - "runAfter": { - "Add_comment": [ - "Succeeded" - ] - }, - "type": "Terminate", - "inputs": { - "runStatus": "Cancelled" - } - } - } - }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@outputs('GetLastCleanRestorePointForVMAsync')?['statusCode']", - 404 - ] - } - } - ] - }, - "type": "If" - }, - "Parse_restorePointId": { - "runAfter": { - "Does_clean_restore_point_exist": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('GetLastCleanRestorePointForVMAsync')", - "schema": { - "type": "object", - "properties": { - "platformName": { - "type": "integer" - }, - "type": { - "type": "integer" - }, - "malwareStatus": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "platformId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "backupId": { - "type": "string" - }, - "sessionId": { - "type": "string" - }, - "allowedOperations": { - "type": "array", - "items": { - "type": "integer" } - }, - "backupFileId": { - "type": "string" } } - } - } - }, - "StartInstantVMRecoveryAsync": { - "runAfter": { - "Parse_restorePointId": [ - "Succeeded" - ] - }, - "type": "Function", - "inputs": { - "queries": { - "VbrHostName": "@variables('VbrHostName')", - "restorePointId": "@body('Parse_restorePointId')?['id']" }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/StartInstantVMRecoveryAsync')]" - } - } - }, - "Parse_sessionId": { - "runAfter": { - "StartInstantVMRecoveryAsync": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('StartInstantVMRecoveryAsync')", - "schema": { - "type": "object", - "properties": { - "data": { - "type": "object", - "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - 
"creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" - }, - "result": { - "type": "object", - "properties": { - "result": { - "type": "integer" - }, - "message": { - "type": "string" - } - } + "If_configuration_backup_collection_is_enabled": { + "actions": { + "StartConfigurationBackupAsync": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']" }, - "usn": { - "type": "integer" + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/StartConfigurationBackupAsync')]" } } - } - } - } - } - }, - "Add_comment_to_incident": { - "runAfter": { - "Parse_sessionId": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Instant VM recovery has started for @{variables('MachineDisplayName')} and restore point @{body('Parse_restorePointId')?['id']}.
" - }, - "path": "/Incidents/Comment" - } - }, - "Until_state_is_not_Stopped": { - "actions": { - "GetSession_": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@variables('VbrHostName')", - "sessionId": "@body('Parse_sessionId')?['data']?['id']" }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" - } - } - }, - "Parse_session": { - "runAfter": { - "GetSession_": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('GetSession_')", - "schema": { - "type": "object", - "properties": { - "data": { + "Parse_sessionId": { + "runAfter": { + "StartConfigurationBackupAsync": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@outputs('StartConfigurationBackupAsync')", + "schema": { "type": "object", "properties": { - "sessionType": { - "type": "integer" - }, - "state": { + "statusCode": { "type": "integer" }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" + "headers": { + "type": "object", + "properties": { + "Date": { + "type": "string" + }, + "Transfer-Encoding": { + "type": "string" + }, + "Strict-Transport-Security": { + "type": "string" + }, + "x-ms-middleware-request-id": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Content-Length": { + "type": "string" + } + } }, - "result": { + "body": { "type": "object", "properties": { - "result": { + "sessionType": { "type": "integer" }, - "message": { + "state": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, + "creationTime": { "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { + "type": "object", + "properties": { + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": 
"boolean" + } + } + }, + "usn": { + "type": "integer" } } - }, - "usn": { - "type": "integer" } } } } - } - } - }, - "Delay": { - "runAfter": { - "Parse_session": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 3, - "unit": "Minute" - } - } - } - }, - "runAfter": { - "Add_comment_to_incident": [ - "Succeeded" - ] - }, - "expression": "@equals(body('Parse_session')?['state'],1)", - "limit": { - "timeout": "PT3H" - }, - "type": "Until" - }, - "Result": { - "runAfter": { - "Until_state_is_not_Stopped": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@body('Parse_session')?['result']" - }, - "Add_comment_to_incident_(V3)": { - "runAfter": { - "Result": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Instant VM recovery for @{variables('MachineDisplayName')} has finished. Details: @{body('Parse_session')?['result']}.
Alarm with ID @{variables('TriggeredAlarmId')} has been successfully resolved on @{variables('VoneHostName')}.
" + "message": "Last clean restore point was created on @{variables('VbrHostName')} on @{body('Parse_restore_point')?['creationTime']}
" }, "path": "/Incidents/Comment" } } }, "runAfter": { - "ResolveTriggeredAlarm": [ + "GetLastCleanRestorePoint": [ "Succeeded", "TimedOut", "Skipped", @@ -6574,7 +7072,7 @@ }, "else": { "actions": { - "Add_failure_comment": { + "Add_no_restore_points_comment": { "type": "ApiConnection", "inputs": { "host": { @@ -6585,7 +7083,7 @@ "method": "post", "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Alarm with ID @{variables('TriggeredAlarmId')} has not been resolved on @{variables('VoneHostName')}. Reason: Function call failed or returned an error.
" + "message": "No restore points were found on @{variables('VbrHostName')}
" }, "path": "/Incidents/Comment" } @@ -6597,22 +7095,30 @@ { "not": { "equals": [ - "@outputs('ResolveTriggeredAlarm')?['statusCode']", + "@outputs('GetLastCleanRestorePoint')?['statusCode']", 404 ] } - }, - { - "not": { - "equals": [ - "@outputs('ResolveTriggeredAlarm')?['statusCode']", - 500 - ] - } } ] }, "type": "If" + }, + "Initialize_MachineDisplayName": { + "runAfter": { + "Initialize_VbrHostName": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MachineDisplayName", + "type": "string" + } + ] + } } } }, @@ -6637,12 +7143,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", "properties": { - "parentId": "[variables('playbookId11')]", - "contentId": "[variables('_playbookContentId11')]", + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", "kind": "Playbook", - "version": "[variables('playbookVersion11')]", + "version": "[variables('playbookVersion8')]", "source": { "kind": "Solution", "name": "Veeam", 
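Review bot: The `If` expression treats anything other than status 404 from `GetLastCleanRestorePoint` as "restore point found", while its `runAfter` (in the context above this hunk) also accepts `TimedOut`, `Skipped` and `Failed`. A 500, a timeout or a skipped call therefore appears to fall into the success branch and post "Last clean restore point was created on ..." with an empty date. An analyst could read that comment as confirmation that a clean restore point exists. Testing for success explicitly is safer, for example `"equals": ["@outputs('GetLastCleanRestorePoint')?['statusCode']", 200]`, with a separate comment for the failure case. The `If` action's body starts outside this hunk, so the success branch is inferred from the earlier hunk's message text.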
@@ -6662,8 +7168,8 @@ } ], "metadata": { - "title": "Veeam-ResolveTriggeredAlarm", - "description": "A Microsoft Sentinel playbook with an incident trigger that resolves Veeam ONE alarms (identified by TriggeredAlarmId custom incident field) on the Veeam ONE server specified by the VoneHostName custom incident field.", + "title": "Veeam-FindCleanRestorePoints", + "description": "A Microsoft Sentinel playbook with the incident trigger, that finds the last clean restore point for VM, specified in the incident by VbrHostName and MachineDisplayName. If finds a clean restore point, adds its date as incident's comment, and if a clean restore point is not found, adds a comment indicating that.", "prerequisites": [ "1. Microsoft Sentinel workspace configured.", "2. Permissions to create Logic Apps and API Connections.", @@ -6674,9 +7180,9 @@ "tags": [ "Automation", "Veeam", - "VeeamONE", - "Alarm", - "Resolution" + "Backup", + "RestorePoints", + "Recovery" ], "lastUpdateTime": "2025-08-25T00:00:00Z", "parameterTemplateVersion": "1.0.0", 
@@ -6702,50 +7208,72 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId11')]", + "contentId": "[variables('_playbookContentId8')]", "contentKind": "Playbook", - "displayName": "Veeam-ResolveTriggeredAlarm", - "contentProductId": "[variables('_playbookcontentProductId11')]", - "id": "[variables('_playbookcontentProductId11')]", - "version": "[variables('playbookVersion11')]" + "displayName": "Veeam-FindCleanRestorePoints", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName12')]", + "name": "[variables('playbookTemplateSpecName9')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Veeam-StartSecurityComplianceAnalyzer Playbook with template version 3.0.2", + "description": "Veeam-PerformScanBackup Playbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion12')]", + "contentVersion": "[variables('playbookVersion9')]", "parameters": { "PlaybookName": { - "defaultValue": "Veeam-StartSecurityComplianceAnalyzer", + "defaultValue": "Veeam-PerformScanBackup", "type": "string", "metadata": { "description": "Name of the playbook (Logic App) to be created" } }, "functionAppName": { - "defaultValue": "", "type": "string", + "defaultValue": "", "metadata": { "description": "Name of the Azure Function App for Veeam 
integration" } + }, + "AzureSentinelConnectionName": { + "type": "string", + "defaultValue": "azuresentinel-connection", + "metadata": { + "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)" + } } }, "variables": { "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" }, "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[parameters('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('AzureSentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + }, + "parameterValueType": "Alternative" + } + }, { "type": "Microsoft.Logic/workflows", "apiVersion": "2017-07-01", 
@@ -6755,129 +7283,110 @@ "type": "SystemAssigned" }, "tags": { - "hidden-SentinelTemplateName": "Veeam-StartSecurityComplianceAnalyzer", + "hidden-SentinelTemplateName": "Veeam-PerformScanBackup", "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" + ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { - "functionAppName": { - "defaultValue": "[[parameters('functionAppName')]", + "IsYara": { + "defaultValue": true, + "type": "Bool" + }, + "TimeRange": { + "defaultValue": "1w1d", "type": "String" }, "VbrHostName": { - "defaultValue": "DefaultVbrHostName", + "defaultValue": "vbr1", "type": "String" + }, + "$connections": { + "type": "Object" } }, "triggers": { - "When_a_HTTP_request_is_received": { - "type": "Request", - "kind": "Http" - } - }, - "actions": { - "StartSecurityComplianceAnalyzer": { - "type": "Function", + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", "inputs": { - "queries": { - "vbrHostName": "@parameters('VbrHostName')" + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/StartSecurityComplianceAnalyzerAsync')]" - } + "body": { + "callback_url": "@listCallbackUrl()" + }, + "path": "/incident-creation" } - }, + } + }, + "actions": { "Parse_sessionId": { + "runAfter": { + "Add_comment_to_incident": [ + "Succeeded" + ] + }, "type": "ParseJson", "inputs": { - "content": "@body('StartSecurityComplianceAnalyzer')", + "content": "@outputs('StartBackupScanAV')", "schema": { "type": "object", "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": 
"integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { + "statusCode": { "type": "integer" }, - "result": { + "headers": { "type": "object", "properties": { - "result": { - "type": "integer" + "Date": { + "type": "string" }, - "message": { + "Transfer-Encoding": { "type": "string" }, - "isCanceled": { - "type": "boolean" + "Request-Context": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Content-Length": { + "type": "string" } } }, - "usn": { - "type": "integer" + "body": { + "type": "object", + "properties": { + "sessionId": { + "type": "string" + } + } } } } - }, - "runAfter": { - "StartSecurityComplianceAnalyzer": [ - "Succeeded" - ] - } - }, - "Compose": { - "type": "Compose", - "inputs": "@body('Parse_sessionId')?['id']", - "runAfter": { - "Parse_sessionId": [ - "Succeeded" - ] } }, - "Until_state_is_not_stopped": { - "type": "Until", - "expression": "@equals(body('Parse_session')?['state'],1)", - "limit": { - "timeout": "PT30M" - }, + "Until_state_is_not_Stopped": { "actions": { - "GetSession": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@parameters('VbrHostName')", - "sessionId": "@body('Parse_sessionId')?['id']" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" - } - } - }, "Parse_session": { + "runAfter": { + "GetSession_": [ + "Succeeded" + ] + }, "type": "ParseJson", "inputs": { - "content": "@outputs('GetSession')", + "content": "@body('GetSession_')", "schema": { "type": "object", "properties": { @@ -6887,6 +7396,9 @@ "state": { "type": "integer" }, + "platformName": { + "type": "integer" + }, "id": { "type": "string" }, 
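Review bot: The workflow parameters `IsYara`, `TimeRange` and `VbrHostName` added to the Veeam-PerformScanBackup definition are not read by any action in the hunks shown; `StartBackupScanAV` and `GetSession_` take the host from `@variables('VbrHostName')` instead. The `VbrHostName` parameter also shares its name with that variable and ships with the default `vbr1`, which looks like a lab host name rather than a meaningful default. If the parameters are not needed I would remove them; otherwise wire them into the `StartBackupScanAV` queries and describe them in the playbook metadata. The workflow definition continues outside this hunk.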
@@ -6918,75 +7430,296 @@ }, "usn": { "type": "integer" + }, + "platformId": { + "type": "string" } } } - }, - "runAfter": { - "GetSession": [ - "Succeeded" - ] + } + }, + "GetSession_": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "sessionId": "@body('Parse_sessionId')?['body']?['sessionId']" + }, + "function": { + "id": "[[format('{0}/functions/GetSessionAsync', variables('functionAppId'))]" + } } }, "Delay": { + "runAfter": { + "Parse_session": [ + "Succeeded" + ] + }, "type": "Wait", "inputs": { "interval": { - "count": 1, + "count": 3, "unit": "Minute" } + } + } + }, + "runAfter": { + "Parse_sessionId": [ + "Succeeded" + ] + }, + "expression": "@equals(body('Parse_session')?['state'],1)", + "limit": { + "timeout": "PT3H" + }, + "type": "Until" + }, + "Get_variables_from_custom_fields": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Parse_custom_fields": { + "type": "ParseJson", + "inputs": { + "content": "@items('Get_variables_from_custom_fields')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "type": "object", + "properties": { + "VbrHostName": { + "type": "array", + "items": { + "type": "string" + } + }, + "MachineDisplayName": { + "type": "array", + "items": { + "type": "string" + } + }, + "MachineUuid": { + "type": "array", + "items": { + "type": "string" + } + }, + "BackupObjectId": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + }, + "Get_VbrHostName": { + "foreach": "@outputs('Parse_custom_fields')?['body']?['VbrHostName']", + "actions": { + "Set_VbrHostName": { + "type": "SetVariable", + "inputs": { + "name": "VbrHostName", + "value": "@items('Get_VbrHostName')" + } + } }, "runAfter": { - "Parse_session": [ + "Parse_custom_fields": [ "Succeeded" ] - } + }, + "type": "Foreach" + }, + "Get_BackupObjectId": { + "foreach": "@outputs('Parse_custom_fields')?['body']?['BackupObjectId']", + "actions": { + 
"Set_BackupObjectId": { + "type": "SetVariable", + "inputs": { + "name": "BackupObjectId", + "value": "@items('Get_BackupObjectId')" + } + } + }, + "runAfter": { + "Get_VbrHostName": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_MachineDispalyName": { + "foreach": "@body('Parse_custom_fields')?['MachineDisplayName']", + "actions": { + "Set_MachineDispalyName": { + "type": "SetVariable", + "inputs": { + "name": "MachineDisplayName", + "value": "@items('Get_MachineDispalyName')" + } + } + }, + "runAfter": { + "Get_BackupObjectId": [ + "Succeeded" + ] + }, + "type": "Foreach" } }, "runAfter": { - "Compose": [ + "Initialize_MachineDisplayName": [ "Succeeded" ] + }, + "type": "Foreach" + }, + "Initialize_VbrHostName": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "VbrHostName", + "type": "string", + "value": "none" + } + ] } }, - "GetSecurityComplianceAnalyzerResultsAsync": { + "StartBackupScanAV": { + "runAfter": { + "Get_variables_from_custom_fields": [ + "Succeeded" + ] + }, "type": "Function", "inputs": { "queries": { - "vbrHostName": "@parameters('VbrHostName')" + "VbrHostName": "@variables('VbrHostName')", + "backupObjectId": "@variables('BackupObjectId')", + "vmName": "@variables('MachineDisplayName')" }, "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetSecurityComplianceAnalyzerResultsAsync')]" + "id": "[[format('{0}/functions/StartBackupScanAV', variables('functionAppId'))]" } - }, + } + }, + "Initialize_BackupObjectId": { "runAfter": { - "Until_state_is_not_stopped": [ + "Initialize_VbrHostName": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "BackupObjectId", + "type": "string", + "value": "none" + } + ] } }, - "Compose_output": { - "type": "Compose", - "inputs": "@body('Parse_session')", + "Initialize_MachineDisplayName": { "runAfter": { - "GetSecurityComplianceAnalyzerResultsAsync": [ + "Initialize_BackupObjectId": [ "Succeeded" ] - } - } 
- } - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "MachineDisplayName", + "type": "string", + "value": "none" + } + ] + } + }, + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Result": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "AV scan for @{variables('MachineDisplayName')} has finished. Details: @{body('Parse_session')?['result']?['message']}.
Incident has been resolved, so you can close it.
" + }, + "path": "/Incidents/Comment" + } + }, + "Result": { + "runAfter": { + "Until_state_is_not_Stopped": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@body('Parse_session')?['result']" + }, + "Add_comment_to_incident": { + "runAfter": { + "StartBackupScanAV": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "AV scan for @{variables('MachineDisplayName')} has been started.
" + }, + "path": "/Incidents/Comment" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[parameters('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", + "id": "[[format('/subscriptions/{0}/providers/Microsoft.Web/locations/{1}/managedApis/azuresentinel', subscription().subscriptionId, variables('workspace-location-inline'))]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", "properties": { - "parentId": "[variables('playbookId12')]", - "contentId": "[variables('_playbookContentId12')]", + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", "kind": "Playbook", - "version": "[variables('playbookVersion12')]", + "version": "[variables('playbookVersion9')]", "source": { "kind": "Solution", "name": "Veeam", 
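Review bot: The closing comment in `Add_comment_to_incident_(V3)` tells the analyst "Incident has been resolved, so you can close it" without looking at the scan outcome. It runs as soon as `Result` succeeds, and `Result` only composes `body('Parse_session')?['result']`, so a scan that reported malware or ended in an error would produce the same text. I would drop the verdict and report the outcome instead, e.g. `"message": "AV scan for @{variables('MachineDisplayName')} has finished. Result: @{body('Parse_session')?['result']?['result']}. Details: @{body('Parse_session')?['result']?['message']}."`, or put the "resolved" wording behind a Condition on the result code. The meaning of the numeric result values is not visible in this diff, so the exact check needs confirming against the Function App.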
@@ -7006,25 +7739,27 @@ } ], "metadata": { - "title": "Veeam-StartSecurityComplianceAnalyzer", - "description": "This Microsoft Sentinel playbook initiates and monitors Veeam Security and Compliance Analyzer sessions via HTTP trigger.", + "title": "Veeam-PerformScanBackup", + "description": "This Microsoft Sentinel playbook with an incident trigger performs antivirus scan on Veeam backup using VbrHostName, BackupObjectId, MachineDisplayName custom incident fields to identify backup. Indicates results as incident comments.", "prerequisites": [ "1. Microsoft Sentinel workspace configured.", "2. Permissions to create Logic Apps and API Connections.", "3. Permissions to assign roles to the Resource Group.", "4. Veeam Azure Function App deployed and configured.", - "5. Hybrid Connection and Key Vault secrets configured for the VBR Server." + "5. Hybrid Connection and Key Vault secrets configured for each VBR Server." ], "tags": [ "Automation", "Veeam", - "BestPractice", - "Analyzer", - "HTTP" + "Backup", + "Antivirus", + "Scan" ], "lastUpdateTime": "2025-08-25T00:00:00Z", "parameterTemplateVersion": "1.0.0", - "postDeployment": [], + "postDeployment": [ + "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace." + ], "releaseNotes": { "version": "1.0", "title": "[variables('blanks')]", 
@@ -7039,30 +7774,30 @@ "packageName": "[variables('_solutionName')]", "packageId": "[variables('_solutionId')]", "contentSchemaVersion": "3.0.0", - "contentId": "[variables('_playbookContentId12')]", + "contentId": "[variables('_playbookContentId9')]", "contentKind": "Playbook", - "displayName": "Veeam-StartSecurityComplianceAnalyzer", - "contentProductId": "[variables('_playbookcontentProductId12')]", - "id": "[variables('_playbookcontentProductId12')]", - "version": "[variables('playbookVersion12')]" + "displayName": "Veeam-PerformScanBackup", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", - "name": "[variables('playbookTemplateSpecName13')]", + "name": "[variables('playbookTemplateSpecName10')]", "location": "[parameters('workspace-location')]", "dependsOn": [ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Veeam-PerformConfigurationBackupOnIncident Playbook with template version 3.0.2", + "description": "Veeam-PerformInstantVMRecovery Playbook with template version 3.1.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion13')]", + "contentVersion": "[variables('playbookVersion10')]", "parameters": { "PlaybookName": { - "defaultValue": "Veeam-PerformConfigurationBackupOnIncident", + "defaultValue": "Veeam-PerformInstantVMRecovery", "type": "string", "metadata": { "description": "Name of the playbook (Logic App) to be created" 
@@ -7075,31 +7810,17 @@ "description": "Name of the Azure Function App for Veeam integration" } }, - "subscriptionId": { - "type": "string", - "defaultValue": "[subscription().subscriptionId]", - "metadata": { - "description": "Subscription ID where resources are deployed" - } - }, - "resourceGroupName": { - "type": "string", - "defaultValue": "[resourceGroup().name]", - "metadata": { - "description": "Resource group name where Function App is deployed" - } - }, "AzureSentinelConnectionName": { "type": "string", "defaultValue": "azuresentinel-connection", "metadata": { - "description": "The name to use for the Microsoft Sentinel Connector in the Logic App" + "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)" } } }, "variables": { - "functionAppId": "[[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Web/sites', parameters('functionAppName'))]", - "connection-1": "[[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", "_connection-1": "[[variables('connection-1')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", 
@@ -7124,22 +7845,22 @@ "apiVersion": "2017-07-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" - ], "identity": { "type": "SystemAssigned" }, "tags": { - "hidden-SentinelTemplateName": "Veeam-StartConfigurationBackup-Incident", + "hidden-SentinelTemplateName": "Veeam-PerformInstantVMRecovery", "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" + ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", + "contentVersion": "1.0.1.0", "parameters": { "$connections": { "type": "Object" @@ -7155,7 +7876,7 @@ } }, "body": { - "callback_url": "@{listCallbackUrl()}" + "callback_url": "@listCallbackUrl()" }, "path": "/incident-creation" } @@ -7168,12 +7889,13 @@ "variables": [ { "name": "VbrHostName", - "type": "string" + "type": "string", + "value": "none" } ] } }, - "Initialize_SessionId": { + "Initialize_MachineDisplayName": { "runAfter": { "Initialize_VbrHostName": [ "Succeeded" 
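Review bot: `Initialize_VbrHostName` now seeds the variable with the literal `"none"` (and `Initialize_MachineDisplayName` in the next hunk does the same), but nothing visible checks for that sentinel before `GetLastCleanRestorePointForVMAsync` and `StartInstantVMRecoveryAsync` are called. An incident with no alerts, or with empty custom-detail arrays, would leave the loops with nothing to assign and send `none` to the Function App as a real host and VM name. A Condition after `Get_variables_from_custom_fields` that posts an incident comment and terminates while either variable still equals `none` would stop the recovery from starting on incomplete input. The Veeam-PerformScanBackup definition earlier in this diff initialises its variables the same way before `StartBackupScanAV`. The action list continues outside this hunk.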
@@ -7183,19 +7905,20 @@ "inputs": { "variables": [ { - "name": "SessionId", - "type": "string" + "name": "MachineDisplayName", + "type": "string", + "value": "none" } ] } }, - "Parse_custom_fields": { + "Get_variables_from_custom_fields": { "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", "actions": { - "Parse_JSON": { + "Parse_custom_fields": { "type": "ParseJson", "inputs": { - "content": "@items('Parse_custom_fields')?['properties']?['additionalData']?['Custom Details']", + "content": "@items('Get_variables_from_custom_fields')?['properties']?['additionalData']?['Custom Details']", "schema": { "type": "object", "properties": { @@ -7204,15 +7927,33 @@ "items": { "type": "string" } + }, + "MachineDisplayName": { + "type": "array", + "items": { + "type": "string" + } + }, + "MachineUuid": { + "type": "array", + "items": { + "type": "string" + } + }, + "BackupObjectId": { + "type": "array", + "items": { + "type": "string" + } } } } } }, "Get_VbrHostName": { - "foreach": "@outputs('Parse_JSON')?['body']?['VbrHostName']", + "foreach": "@outputs('Parse_custom_fields')?['body']?['VbrHostName']", "actions": { - "Set_variable_VbrHostName": { + "Set_VbrHostName": { "type": "SetVariable", "inputs": { "name": "VbrHostName", @@ -7221,7 +7962,25 @@ } }, "runAfter": { - "Parse_JSON": [ + "Parse_custom_fields": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_MachineDispalyName": { + "foreach": "@body('Parse_custom_fields')?['MachineDisplayName']", + "actions": { + "Set_MachineDispalyName": { + "type": "SetVariable", + "inputs": { + "name": "MachineDisplayName", + "value": "@items('Get_MachineDispalyName')" + } + } + }, + "runAfter": { + "Get_VbrHostName": [ "Succeeded" ] }, 
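Review bot: `Set_VbrHostName` and `Set_MachineDispalyName` write shared variables from inside nested `Foreach` loops, and none of the loops visible here sets `runtimeConfiguration`, so they run with the Logic Apps default of parallel iterations. For an incident with more than one alert, the host name and machine name that survive can come from different alerts, and the recovery would then act on a mismatched pair. Adding `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to `Get_variables_from_custom_fields` and the inner loops makes the assignment order deterministic; selecting one alert explicitly would be clearer still. The same loops appear in the Veeam-PerformScanBackup definition above, and `Dispaly` in the two action names is a typo for `Display`. The outer `Foreach` closes in the following hunk.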
@@ -7229,64 +7988,256 @@ } }, "runAfter": { - "Initialize_SessionId": [ + "Initialize_MachineDisplayName": [ "Succeeded" ] }, "type": "Foreach" }, - "Check_if_VbrHostName_found": { - "actions": { - "StartConfigurationBackupAsync": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@variables('VbrHostName')" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/StartConfigurationBackupAsync')]" - } - } + "GetLastCleanRestorePointForVMAsync": { + "runAfter": { + "Get_variables_from_custom_fields": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "queries": { + "VbrHostName": "@variables('VbrHostName')", + "vmName": "@variables('MachineDisplayName')" }, - "Parse_sessionId": { - "runAfter": { - "StartConfigurationBackupAsync": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@outputs('StartConfigurationBackupAsync')", - "schema": { - "type": "object", - "properties": { - "statusCode": { - "type": "integer" - }, - "headers": { + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetCleanRestorePointsAsync')]" + } + } + }, + "Does_clean_restore_point_exist": { + "runAfter": { + "GetLastCleanRestorePointForVMAsync": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, + "else": { + "actions": { + "Add_comment": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "No clean restore points were found for @{variables('MachineDisplayName')}.
" + }, + "path": "/Incidents/Comment" + } + }, + "Terminate": { + "runAfter": { + "Add_comment": [ + "Succeeded" + ] + }, + "type": "Terminate", + "inputs": { + "runStatus": "Cancelled" + } + } + } + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('GetLastCleanRestorePointForVMAsync')?['statusCode']", + 404 + ] + } + } + ] + }, + "type": "If" + }, + "Parse_restorePointId": { + "runAfter": { + "Does_clean_restore_point_exist": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('GetLastCleanRestorePointForVMAsync')", + "schema": { + "type": "object", + "properties": { + "platformName": { + "type": "integer" + }, + "type": { + "type": "integer" + }, + "malwareStatus": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "platformId": { + "type": "string" + }, + "creationTime": { + "type": "string" + }, + "backupId": { + "type": "string" + }, + "sessionId": { + "type": "string" + }, + "allowedOperations": { + "type": "array", + "items": { + "type": "integer" + } + }, + "backupFileId": { + "type": "string" + } + } + } + } + }, + "StartInstantVMRecoveryAsync": { + "runAfter": { + "Parse_restorePointId": [ + "Succeeded" + ] + }, + "type": "Function", + "inputs": { + "queries": { + "VbrHostName": "@variables('VbrHostName')", + "restorePointId": "@body('Parse_restorePointId')?['id']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/StartInstantVMRecoveryAsync')]" + } + } + }, + "Parse_sessionId": { + "runAfter": { + "StartInstantVMRecoveryAsync": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('StartInstantVMRecoveryAsync')", + "schema": { + "type": "object", + "properties": { + "data": { + "type": "object", + "properties": { + "sessionType": { + "type": "integer" + }, + "state": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, 
+ "creationTime": { + "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { "type": "object", "properties": { - "Date": { - "type": "string" - }, - "Transfer-Encoding": { - "type": "string" - }, - "Strict-Transport-Security": { - "type": "string" - }, - "x-ms-middleware-request-id": { - "type": "string" - }, - "Content-Type": { - "type": "string" + "result": { + "type": "integer" }, - "Content-Length": { + "message": { "type": "string" } } }, - "body": { + "usn": { + "type": "integer" + } + } + } + } + } + } + }, + "Add_comment_to_incident": { + "runAfter": { + "Parse_sessionId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Instant VM recovery has started for @{variables('MachineDisplayName')} and restore point @{body('Parse_restorePointId')?['id']}.
" + }, + "path": "/Incidents/Comment" + } + }, + "Until_state_is_not_Stopped": { + "actions": { + "GetSession_": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "sessionId": "@body('Parse_sessionId')?['data']?['id']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" + } + } + }, + "Parse_session": { + "runAfter": { + "GetSession_": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('GetSession_')", + "schema": { + "type": "object", + "properties": { + "data": { "type": "object", "properties": { "sessionType": { @@ -7318,9 +8269,6 @@ }, "message": { "type": "string" - }, - "isCanceled": { - "type": "boolean" } } }, @@ -7333,241 +8281,61 @@ } } }, - "Set_SessionId": { + "Delay": { "runAfter": { - "Parse_sessionId": [ + "Parse_session": [ "Succeeded" ] }, - "type": "SetVariable", + "type": "Wait", "inputs": { - "name": "SessionId", - "value": "@body('Parse_sessionId')?['body']?['id']" - } - }, - "Add_backup_started_comment": { - "runAfter": { - "Set_SessionId": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Configuration backup started on @{variables('VbrHostName')} with session ID: @{variables('SessionId')}
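Review bot: `Does_clean_restore_point_exist` runs after `GetLastCleanRestorePointForVMAsync` on `Succeeded`, `TimedOut`, `Skipped` and `Failed`, yet its expression only rejects status code 404. A timeout, an authorization failure or a 500 therefore takes the true branch, and `Parse_restorePointId` and `StartInstantVMRecoveryAsync` go on with whatever body came back, possibly a null `restorePointId`. Testing for success instead closes that gap, e.g. `"equals": ["@outputs('GetLastCleanRestorePointForVMAsync')?['statusCode']", 200]` (confirm the code the function returns on success). The condition on `ResolveTriggeredAlarm` further down has the same shape: it excludes only 404 and 500, so any other outcome is treated as resolved. The action is also named for a single last restore point but calls `/functions/GetCleanRestorePointsAsync`, which is worth checking against the single-object schema in `Parse_restorePointId`.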
" - }, - "path": "/Incidents/Comment" - } - }, - "Until_state_is_not_stopped": { - "actions": { - "GetSession": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@variables('VbrHostName')", - "sessionId": "@variables('SessionId')" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" - } - } - }, - "Parse_session": { - "runAfter": { - "GetSession": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@outputs('GetSession')", - "schema": { - "type": "object", - "properties": { - "statusCode": { - "type": "integer" - }, - "headers": { - "type": "object", - "properties": { - "Date": { - "type": "string" - }, - "Transfer-Encoding": { - "type": "string" - }, - "Request-Context": { - "type": "string" - }, - "Content-Type": { - "type": "string" - }, - "Content-Length": { - "type": "string" - } - } - }, - "body": { - "type": "object", - "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" - }, - "result": { - "type": "object", - "properties": { - "result": { - "type": "integer" - }, - "message": { - "type": "string" - }, - "isCanceled": { - "type": "boolean" - } - } - }, - "usn": { - "type": "integer" - } - } - } - } - } - } - }, - "Delay": { - "runAfter": { - "Parse_session": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 1, - "unit": "Minute" - } - } - } - }, - "runAfter": { - "Add_backup_started_comment": [ - "Succeeded" - ] - }, - "expression": "@equals(body('Parse_session')?['body']?['state'],1)", - "limit": { - "timeout": "PT30M" - }, - "type": "Until" - }, - "IngestSessionDataBySessionIdAsync": { - "runAfter": { - "Until_state_is_not_stopped": [ - "Succeeded" - ] - }, - "type": "Function", - "inputs": { - 
"queries": { - "vbrHostName": "@variables('VbrHostName')", - "sessionId": "@variables('SessionId')" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/IngestSessionDataBySessionIdAsync')]" - } - } - }, - "Add_backup_completed_comment": { - "runAfter": { - "IngestSessionDataBySessionIdAsync": [ - "Succeeded", - "Failed", - "Skipped", - "TimedOut" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Configuration backup completed on @{variables('VbrHostName')}. Final result: @{body('Parse_session')?['body']?['result']?['result']}
Session data has been ingested into the workspace.
" - }, - "path": "/Incidents/Comment" + "interval": { + "count": 3, + "unit": "Minute" + } } } }, "runAfter": { - "Parse_custom_fields": [ + "Add_comment_to_incident": [ "Succeeded" ] }, - "else": { - "actions": { - "Add_no_hostname_comment": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Warning: No VbrHostName found in incident custom fields. Configuration backup cannot be started.
Please ensure the incident contains a 'VbrHostName' custom field with the target Veeam server hostname.
" - }, - "path": "/Incidents/Comment" - } - } - } + "expression": "@equals(body('Parse_session')?['state'],1)", + "limit": { + "timeout": "PT3H" }, - "expression": { - "and": [ - { - "not": { - "equals": [ - "@variables('VbrHostName')", - "" - ] - } - } + "type": "Until" + }, + "Result": { + "runAfter": { + "Until_state_is_not_Stopped": [ + "Succeeded" ] }, - "type": "If" + "type": "Compose", + "inputs": "@body('Parse_session')?['result']" + }, + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Result": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Instant VM recovery for @{variables('MachineDisplayName')} has finished. Details: @{body('Parse_session')?['result']}.
Quick backup for @{variables('VbrHostName')} has started.
" + "message": "Alarm with ID @{variables('TriggeredAlarmId')} has been successfully resolved on @{variables('VoneHostName')}.
" }, "path": "/Incidents/Comment" } } }, + "runAfter": { + "ResolveTriggeredAlarm": [ + "Succeeded", + "TimedOut", + "Skipped", + "Failed" + ] + }, "else": { "actions": { - "Indicate_failure_with_comment": { + "Add_failure_comment": { "type": "ApiConnection", "inputs": { "host": { @@ -7991,203 +8670,34 @@ "method": "post", "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Quick backup for @{variables('VbrHostName')} has failed to start.
" + "message": "Alarm with ID @{variables('TriggeredAlarmId')} has not been resolved on @{variables('VoneHostName')}. Reason: Function call failed or returned an error.
" }, "path": "/Incidents/Comment" } } } - } - }, - "Parse_session_ID": { - "runAfter": { - "Check_StartQuickBackup_Result": [ - "Succeeded" + }, + "expression": { + "and": [ + { + "not": { + "equals": [ + "@outputs('ResolveTriggeredAlarm')?['statusCode']", + 404 + ] + } + }, + { + "not": { + "equals": [ + "@outputs('ResolveTriggeredAlarm')?['statusCode']", + 500 + ] + } + } ] }, - "type": "ParseJson", - "inputs": { - "content": "@body('StartQuickBackupJobAsync')", - "schema": { - "type": "object", - "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": "integer" - }, - "platformName": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" - }, - "result": { - "type": "object", - "properties": { - "result": { - "type": "integer" - }, - "message": { - "type": "string" - }, - "isCanceled": { - "type": "boolean" - } - } - }, - "usn": { - "type": "integer" - }, - "platformId": { - "type": "string" - } - } - } - } - }, - "Until_state_is_not_Stopped": { - "actions": { - "GetSession_": { - "type": "Function", - "inputs": { - "queries": { - "vbrHostName": "@variables('VbrHostName')", - "sessionId": "@body('Parse_session_ID')?['id']" - }, - "function": { - "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" - } - } - }, - "Parse_session": { - "runAfter": { - "GetSession_": [ - "Succeeded" - ] - }, - "type": "ParseJson", - "inputs": { - "content": "@body('GetSession_')", - "schema": { - "type": "object", - "properties": { - "sessionType": { - "type": "integer" - }, - "state": { - "type": "integer" - }, - "platformName": { - "type": "integer" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "jobId": { - "type": "string" - }, - "creationTime": { - "type": "string" - }, - "progressPercent": { - "type": "integer" - }, - "result": { - 
"type": "object", - "properties": { - "result": { - "type": "integer" - }, - "message": { - "type": "string" - }, - "isCanceled": { - "type": "boolean" - } - } - }, - "usn": { - "type": "integer" - }, - "platformId": { - "type": "string" - } - } - } - } - }, - "Delay": { - "runAfter": { - "Parse_session": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": { - "count": 3, - "unit": "Minute" - } - } - } - }, - "runAfter": { - "Parse_session_ID": [ - "Succeeded" - ] - }, - "expression": "@equals(body('Parse_session')?['state'],1)", - "limit": { - "timeout": "PT3H" - }, - "type": "Until" - }, - "Result": { - "runAfter": { - "Until_state_is_not_Stopped": [ - "Succeeded" - ] - }, - "type": "Compose", - "inputs": "@body('Parse_session')?['result']" - }, - "Show_result_as_a_comment": { - "runAfter": { - "Result": [ - "Succeeded" - ] - }, - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "Quick backup has finished. Details: @{outputs('Result')}.
" - }, - "path": "/Incidents/Comment" - } + "type": "If" } } }, @@ -8212,12 +8722,12 @@ { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]", "properties": { - "parentId": "[variables('playbookId14')]", - "contentId": "[variables('_playbookContentId14')]", + "parentId": "[variables('playbookId11')]", + "contentId": "[variables('_playbookContentId11')]", "kind": "Playbook", - "version": "[variables('playbookVersion14')]", + "version": "[variables('playbookVersion11')]", "source": { "kind": "Solution", "name": "Veeam", @@ -8237,8 +8747,8 @@ } ], "metadata": { - "title": "Veeam-StartQuickBackup", - "description": "A Microsoft Sentinel playbook with an incident trigger, that performs quick backup support for affected backupObject (specifided by the BackupObjectId incidents custom field) when triggered by Microsoft Sentinel incidents. Indicates results as incident comments.", + "title": "Veeam-ResolveTriggeredAlarm", + "description": "A Microsoft Sentinel playbook with an incident trigger that resolves Veeam ONE alarms (identified by TriggeredAlarmId custom incident field) on the Veeam ONE server specified by the VoneHostName custom incident field.", "prerequisites": [ "1. Microsoft Sentinel workspace configured.", "2. Permissions to create Logic Apps and API Connections.", 
@@ -8249,12 +8759,12 @@
 "tags": [
 "Automation",
 "Veeam",
- "QuickBackup",
- "Support",
- "IncidentResponse"
+ "VeeamONE",
+ "Alarm",
+ "Resolution"
 ],
 "lastUpdateTime": "2025-08-25T00:00:00Z",
- "parameterTemplateVersion": "1.0.1",
+ "parameterTemplateVersion": "1.0.0",
 "postDeployment": [
 "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace."
 ],
@@ -8277,31 +8787,31 @@
 "packageName": "[variables('_solutionName')]",
 "packageId": "[variables('_solutionId')]",
 "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_playbookContentId14')]",
+ "contentId": "[variables('_playbookContentId11')]",
 "contentKind": "Playbook",
- "displayName": "Veeam-StartQuickBackup",
- "contentProductId": "[variables('_playbookcontentProductId14')]",
- "id": "[variables('_playbookcontentProductId14')]",
- "version": "[variables('playbookVersion14')]"
+ "displayName": "Veeam-ResolveTriggeredAlarm",
+ "contentProductId": "[variables('_playbookcontentProductId11')]",
+ "id": "[variables('_playbookcontentProductId11')]",
+ "version": "[variables('playbookVersion11')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
 "apiVersion": "2023-04-01-preview",
- "name": "[variables('playbookTemplateSpecName15')]",
+ "name": "[variables('playbookTemplateSpecName12')]",
 "location": "[parameters('workspace-location')]",
 "dependsOn": [
 "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Veeam-SetupConnections Playbook with template version 3.0.2",
+ "description": "Veeam-StartSecurityComplianceAnalyzer Playbook with template version 3.1.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion15')]",
+ "contentVersion": "[variables('playbookVersion12')]",
 "parameters": {
 "PlaybookName": {
+ "defaultValue": "Veeam-StartSecurityComplianceAnalyzer",
 "type": "string",
- "defaultValue": "Veeam-SetupConnections",
 "metadata": {
 "description": "Name of the playbook (Logic App) to be created"
 }
@@ -8312,87 +8822,15 @@
 "metadata": {
 "description": "Name of the Azure Function App for Veeam integration"
 }
- },
- "keyVaultName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Name of the Azure Key Vault"
- }
- },
- "relayNamespaceName": {
- "type": "string",
- "defaultValue": "",
- "metadata": {
- "description": "Name of the Azure Relay namespace"
- }
- },
- "workspaceId": {
- "defaultValue": "",
- "type": "string",
- "metadata": {
- "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel"
- }
- },
- "AzureSentinelConnectionName": {
- "type": "string",
- "defaultValue": "azuresentinel-connection",
- "metadata": {
- "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)"
- }
- },
- "subscriptionId": {
- "type": "string",
- "defaultValue": "[subscription().subscriptionId]",
- "metadata": {
- "description": "Azure subscription ID"
- }
- },
- "resourceGroupName": {
- "type": "string",
- "defaultValue": "[resourceGroup().name]",
- "metadata": {
- "description": "Name of the resource group containing the Logic Apps to be updated"
- }
- },
- "keyVaultDomain": {
- "type": "string",
- "defaultValue": "[environment().suffixes.keyVaultDns]",
- "metadata": {
- "description": "The domain suffix for Azure Key Vault (dynamically assigned based on Azure environment)"
- }
- },
- "azureManagementDomain": {
- "type": "string",
- "defaultValue": "[environment().resourceManager]",
- "metadata": {
- "description": "The Azure Management API endpoint (dynamically assigned based on Azure environment)"
- }
 }
 },
 "variables": {
- "newRecurrenceInterval": "12",
- "newRecurrenceFrequency": "Hour",
- "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]",
- "_connection-1": 
"[[variables('connection-1')]",
+ "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]",
 "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]",
 "workspace-name": "[parameters('workspace')]",
 "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]"
 },
 "resources": [
- {
- "type": "Microsoft.Web/connections",
- "apiVersion": "2016-06-01",
- "name": "[[parameters('AzureSentinelConnectionName')]",
- "location": "[[variables('workspace-location-inline')]",
- "properties": {
- "displayName": "[[parameters('AzureSentinelConnectionName')]",
- "api": {
- "id": "[[variables('_connection-1')]"
- },
- "parameterValueType": "Alternative"
- }
- },
 {
 "type": "Microsoft.Logic/workflows",
 "apiVersion": "2017-07-01",
@@ -8402,758 +8840,577 @@ "type": "SystemAssigned" }, "tags": { - "hidden-SentinelTemplateName": "Veeam-SetupConnectionsPlaybook", + "hidden-SentinelTemplateName": "Veeam-StartSecurityComplianceAnalyzer", "hidden-SentinelTemplateVersion": "1.0", "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" }, - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" - ], "properties": { "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "contentVersion": "1.0.0.0", "parameters": { - "$connections": { - "type": "Object" - }, - "subscriptionId": { - "type": "String", - "defaultValue": "[[parameters('subscriptionId')]" - }, - "resourceGroupName": { - "type": "String", - "defaultValue": "[[parameters('resourceGroupName')]" - }, - "keyVaultName": { - "type": "String", - "defaultValue": "[[parameters('keyVaultName')]" - }, - "relayNamespaceName": { - "type": "String", - "defaultValue": "[[parameters('relayNamespaceName')]" - }, "functionAppName": { - "type": "String", - "defaultValue": "[[parameters('functionAppName')]" - }, - "workspaceId": { - "type": "String", - "defaultValue": "[[parameters('workspaceId')]" - }, - "keyVaultDomain": { - "type": "String", - "defaultValue": "[[parameters('keyVaultDomain')]" + "defaultValue": "[[parameters('functionAppName')]", + "type": "String" }, - "azureManagementDomain": { - "type": "String", - "defaultValue": "[[parameters('azureManagementDomain')]" + "VbrHostName": { + "defaultValue": "DefaultVbrHostName", + "type": "String" } }, "triggers": { - "manual": { + "When_a_HTTP_request_is_received": { "type": "Request", - "kind": "Http", + "kind": "Http" + } + }, + "actions": { + "StartSecurityComplianceAnalyzer": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@parameters('VbrHostName')" + }, + "function": { + "id": "[[concat(variables('functionAppId'), 
'/functions/StartSecurityComplianceAnalyzerAsync')]" + } + } + }, + "Parse_sessionId": { + "type": "ParseJson", "inputs": { + "content": "@body('StartSecurityComplianceAnalyzer')", "schema": { "type": "object", "properties": { - "recurrenceInterval": { - "default": "[[variables('newRecurrenceInterval')]" + "sessionType": { + "type": "integer" }, - "recurrenceFrequency": { - "default": "[[variables('newRecurrenceFrequency')]" + "state": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, + "creationTime": { + "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { + "type": "object", + "properties": { + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": "boolean" + } + } + }, + "usn": { + "type": "integer" } } } + }, + "runAfter": { + "StartSecurityComplianceAnalyzer": [ + "Succeeded" + ] } - } - }, - "actions": { - "Initialize_Variables": { - "type": "InitializeVariable", - "inputs": { - "variables": [ - { - "name": "VbrUsernameId", - "type": "string" - }, - { - "name": "VbrPasswordId", - "type": "string" - }, - { - "name": "VbrServerName", - "type": "string", - "value": "[variables('blanks')]" - }, - { - "name": "VbrBaseUrl", - "type": "string", - "value": "[variables('blanks')]" - }, - { - "name": "VoneUsernameId", - "type": "string" - }, - { - "name": "VonePasswordId", - "type": "string" - }, - { - "name": "VoneServerName", - "type": "string", - "value": "[variables('blanks')]" - }, - { - "name": "VoneBaseUrl", - "type": "string", - "value": "[variables('blanks')]" - } + }, + "Compose": { + "type": "Compose", + "inputs": "@body('Parse_sessionId')?['id']", + "runAfter": { + "Parse_sessionId": [ + "Succeeded" ] } }, - "For_each_VONE_server_set_missing_parameters": { - "type": "Foreach", - "foreach": "@body('Parse_VONE_Settings')?['properties']?['watchlistItems']", + "Until_state_is_not_stopped": { + 
"type": "Until", + "expression": "@equals(body('Parse_session')?['state'],1)", + "limit": { + "timeout": "PT30M" + }, "actions": { - "If_any_value_in_watchlist_is_missing": { - "type": "If", - "expression": { - "or": [ - { - "equals": [ - "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", - "@null" - ] - }, - { - "equals": [ - "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", - "" - ] - }, - { - "equals": [ - "@item()?['properties.itemsKeyValue']?['Key Vault Password ID']", - "" - ] - }, - { - "equals": [ - "@item()?['properties.itemsKeyValue']?['Key Vault Password ID']", - "@null" - ] - }, - { - "equals": [ - "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']", - "" - ] - }, - { - "equals": [ - "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']", - "@null" - ] - } - ] - }, - "actions": { - "Update_Watchlist_Item_With_KeyVault_IDs_VONE": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "body": { - "Veeam Server Name": "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']", - "Base URL": "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Base URL']", - "Collect Alarms": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms'], '')\r\n ),\r\n 'true', \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']\r\n)", - "Key Vault Password ID": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']), \r\n 
equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], '')\r\n ),\r\n concat(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Password'), \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']\r\n)", - "Key Vault Username ID": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID']), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], '')\r\n ),\r\n concat(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Username'), \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID']\r\n)" - }, - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItem/@{encodeURIComponent(items('For_each_VONE_server_set_missing_parameters')?['name'])}" - } + "GetSession": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@parameters('VbrHostName')", + "sessionId": "@body('Parse_sessionId')?['id']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" } - }, - "runAfter": { - "Parse_current_VONE_server": [ - "Succeeded" - ] } }, - "Parse_current_VONE_server": { + "Parse_session": { "type": "ParseJson", "inputs": { - "content": "@items('For_each_VONE_server_set_missing_parameters')", + "content": "@outputs('GetSession')", "schema": { "type": "object", "properties": { - "properties.watchlistItemType": 
{ - "type": "string" - }, - "properties.watchlistItemId": { - "type": "string" - }, - "properties.tenantId": { - "type": "string" - }, - "properties.isDeleted": { - "type": "boolean" + "sessionType": { + "type": "integer" }, - "properties.created": { - "type": "string" + "state": { + "type": "integer" }, - "properties.updated": { + "id": { "type": "string" }, - "properties.createdBy": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.updatedBy": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Alarms": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - } - } - }, - "properties.entityMapping": { - "type": "object" - }, - "etag": { + "name": { "type": "string" }, - "id": { + "jobId": { "type": "string" }, - "name": { + "creationTime": { "type": "string" }, - "type": { - "type": "string" + "progressPercent": { + "type": "integer" }, - "systemData": { + "result": { "type": "object", "properties": { - "createdBy": { - "type": "string" - }, - "createdByType": { - "type": "string" - }, - "createdAt": { - "type": "string" - }, - "lastModifiedBy": { - "type": "string" + "result": { + "type": "integer" }, - "lastModifiedByType": { + "message": { "type": "string" }, - "lastModifiedAt": { - "type": "string" + "isCanceled": { + "type": "boolean" } } + }, + "usn": { + "type": "integer" } } } + }, + "runAfter": { + "GetSession": [ + "Succeeded" + ] + } + }, + "Delay": { + "type": "Wait", + "inputs": { + "interval": { + "count": 1, + "unit": "Minute" + } + }, + "runAfter": { + "Parse_session": [ + "Succeeded" + ] } } }, "runAfter": { - 
"Parse_VONE_Settings": [ + "Compose": [ "Succeeded" ] - }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } } }, - "Watchlists_-_Get_Updated_VONE_Settings": { - "type": "ApiConnection", + "GetSecurityComplianceAnalyzerResultsAsync": { + "type": "Function", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } + "queries": { + "vbrHostName": "@parameters('VbrHostName')" }, - "method": "get", - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems" + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetSecurityComplianceAnalyzerResultsAsync')]" + } }, "runAfter": { - "For_each_VONE_server_set_missing_parameters": [ + "Until_state_is_not_stopped": [ "Succeeded" ] } }, - "Parse_Updated_VONE_Settings": { - "type": "ParseJson", - "inputs": { - "content": "@body('Watchlists_-_Get_Updated_VONE_Settings')", - "schema": { - "type": "object", - "properties": { - "id": { - "type": "string" - }, - "type": { - "type": "string" - }, - "properties": { - "type": "object", - "properties": { - "watchlistItems": { - "type": "array", - "items": { - "type": "object", - "properties": { - "properties.watchlistItemType": { - "type": "string" - }, - "properties.watchlistItemId": { - "type": "string" - }, - "properties.tenantId": { - "type": "string" - }, - "properties.isDeleted": { - "type": "boolean" - }, - "properties.created": { - "type": "string" - }, - "properties.updated": { - "type": "string" - }, - "properties.createdBy": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.updatedBy": { - "type": "object", - "properties": { - 
"name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Alarms": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - } - } - }, - "properties.entityMapping": { - "type": "object" - }, - "etag": { - "type": "string" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - }, - "systemData": { - "type": "object", - "properties": { - "createdBy": { - "type": "string" - }, - "createdByType": { - "type": "string" - }, - "createdAt": { - "type": "string" - }, - "lastModifiedBy": { - "type": "string" - }, - "lastModifiedByType": { - "type": "string" - }, - "lastModifiedAt": { - "type": "string" - } - } - } - }, - "required": [ - "properties.watchlistItemType", - "properties.watchlistItemId", - "properties.tenantId", - "properties.isDeleted", - "properties.created", - "properties.updated", - "properties.createdBy", - "properties.updatedBy", - "properties.itemsKeyValue", - "properties.entityMapping", - "etag", - "id", - "name", - "type", - "systemData" - ] - } - } - } - } - } - } - }, + "Compose_output": { + "type": "Compose", + "inputs": "@body('Parse_session')", "runAfter": { - "Watchlists_-_Get_Updated_VONE_Settings": [ + "GetSecurityComplianceAnalyzerResultsAsync": [ "Succeeded" ] } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId12')]", + "contentId": "[variables('_playbookContentId12')]", + "kind": "Playbook", + "version": "[variables('playbookVersion12')]", + "source": 
{ + "kind": "Solution", + "name": "Veeam", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Veeam Software", + "email": "[variables('_email')]" + }, + "support": { + "name": "Veeam Software", + "email": "microsoftappsupport@veeam.com", + "tier": "Partner", + "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/" + } + } + } + ], + "metadata": { + "title": "Veeam-StartSecurityComplianceAnalyzer", + "description": "This Microsoft Sentinel playbook initiates and monitors Veeam Security and Compliance Analyzer sessions via HTTP trigger.", + "prerequisites": [ + "1. Microsoft Sentinel workspace configured.", + "2. Permissions to create Logic Apps and API Connections.", + "3. Permissions to assign roles to the Resource Group.", + "4. Veeam Azure Function App deployed and configured.", + "5. Hybrid Connection and Key Vault secrets configured for the VBR Server." + ], + "tags": [ + "Automation", + "Veeam", + "BestPractice", + "Analyzer", + "HTTP" + ], + "lastUpdateTime": "2025-08-25T00:00:00Z", + "parameterTemplateVersion": "1.0.0", + "postDeployment": [], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "Veeam-StartSecurityComplianceAnalyzer", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName13')]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Veeam-PerformConfigurationBackupOnIncident Playbook with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion13')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Veeam-PerformConfigurationBackupOnIncident", + "type": "string", + "metadata": { + "description": "Name of the playbook (Logic App) to be created" + } + }, + "functionAppName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Name of the Azure Function App for Veeam integration" + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Subscription ID where resources are deployed" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Resource group name where Function App is deployed" + } + }, + "AzureSentinelConnectionName": { + "type": "string", + "defaultValue": "azuresentinel-connection", + "metadata": { + "description": "The name to use for the Microsoft Sentinel Connector in the Logic App" + } + } + }, + "variables": { + "functionAppId": "[[resourceId(parameters('subscriptionId'), parameters('resourceGroupName'), 'Microsoft.Web/sites', parameters('functionAppName'))]", + "connection-1": "[[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": 
"[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[parameters('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('AzureSentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + }, + "parameterValueType": "Alternative" + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" + ], + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "Veeam-StartConfigurationBackup-Incident", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Initialize_VbrHostName": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "VbrHostName", + "type": "string" + } + ] + } }, - "For_each_VBR_server_set_missing_parameters": { - "type": "Foreach", - "foreach": "@body('Parse_VBR_Settings')?['properties']?['watchlistItems']", - 
"actions": { - "Parse_current_VBR_server": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_VBR_server_set_missing_parameters')", - "schema": { - "type": "object", + "Initialize_SessionId": { + "runAfter": { + "Initialize_VbrHostName": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "SessionId", + "type": "string" + } + ] + } + }, + "Parse_custom_fields": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('Parse_custom_fields')?['properties']?['additionalData']?['Custom Details']", + "schema": { + "type": "object", "properties": { - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Malware Events": { - "type": "string" - }, - "Collect Security and Compliance Analyzer Results": { - "type": "string" - }, - "Collect Authorization Events": { - "type": "string" - }, - "Collect Configuration Backups": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - } + "VbrHostName": { + "type": "array", + "items": { + "type": "string" } } } } } }, - "Check_If_KeyVault_IDs_Missing": { - "type": "If", - "expression": { - "or": [ - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']", - "@null" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']", - "@null" - ] - }, - { - "equals": [ - 
"@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']", - "@null" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", - "@null" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events']", - "@null" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']", - "" - ] - }, - { - "equals": [ - "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']", - "@null" - ] - } - ] - }, + "Get_VbrHostName": { + "foreach": "@outputs('Parse_JSON')?['body']?['VbrHostName']", "actions": { - "Update_Watchlist_Item_With_KeyVault_IDs": { - "type": "ApiConnection", + "Set_variable_VbrHostName": { + "type": "SetVariable", "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "put", - "body": { - "Veeam Server Name": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']", - "Base URL": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Base URL']", - "Collect Malware Events": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'], null), 
equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'])", - "Collect Security and Compliance Analyzer Results": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'])", - "Collect Authorization Events": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'])", - "Collect Configuration Backups": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'])", - "Key Vault Username ID": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], null)), 
concat(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Username'), body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID'])", - "Key Vault Password ID": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], null)), concat(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Password'), body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID'])" - }, - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItem/@{encodeURIComponent(items('For_each_VBR_server_set_missing_parameters')?['name'])}" + "name": "VbrHostName", + "value": "@items('Get_VbrHostName')" } } }, "runAfter": { - "Parse_current_VBR_server": [ + "Parse_JSON": [ "Succeeded" ] - } + }, + "type": "Foreach" } }, "runAfter": { - "Parse_VBR_Settings": [ + "Initialize_SessionId": [ "Succeeded" ] }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - } + "type": "Foreach" }, - "For_each_updated_VONE_server": { - "type": "Foreach", - "foreach": "@body('Parse_Updated_VONE_Settings')?['properties']?['watchlistItems']", + "Check_if_VbrHostName_found": { "actions": { - "Parse_current_updated_VONE_server": { + "StartConfigurationBackupAsync": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/StartConfigurationBackupAsync')]" + } + } + }, + "Parse_sessionId": { + "runAfter": { + "StartConfigurationBackupAsync": [ + "Succeeded" + ] + }, "type": "ParseJson", "inputs": { - "content": 
"@items('For_each_updated_VONE_server')", + "content": "@outputs('StartConfigurationBackupAsync')", "schema": { "type": "object", "properties": { - "properties.watchlistItemType": { - "type": "string" - }, - "properties.watchlistItemId": { - "type": "string" - }, - "properties.tenantId": { - "type": "string" - }, - "properties.isDeleted": { - "type": "boolean" - }, - "properties.created": { - "type": "string" - }, - "properties.updated": { - "type": "string" + "statusCode": { + "type": "integer" }, - "properties.createdBy": { + "headers": { "type": "object", "properties": { - "email": { + "Date": { "type": "string" }, - "name": { + "Transfer-Encoding": { "type": "string" }, - "objectId": { + "Strict-Transport-Security": { "type": "string" - } - } - }, - "properties.updatedBy": { - "type": "object", - "properties": { - "name": { + }, + "x-ms-middleware-request-id": { "type": "string" }, - "objectId": { + "Content-Type": { + "type": "string" + }, + "Content-Length": { "type": "string" } } }, - "properties.itemsKeyValue": { + "body": { "type": "object", "properties": { - "Veeam Server Name": { - "type": "string" + "sessionType": { + "type": "integer" }, - "Base URL": { + "state": { + "type": "integer" + }, + "id": { "type": "string" }, - "Collect Alarms": { + "name": { "type": "string" }, - "Key Vault Username ID": { + "jobId": { "type": "string" }, - "Key Vault Password ID": { - "type": "string" - } - } - }, - "properties.entityMapping": { - "type": "object" - }, - "etag": { - "type": "string" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - }, - "systemData": { - "type": "object", - "properties": { - "createdBy": { - "type": "string" - }, - "createdByType": { + "creationTime": { "type": "string" }, - "createdAt": { - "type": "string" - }, - "lastModifiedBy": { - "type": "string" + "progressPercent": { + "type": "integer" }, - "lastModifiedByType": { - "type": "string" + "result": { + "type": "object", + 
"properties": { + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": "boolean" + } + } }, - "lastModifiedAt": { - "type": "string" + "usn": { + "type": "integer" } } } @@ -9161,1196 +9418,3601 @@ } } }, - " Are_there_any_events_collected_from_VONE_server": { - "type": "If", - "expression": { - "and": [ - { - "equals": [ - "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", - "true" - ] - }, - { - "not": { - "equals": [ - "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']", - "ExampleServerName" - ] - } - } + "Set_SessionId": { + "runAfter": { + "Parse_sessionId": [ + "Succeeded" ] }, - "actions": { - "Set_VonePasswordId": { - "type": "SetVariable", - "inputs": { - "name": "VonePasswordId", - "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']" + "type": "SetVariable", + "inputs": { + "name": "SessionId", + "value": "@body('Parse_sessionId')?['body']?['id']" + } + }, + "Add_backup_started_comment": { + "runAfter": { + "Set_SessionId": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Set_VoneUsernameId": { - "type": "SetVariable", - "inputs": { - "name": "VoneUsernameId", - "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID']" - }, - "runAfter": { - "Set_VonePasswordId": [ - "Succeeded" - ] - } + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Configuration backup started on @{variables('VbrHostName')} with session ID: @{variables('SessionId')}
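Review bot: In the Veeam-StartSecurityComplianceAnalyzer workflow, `Parse_session` parses `@outputs('GetSession')` against a flat session schema, so the parsed object is the action envelope (status code, headers, body) and `body('Parse_session')?['state']` in the `Until_state_is_not_stopped` condition would be null on every pass; the loop then ends only at the `PT30M` limit and `Compose_output` returns the envelope rather than the session. `Parse_sessionId` in the same workflow already reads the body, and `Parse_session` should match it with `"content": "@body('GetSession')"`. Separately, in the Veeam-PerformConfigurationBackupOnIncident workflow the `Parse_custom_fields` and `Get_VbrHostName` loops set the `VbrHostName` variable without the sequential setting the removed loops had, so with several alerts the host passed to `StartConfigurationBackupAsync` depends on iteration timing. Since that value is read from alert custom details, it is worth adding `"runtimeConfiguration": { "concurrency": { "repetitions": 1 } }` to both loops and confirming that the function rejects host names it does not know. The hunk opens inside a workflow resource that starts above it, and this looks like a packaged template, so the change probably belongs in the playbook source it was built from.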
" }, - "Set_VoneServerName": { - "type": "SetVariable", + "path": "/Incidents/Comment" + } + }, + "Until_state_is_not_stopped": { + "actions": { + "GetSession": { + "type": "Function", "inputs": { - "name": "VoneServerName", - "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']" - }, - "runAfter": { - "Set_VoneUsernameId": [ - "Succeeded" - ] + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "sessionId": "@variables('SessionId')" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" + } } }, - "Extract_Host_and_Port_VONE": { - "type": "Compose", - "inputs": { - "host": "@split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')[0]", - "port": "@if(and(greater(length(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')), 1), not(equals(last(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')), ''))), int(last(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':'))), 1239)" - }, + "Parse_session": { "runAfter": { - "Set_VoneBaseUrl": [ + "GetSession": [ "Succeeded" ] - } - }, - "Setup_KeyVault_Secrets_VONE": { - "type": "Scope", - "actions": { - "Check_Username_Secret_Exists_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VoneUsernameId'), '?api-version=7.4')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - } - }, - "Create_Username_Secret_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VoneUsernameId'), '?api-version=7.4')", - "method": "PUT", + }, + "type": "ParseJson", + "inputs": { + "content": "@outputs('GetSession')", + "schema": { + "type": "object", + "properties": { + "statusCode": { + 
"type": "integer" + }, "headers": { - "Content-Type": "application/json" + "type": "object", + "properties": { + "Date": { + "type": "string" + }, + "Transfer-Encoding": { + "type": "string" + }, + "Request-Context": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Content-Length": { + "type": "string" + } + } }, "body": { - "value": "UNDEFINED", - "attributes": { - "enabled": true - }, - "tags": { - "source": "playbook", - "vbrServer": "@variables('VoneServerName')", - "type": "username" + "type": "object", + "properties": { + "sessionType": { + "type": "integer" + }, + "state": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, + "creationTime": { + "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { + "type": "object", + "properties": { + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": "boolean" + } + } + }, + "usn": { + "type": "integer" + } } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" } - }, - "runAfter": { - "Check_Username_Secret_Exists_VONE": [ - "Failed" - ] - } - }, - "Check_Password_Secret_Exists_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VonePasswordId'), '?api-version=7.4')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - } - }, - "Create_Password_Secret_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VonePasswordId'), '?api-version=7.4')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" 
- }, - "body": { - "value": "UNDEFINED", - "attributes": { - "enabled": true - }, - "tags": { - "source": "playbook", - "vbrServer": "@variables('VoneServerName')", - "type": "password", - "status": "requires_update" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - }, - "runAfter": { - "Check_Password_Secret_Exists_VONE": [ - "Failed" - ] } } - }, - "runAfter": { - "Extract_Host_and_Port_VONE": [ - "Succeeded" - ] } }, - "Setup_Hybrid_Connection_VONE": { - "type": "Scope", - "actions": { - "Check_Hybrid_Connection_Exists_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '?api-version=2024-01-01')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - } - }, - "Create_Hybrid_Connection_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "requiresClientAuthorization": true, - "userMetadata": "@concat('[{\"key\":\"endpoint\",\"value\":\"', outputs('Extract_Host_and_Port_VONE')?['host'], ':', outputs('Extract_Host_and_Port_VONE')?['port'], '\"}]')" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - 
"Check_Hybrid_Connection_Exists_VONE": [ - "Failed" - ] - } - }, - "Create_Listener_Rule_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '/authorizationRules/defaultListener?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "rights": [ - "Listen" - ] - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Create_Hybrid_Connection_VONE": [ - "Succeeded" - ] - } - }, - "Create_Sender_Rule_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '/authorizationRules/defaultSender?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "rights": [ - "Send" - ] - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Create_Listener_Rule_VONE": [ - "Succeeded" - ] - } - }, - "Get_Sender_Key_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '/authorizationRules/defaultSender/listKeys?api-version=2024-01-01')", - "method": 
"POST", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Create_Sender_Rule_VONE": [ - "Succeeded", - "Skipped" - ] - } - }, - "Check_Function_App_Binding_Exists_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VoneServerName'), '?api-version=2022-03-01')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Get_Sender_Key_VONE": [ - "Succeeded", - "Skipped" - ] - } - }, - "Bind_To_Function_App_VONE": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VoneServerName'), '?api-version=2022-03-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "hostname": "@outputs('Extract_Host_and_Port_VONE')?['host']", - "port": "@outputs('Extract_Host_and_Port_VONE')?['port']", - "relayArmUri": "@if(equals(body('Check_Hybrid_Connection_Exists_VONE')?['id'], null), body('Create_Hybrid_Connection_VONE')?['id'], body('Check_Hybrid_Connection_Exists_VONE')?['id'])", - "relayName": "@variables('VoneServerName')", - "sendKeyName": "defaultSender", - "sendKeyValue": "@body('Get_Sender_Key_VONE')?['primaryKey']", - "serviceBusNamespace": "@parameters('relayNamespaceName')", - "serviceBusSuffix": ".servicebus.windows.net" - } - }, - 
"authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Check_Function_App_Binding_Exists_VONE": [ - "Failed" - ] - } - } - }, + "Delay": { "runAfter": { - "Setup_KeyVault_Secrets_VONE": [ + "Parse_session": [ "Succeeded" ] - } - }, - "Set_VoneBaseUrl": { - "type": "SetVariable", - "inputs": { - "name": "VoneBaseUrl", - "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Base URL']" }, - "runAfter": { - "Set_VoneServerName": [ - "Succeeded" - ] + "type": "Wait", + "inputs": { + "interval": { + "count": 1, + "unit": "Minute" + } } } }, "runAfter": { - "Parse_current_updated_VONE_server": [ + "Add_backup_started_comment": [ + "Succeeded" + ] + }, + "expression": "@equals(body('Parse_session')?['body']?['state'],1)", + "limit": { + "timeout": "PT30M" + }, + "type": "Until" + }, + "IngestSessionDataBySessionIdAsync": { + "runAfter": { + "Until_state_is_not_stopped": [ "Succeeded" ] + }, + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "sessionId": "@variables('SessionId')" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/IngestSessionDataBySessionIdAsync')]" + } } - } - }, - "runAfter": { - "Parse_Updated_VONE_Settings": [ - "Succeeded" - ] - }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } - } - }, - "For_each_updated_VBR_server": { - "type": "Foreach", - "foreach": "@body('Parse_updated_VBR_Settings')?['properties']?['watchlistItems']", - "actions": { - "Are_there_any_events_collected_from_VBR_server": { - "type": "If", - "expression": { - "and": [ - { - "not": { - "equals": [ - "@item()?['properties.itemsKeyValue']?['Veeam Server Name']", - "ExampleServerName" - ] - } - }, - { - "or": [ - { - "equals": [ - "@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Malware Events']", - "true" - ] - }, - { - "equals": [ - 
"@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", - "true" - ] - }, - { - "equals": [ - "@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Authorization Events']", - "true" - ] - } - ] - } + }, + "Add_backup_completed_comment": { + "runAfter": { + "IngestSessionDataBySessionIdAsync": [ + "Succeeded", + "Failed", + "Skipped", + "TimedOut" ] }, - "actions": { - "Extract_Host_and_Port_VBR": { - "type": "Compose", - "inputs": { - "host": "@split(replace(variables('VbrBaseUrl'), 'https://', ''), ':')[0]", - "port": "@if(and(greater(length(split(replace(variables('VbrBaseUrl'), 'https://', ''), ':')), 1), not(equals(last(split(replace(variables('VbrBaseUrl'), 'https://', ''), ':')), ''))), int(last(split(replace(variables('VbrBaseUrl'), 'https://', ''), ':'))), 9419)" - }, - "runAfter": { - "Set_VbrBaseUrl": [ - "Succeeded" - ] + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "Setup_KeyVault_Secrets_VBR": { - "type": "Scope", - "actions": { - "Check_Username_Secret_Exists_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrUsernameId'), '?api-version=7.4')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - } - }, - "Create_Username_Secret_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrUsernameId'), '?api-version=7.4')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "value": "UNDEFINED", - "attributes": { - "enabled": true - }, - "tags": { - "source": "playbook", - "vbrServer": 
"@variables('VbrServerName')", - "type": "username" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - }, - "runAfter": { - "Check_Username_Secret_Exists_VBR": [ - "Failed" - ] - } - }, - "Check_Password_Secret_Exists_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrPasswordId'), '?api-version=7.4')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - } - }, - "Create_Password_Secret_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrPasswordId'), '?api-version=7.4')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "value": "UNDEFINED", - "attributes": { - "enabled": true - }, - "tags": { - "source": "playbook", - "vbrServer": "@variables('VbrServerName')", - "type": "password", - "status": "requires_update" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" - } - }, - "runAfter": { - "Check_Password_Secret_Exists_VBR": [ - "Failed" - ] - } + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Configuration backup completed on @{variables('VbrHostName')}. Final result: @{body('Parse_session')?['body']?['result']?['result']}
Session data has been ingested into the workspace.
" + }, + "path": "/Incidents/Comment" + } + } + }, + "runAfter": { + "Parse_custom_fields": [ + "Succeeded" + ] + }, + "else": { + "actions": { + "Add_no_hostname_comment": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "runAfter": { - "Extract_Host_and_Port_VBR": [ - "Succeeded" - ] - } - }, - "Setup_Hybrid_Connection_VBR": { - "type": "Scope", - "actions": { - "Check_Hybrid_Connection_Exists_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '?api-version=2024-01-01')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - } - }, - "Create_Hybrid_Connection_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "requiresClientAuthorization": true, - "userMetadata": "@concat('[{\"key\":\"endpoint\",\"value\":\"', outputs('Extract_Host_and_Port_VBR')?['host'], ':', outputs('Extract_Host_and_Port_VBR')?['port'], '\"}]')" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Check_Hybrid_Connection_Exists_VBR": [ - "Failed" - ] - } - }, - "Create_Listener_Rule_VBR": { - "type": "Http", - "inputs": { - "uri": 
"@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultListener?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "rights": [ - "Listen" - ] - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Create_Hybrid_Connection_VBR": [ - "Succeeded" - ] - } - }, - "Create_Sender_Rule_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultSender?api-version=2024-01-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "rights": [ - "Send" - ] - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Create_Listener_Rule_VBR": [ - "Succeeded" - ] - } - }, - "Get_Sender_Key_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultSender/listKeys?api-version=2024-01-01')", - "method": "POST", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - 
"Create_Sender_Rule_VBR": [ - "Succeeded" - ] - } - }, - "Check_Function_App_Binding_Exists_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VbrServerName'), '?api-version=2022-03-01')", - "method": "GET", - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Get_Sender_Key_VBR": [ - "Succeeded" - ] - } - }, - "Bind_To_Function_App_VBR": { - "type": "Http", - "inputs": { - "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VbrServerName'), '?api-version=2022-03-01')", - "method": "PUT", - "headers": { - "Content-Type": "application/json" - }, - "body": { - "properties": { - "hostname": "@outputs('Extract_Host_and_Port_VBR')?['host']", - "port": "@outputs('Extract_Host_and_Port_VBR')?['port']", - "relayArmUri": "@if(equals(body('Check_Hybrid_Connection_Exists_VBR')?['id'], null), body('Create_Hybrid_Connection_VBR')?['id'], body('Check_Hybrid_Connection_Exists_VBR')?['id'])", - "relayName": "@variables('VbrServerName')", - "sendKeyName": "defaultSender", - "sendKeyValue": "@body('Get_Sender_Key_VBR')?['primaryKey']", - "serviceBusNamespace": "@parameters('relayNamespaceName')", - "serviceBusSuffix": ".servicebus.windows.net" - } - }, - "authentication": { - "type": "ManagedServiceIdentity", - "audience": "@parameters('azureManagementDomain')" - } - }, - "runAfter": { - "Check_Function_App_Binding_Exists_VBR": [ - "Failed" - ] - } - 
} - }, - "runAfter": { - "Setup_KeyVault_Secrets_VBR": [ - "Succeeded" - ] - } - }, - "Set_VbrPasswordId": { - "type": "SetVariable", - "inputs": { - "name": "VbrPasswordId", - "value": "@item()?['properties.itemsKeyValue']?['Key Vault Password ID']" - } - }, - "Set_VbrUsernameId": { - "type": "SetVariable", - "inputs": { - "name": "VbrUsernameId", - "value": "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']" - }, - "runAfter": { - "Set_VbrPasswordId": [ - "Succeeded" - ] - } - }, - "Set_VbrServerName": { - "type": "SetVariable", - "inputs": { - "name": "VbrServerName", - "value": "@item()?['properties.itemsKeyValue']?['Veeam Server Name']" - }, - "runAfter": { - "Set_VbrUsernameId": [ - "Succeeded" - ] - } - }, - "Set_VbrBaseUrl": { - "type": "SetVariable", - "inputs": { - "name": "VbrBaseUrl", - "value": "@item()?['properties.itemsKeyValue']?['Base URL']" + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Warning: No VbrHostName found in incident custom fields. Configuration backup cannot be started.
Please ensure the incident contains a 'VbrHostName' custom field with the target Veeam server hostname.
" }, - "runAfter": { - "Set_VbrServerName": [ - "Succeeded" - ] - } - } - }, - "runAfter": { - "Parse_current_updated_VBR_Server": [ - "Succeeded" - ] - } - }, - "Parse_current_updated_VBR_Server": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_updated_VBR_server')", - "schema": { - "type": "object", - "properties": { - "properties.watchlistItemType": { - "type": "string" - }, - "properties.watchlistItemId": { - "type": "string" - }, - "properties.tenantId": { - "type": "string" - }, - "properties.isDeleted": { - "type": "boolean" - }, - "properties.created": { - "type": "string" - }, - "properties.updated": { - "type": "string" - }, - "properties.createdBy": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.updatedBy": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Malware Events": { - "type": "string" - }, - "Collect Security and Compliance Analyzer Results": { - "type": "string" - }, - "Collect Authorization Events": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - } - } - }, - "properties.entityMapping": { - "type": "object" - }, - "etag": { - "type": "string" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - }, - "systemData": { - "type": "object", - "properties": { - "createdBy": { - "type": "string" - }, - "createdByType": { - "type": "string" - }, - "createdAt": { - "type": "string" - }, - "lastModifiedBy": { - "type": "string" - }, - "lastModifiedByType": { - "type": "string" - }, - "lastModifiedAt": { - "type": "string" - } - } - } 
- } + "path": "/Incidents/Comment" } } } }, - "runAfter": { - "Parse_updated_VBR_Settings": [ - "Succeeded" - ] - }, - "runtimeConfiguration": { - "concurrency": { - "repetitions": 1 - } + "expression": { + "and": [ + { + "not": { + "equals": [ + "@variables('VbrHostName')", + "" + ] + } + } + ] + }, + "type": "If" + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[parameters('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", + "id": "[[concat('/subscriptions/', parameters('subscriptionId'), '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } } - }, - "Watchlists_-_Get_Updated_VBR_Settings": { - "type": "ApiConnection", + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId13')]", + "contentId": "[variables('_playbookContentId13')]", + "kind": "Playbook", + "version": "[variables('playbookVersion13')]", + "source": { + "kind": "Solution", + "name": "Veeam", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Veeam Software", + "email": "[variables('_email')]" + }, + "support": { + "name": "Veeam Software", + "email": "microsoftappsupport@veeam.com", + "tier": "Partner", + "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/" + } + } + } + ], + "metadata": { + "title": "Veeam-PerformConfigurationBackupOnIncident", + "description": "A Microsoft Sentinel playbook that automatically runs configuration backup session when triggered by an incident. 
The playbook gets Veeam Backup & Replication settings from incident custom fields, runs the configuration backup session, and collects the session result.", + "prerequisites": [ + "1. Microsoft Sentinel workspace configured.", + "2. Permissions to create Logic Apps and API Connections.", + "3. Permissions to assign roles to the Resource Group.", + "4. Veeam Azure Function App deployed and configured.", + "5. Hybrid Connection and Key Vault secrets configured for each VBR Server." + ], + "tags": [ + "Automation", + "Veeam", + "Configuration", + "Backup", + "Incident" + ], + "lastUpdateTime": "2025-08-25T00:00:00Z", + "parameterTemplateVersion": "1.0.0", + "postDeployment": [ + "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace." + ], + "_generator": { + "name": "bicep", + "version": "0.36.177.2456", + "templateHash": "8701067040678761767" + }, + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "Veeam-PerformConfigurationBackupOnIncident", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName14')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', 
variables('_solutionId'))]" + ], + "properties": { + "description": "Veeam-StartQuickBackup Playbook with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + "PlaybookName": { + "defaultValue": "Veeam-StartQuickBackup", + "type": "string", + "metadata": { + "description": "Name of the playbook (Logic App) to be created" + } + }, + "functionAppName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Name of the Azure Function App for Veeam integration" + } + }, + "AzureSentinelConnectionName": { + "type": "string", + "defaultValue": "azuresentinel-connection", + "metadata": { + "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)" + } + } + }, + "variables": { + "functionAppId": "[[resourceId('Microsoft.Web/sites', parameters('functionAppName'))]", + "connection-1": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[parameters('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('AzureSentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + }, + "parameterValueType": "Alternative" + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + 
"name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "Veeam-StartQuickBackup", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.1", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", "inputs": { "host": { "connection": { "name": "@parameters('$connections')['azuresentinel']['connectionId']" } }, - "method": "get", - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems" - }, + "body": { + "callback_url": "@listCallbackUrl()" + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Initialize_VbrHostName": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "VbrHostName", + "type": "string", + "value": "none" + } + ] + } + }, + "Initialize_BackupObjectId": { "runAfter": { - "For_each_VBR_server_set_missing_parameters": [ + "Initialize_VbrHostName": [ "Succeeded" ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "BackupObjectId", + "type": "string", + "value": "none" + } + ] } }, - "Parse_updated_VBR_Settings": { - "type": "ParseJson", - "inputs": { - "content": "@body('Watchlists_-_Get_Updated_VBR_Settings')", - "schema": { - "type": "object", - "properties": 
{ - "properties": { + "Get_variables_from_custom_fields": { + "foreach": "@triggerBody()?['object']?['properties']?['Alerts']", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@item()?['properties']?['additionalData']?['Custom Details']", + "schema": { "type": "object", "properties": { - "watchlistItems": { + "VbrHostName": { "type": "array", "items": { - "type": "object", - "properties": { - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Malware Events": { - "type": "string" - }, - "Collect Security and Compliance Analyzer Results": { - "type": "string" - }, - "Collect Authorization Events": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - } - } - } - }, - "required": [ - "properties.itemsKeyValue" - ] + "type": "string" + } + }, + "MachineDisplayName": { + "type": "array", + "items": { + "type": "string" + } + }, + "MachineUuid": { + "type": "array", + "items": { + "type": "string" + } + }, + "BackupObjectId": { + "type": "array", + "items": { + "type": "string" } } } } } + }, + "Get_VbrHostName": { + "foreach": "@body('Parse_JSON')?['VbrHostName']", + "actions": { + "Set_variable": { + "type": "SetVariable", + "inputs": { + "name": "VbrHostName", + "value": "@{items('Get_VbrHostName')}" + } + } + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_BackupObjectId": { + "foreach": "@body('Parse_JSON')?['BackupObjectId']", + "actions": { + "Set_BackupObjectId": { + "type": "SetVariable", + "inputs": { + "name": "BackupObjectId", + "value": "@items('Get_BackupObjectId')" + } + } + }, + "runAfter": { + "Get_VbrHostName": [ + "Succeeded" + ] + }, + "type": "Foreach" } }, "runAfter": { - "Watchlists_-_Get_Updated_VBR_Settings": [ + "Initialize_BackupObjectId": [ + "Succeeded" + ] + }, + "type": 
"Foreach" + }, + "GetBackupObjectByIdAsync": { + "runAfter": { + "Get_variables_from_custom_fields": [ "Succeeded" ] + }, + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "backupObjectId": "@variables('BackupObjectId')" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetBackupObjectByIdAsync')]" + } } }, - "Parse_VONE_Settings": { + "Parse_properties": { + "runAfter": { + "GetBackupObjectByIdAsync": [ + "Succeeded" + ] + }, "type": "ParseJson", "inputs": { - "content": "@body('Watchlists_-_Get_VONE_Settings_')", + "content": "@body('GetBackupObjectByIdAsync')", "schema": { "type": "object", "properties": { - "id": { + "ViType": { "type": "string" }, - "type": { + "VmHostName": { "type": "string" }, - "properties": { - "type": "object", - "properties": { - "watchlistItems": { - "type": "array", - "items": { - "type": "object", - "properties": { - "properties.watchlistItemType": { - "type": "string" - }, - "properties.watchlistItemId": { - "type": "string" - }, - "properties.tenantId": { - "type": "string" - }, - "properties.isDeleted": { - "type": "boolean" - }, - "properties.created": { - "type": "string" - }, - "properties.updated": { - "type": "string" - }, - "properties.createdBy": { - "type": "object", - "properties": { - "email": { - "type": "string" - }, - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.updatedBy": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "objectId": { - "type": "string" - } - } - }, - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Alarms": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - } - } - }, - "properties.entityMapping": { - "type": "object" - }, - "etag": { - "type": 
"string" - }, - "id": { - "type": "string" - }, - "name": { - "type": "string" - }, - "type": { - "type": "string" - }, - "systemData": { - "type": "object", - "properties": { - "createdBy": { - "type": "string" - }, - "createdByType": { - "type": "string" - }, - "createdAt": { - "type": "string" - }, - "lastModifiedBy": { - "type": "string" - }, - "lastModifiedByType": { - "type": "string" - }, - "lastModifiedAt": { - "type": "string" - } - } - } - }, - "required": [ - "properties.watchlistItemType", - "properties.watchlistItemId", - "properties.tenantId", - "properties.isDeleted", - "properties.created", - "properties.updated", - "properties.createdBy", - "properties.updatedBy", - "properties.itemsKeyValue", - "properties.entityMapping", - "etag", - "id", - "name", - "type", - "systemData" - ] - } - } - } + "VmName": { + "type": "string" + }, + "ObjectId": { + "type": "string" } } } - }, - "runAfter": { - "Watchlists_-_Get_VONE_Settings_": [ - "Succeeded" - ] } }, - "Watchlists_-_Get_VONE_Settings_": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "get", - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems" - }, + "StartQuickBackupJobAsync": { "runAfter": { - "Initialize_Variables": [ + "Parse_properties": [ "Succeeded" ] + }, + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "ViType": "@body('Parse_properties')?['ViType']", + "VmHostName": "@body('Parse_properties')?['VmHostName']", + "VmName": "@body('Parse_properties')?['VmName']", + "ObjectId": "@body('Parse_properties')?['ObjectId']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), 
'/functions/StartQuickBackupJobAsync')]" + } } }, - "Watchlists_-_Get_VBR_Settings": { - "type": "ApiConnection", - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "Check_StartQuickBackup_Result": { + "runAfter": { + "StartQuickBackupJobAsync": [ + "Succeeded", + "Failed" + ] + }, + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@outputs('StartQuickBackupJobAsync')?['statusCode']", + 200 + ] } - }, - "method": "get", - "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems" + ] + }, + "actions": { + "Indicate_starting_with_comment": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Quick backup for @{variables('VbrHostName')} has started.
" + }, + "path": "/Incidents/Comment" + } + } }, + "else": { + "actions": { + "Indicate_failure_with_comment": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Quick backup for @{variables('VbrHostName')} has failed to start.
" + }, + "path": "/Incidents/Comment" + } + } + } + } + }, + "Parse_session_ID": { "runAfter": { - "Initialize_Variables": [ + "Check_StartQuickBackup_Result": [ "Succeeded" ] - } - }, - "Parse_VBR_Settings": { + }, "type": "ParseJson", "inputs": { - "content": "@body('Watchlists_-_Get_VBR_Settings')", + "content": "@body('StartQuickBackupJobAsync')", "schema": { "type": "object", "properties": { - "properties": { + "sessionType": { + "type": "integer" + }, + "state": { + "type": "integer" + }, + "platformName": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, + "creationTime": { + "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { "type": "object", "properties": { - "watchlistItems": { - "type": "array", - "items": { - "type": "object", - "properties": { - "properties.itemsKeyValue": { - "type": "object", - "properties": { - "Veeam Server Name": { - "type": "string" - }, - "Base URL": { - "type": "string" - }, - "Collect Malware Events": { - "type": "string" - }, - "Collect Security and Compliance Analyzer Results": { - "type": "string" - }, - "Collect Authorization Events": { - "type": "string" - }, - "Key Vault Password ID": { - "type": "string" - }, - "Key Vault Username ID": { - "type": "string" - } - } - } - }, - "required": [ - "properties.itemsKeyValue" - ] - } + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": "boolean" } } + }, + "usn": { + "type": "integer" + }, + "platformId": { + "type": "string" } } } - }, - "runAfter": { - "Watchlists_-_Get_VBR_Settings": [ - "Succeeded" - ] } - } - } - }, - "parameters": { - "$connections": { - "value": { - "azuresentinel": { - "connectionName": "[[parameters('AzureSentinelConnectionName')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", - "id": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", - "connectionProperties": { - "authentication": { - "type": "ManagedServiceIdentity" + }, + "Until_state_is_not_Stopped": { + "actions": { + "GetSession_": { + "type": "Function", + "inputs": { + "queries": { + "vbrHostName": "@variables('VbrHostName')", + "sessionId": "@body('Parse_session_ID')?['id']" + }, + "function": { + "id": "[[concat(variables('functionAppId'), '/functions/GetSessionAsync')]" + } } - } - } - } + }, + "Parse_session": { + "runAfter": { + "GetSession_": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@body('GetSession_')", + "schema": { + "type": "object", + "properties": { + "sessionType": { + "type": "integer" + }, + "state": { + "type": "integer" + }, + "platformName": { + "type": "integer" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "jobId": { + "type": "string" + }, + "creationTime": { + "type": "string" + }, + "progressPercent": { + "type": "integer" + }, + "result": { + "type": "object", + "properties": { + "result": { + "type": "integer" + }, + "message": { + "type": "string" + }, + "isCanceled": { + "type": "boolean" + } + } + }, + "usn": { + "type": "integer" + }, + "platformId": { + "type": "string" + } + } + } + } + }, + "Delay": { + "runAfter": { + "Parse_session": [ + "Succeeded" + ] + }, + "type": "Wait", + "inputs": { + "interval": { + "count": 3, + "unit": "Minute" + } + } + } + }, + "runAfter": { + "Parse_session_ID": [ + "Succeeded" + ] + }, + "expression": "@equals(body('Parse_session')?['state'],1)", + "limit": { + "timeout": "PT3H" + }, + "type": "Until" + }, + "Result": { + "runAfter": { + "Until_state_is_not_Stopped": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": "@body('Parse_session')?['result']" + }, + "Show_result_as_a_comment": { + "runAfter": { + "Result": [ + "Succeeded" + ] + }, + "type": 
"ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "Quick backup has finished. Details: @{outputs('Result')}.
" + }, + "path": "/Incidents/Comment" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[parameters('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", + "id": "[[concat('/subscriptions/',subscription().subscriptionId, '/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId14')]", + "contentId": "[variables('_playbookContentId14')]", + "kind": "Playbook", + "version": "[variables('playbookVersion14')]", + "source": { + "kind": "Solution", + "name": "Veeam", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Veeam Software", + "email": "[variables('_email')]" + }, + "support": { + "name": "Veeam Software", + "email": "microsoftappsupport@veeam.com", + "tier": "Partner", + "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/" + } + } + } + ], + "metadata": { + "title": "Veeam-StartQuickBackup", + "description": "A Microsoft Sentinel playbook with an incident trigger, that performs quick backup support for affected backupObject (specifided by the BackupObjectId incidents custom field) when triggered by Microsoft Sentinel incidents. Indicates results as incident comments.", + "prerequisites": [ + "1. Microsoft Sentinel workspace configured.", + "2. Permissions to create Logic Apps and API Connections.", + "3. Permissions to assign roles to the Resource Group.", + "4. 
Veeam Azure Function App deployed and configured.", + "5. Hybrid Connection and Key Vault secrets configured for each VBR Server." + ], + "tags": [ + "Automation", + "Veeam", + "QuickBackup", + "Support", + "IncidentResponse" + ], + "lastUpdateTime": "2025-08-25T00:00:00Z", + "parameterTemplateVersion": "1.0.1", + "postDeployment": [ + "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace." + ], + "_generator": { + "name": "bicep", + "version": "0.36.177.2456", + "templateHash": "8701067040678761767" + }, + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "Veeam-StartQuickBackup", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": "[variables('playbookVersion14')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName15')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Veeam-SetupConnections Playbook with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion15')]", + "parameters": { + "PlaybookName": { + "type": "string", + 
"defaultValue": "Veeam-SetupConnections", + "metadata": { + "description": "Name of the playbook (Logic App) to be created" + } + }, + "functionAppName": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Name of the Azure Function App for Veeam integration" + } + }, + "keyVaultName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Name of the Azure Key Vault" + } + }, + "relayNamespaceName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Name of the Azure Relay namespace" + } + }, + "workspaceId": { + "defaultValue": "", + "type": "string", + "metadata": { + "description": "Workspace ID (GUID) of the Log Analytics workspace that contains Microsoft Sentinel" + } + }, + "AzureSentinelConnectionName": { + "type": "string", + "defaultValue": "azuresentinel-connection", + "metadata": { + "description": "The name to use for the Microsoft Sentinel Connector in the Logic App (This will exist as an API Connection in your subscription)" + } + }, + "subscriptionId": { + "type": "string", + "defaultValue": "[subscription().subscriptionId]", + "metadata": { + "description": "Azure subscription ID" + } + }, + "resourceGroupName": { + "type": "string", + "defaultValue": "[resourceGroup().name]", + "metadata": { + "description": "Name of the resource group containing the Logic Apps to be updated" + } + }, + "keyVaultDomain": { + "type": "string", + "defaultValue": "[environment().suffixes.keyVaultDns]", + "metadata": { + "description": "The domain suffix for Azure Key Vault (dynamically assigned based on Azure environment)" + } + }, + "azureManagementDomain": { + "type": "string", + "defaultValue": "[environment().resourceManager]", + "metadata": { + "description": "The Azure Management API endpoint (dynamically assigned based on Azure environment)" + } + } + }, + "variables": { + "newRecurrenceInterval": "12", + "newRecurrenceFrequency": "Hour", + "connection-1": "[[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "_connection-1": "[[variables('connection-1')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[parameters('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "displayName": "[[parameters('AzureSentinelConnectionName')]", + "api": { + "id": "[[variables('_connection-1')]" + }, + "parameterValueType": "Alternative" + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "Veeam-SetupConnectionsPlaybook", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "subscriptionId": { + "type": "String", + "defaultValue": "[[parameters('subscriptionId')]" + }, + "resourceGroupName": { + "type": "String", + "defaultValue": "[[parameters('resourceGroupName')]" + }, + "keyVaultName": { + "type": "String", + "defaultValue": "[[parameters('keyVaultName')]" + }, + "relayNamespaceName": { + "type": "String", + "defaultValue": 
"[[parameters('relayNamespaceName')]" + }, + "functionAppName": { + "type": "String", + "defaultValue": "[[parameters('functionAppName')]" + }, + "workspaceId": { + "type": "String", + "defaultValue": "[[parameters('workspaceId')]" + }, + "keyVaultDomain": { + "type": "String", + "defaultValue": "[[parameters('keyVaultDomain')]" + }, + "azureManagementDomain": { + "type": "String", + "defaultValue": "[[parameters('azureManagementDomain')]" + } + }, + "triggers": { + "manual": { + "type": "Request", + "kind": "Http", + "inputs": { + "schema": { + "type": "object", + "properties": { + "recurrenceInterval": { + "default": "[[variables('newRecurrenceInterval')]" + }, + "recurrenceFrequency": { + "default": "[[variables('newRecurrenceFrequency')]" + } + } + } + } + } + }, + "actions": { + "Initialize_Variables": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "VbrUsernameId", + "type": "string" + }, + { + "name": "VbrPasswordId", + "type": "string" + }, + { + "name": "VbrServerName", + "type": "string", + "value": "[variables('blanks')]" + }, + { + "name": "VbrBaseUrl", + "type": "string", + "value": "[variables('blanks')]" + }, + { + "name": "VoneUsernameId", + "type": "string" + }, + { + "name": "VonePasswordId", + "type": "string" + }, + { + "name": "VoneServerName", + "type": "string", + "value": "[variables('blanks')]" + }, + { + "name": "VoneBaseUrl", + "type": "string", + "value": "[variables('blanks')]" + } + ] + } + }, + "For_each_VONE_server_set_missing_parameters": { + "type": "Foreach", + "foreach": "@body('Parse_VONE_Settings')?['properties']?['watchlistItems']", + "actions": { + "If_any_value_in_watchlist_is_missing": { + "type": "If", + "expression": { + "or": [ + { + "equals": [ + "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", + "" + ] + }, + { + "equals": [ + 
"@item()?['properties.itemsKeyValue']?['Key Vault Password ID']", + "" + ] + }, + { + "equals": [ + "@item()?['properties.itemsKeyValue']?['Key Vault Password ID']", + "@null" + ] + }, + { + "equals": [ + "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']", + "" + ] + }, + { + "equals": [ + "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']", + "@null" + ] + } + ] + }, + "actions": { + "Update_Watchlist_Item_With_KeyVault_IDs_VONE": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "Veeam Server Name": "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']", + "Base URL": "@body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Base URL']", + "Collect Alarms": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms'], '')\r\n ),\r\n 'true', \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']\r\n)", + "Key Vault Password ID": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], '')\r\n ),\r\n concat(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Password'), \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']\r\n)", + "Key Vault Username ID": "@if(\r\n or(\r\n empty(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault 
Username ID']), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], null), \r\n equals(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], '')\r\n ),\r\n concat(body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Username'), \r\n body('Parse_current_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID']\r\n)" + }, + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItem/@{encodeURIComponent(items('For_each_VONE_server_set_missing_parameters')?['name'])}" + } + } + }, + "runAfter": { + "Parse_current_VONE_server": [ + "Succeeded" + ] + } + }, + "Parse_current_VONE_server": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_VONE_server_set_missing_parameters')", + "schema": { + "type": "object", + "properties": { + "properties.watchlistItemType": { + "type": "string" + }, + "properties.watchlistItemId": { + "type": "string" + }, + "properties.tenantId": { + "type": "string" + }, + "properties.isDeleted": { + "type": "boolean" + }, + "properties.created": { + "type": "string" + }, + "properties.updated": { + "type": "string" + }, + "properties.createdBy": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.updatedBy": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Alarms": { + "type": "string" + }, + "Key Vault Username ID": { + 
"type": "string" + }, + "Key Vault Password ID": { + "type": "string" + } + } + }, + "properties.entityMapping": { + "type": "object" + }, + "etag": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "systemData": { + "type": "object", + "properties": { + "createdBy": { + "type": "string" + }, + "createdByType": { + "type": "string" + }, + "createdAt": { + "type": "string" + }, + "lastModifiedBy": { + "type": "string" + }, + "lastModifiedByType": { + "type": "string" + }, + "lastModifiedAt": { + "type": "string" + } + } + } + } + } + } + } + }, + "runAfter": { + "Parse_VONE_Settings": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Watchlists_-_Get_Updated_VONE_Settings": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems" + }, + "runAfter": { + "For_each_VONE_server_set_missing_parameters": [ + "Succeeded" + ] + } + }, + "Parse_Updated_VONE_Settings": { + "type": "ParseJson", + "inputs": { + "content": "@body('Watchlists_-_Get_Updated_VONE_Settings')", + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "type": { + "type": "string" + }, + "properties": { + "type": "object", + "properties": { + "watchlistItems": { + "type": "array", + "items": { + "type": "object", + "properties": { + "properties.watchlistItemType": { + "type": "string" + }, + "properties.watchlistItemId": { + "type": "string" + }, + "properties.tenantId": { + "type": "string" + }, + "properties.isDeleted": { + "type": 
"boolean" + }, + "properties.created": { + "type": "string" + }, + "properties.updated": { + "type": "string" + }, + "properties.createdBy": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.updatedBy": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Alarms": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + } + } + }, + "properties.entityMapping": { + "type": "object" + }, + "etag": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "systemData": { + "type": "object", + "properties": { + "createdBy": { + "type": "string" + }, + "createdByType": { + "type": "string" + }, + "createdAt": { + "type": "string" + }, + "lastModifiedBy": { + "type": "string" + }, + "lastModifiedByType": { + "type": "string" + }, + "lastModifiedAt": { + "type": "string" + } + } + } + }, + "required": [ + "properties.watchlistItemType", + "properties.watchlistItemId", + "properties.tenantId", + "properties.isDeleted", + "properties.created", + "properties.updated", + "properties.createdBy", + "properties.updatedBy", + "properties.itemsKeyValue", + "properties.entityMapping", + "etag", + "id", + "name", + "type", + "systemData" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Watchlists_-_Get_Updated_VONE_Settings": [ + "Succeeded" + ] + } + }, + "For_each_VBR_server_set_missing_parameters": { + "type": "Foreach", + "foreach": "@body('Parse_VBR_Settings')?['properties']?['watchlistItems']", + "actions": { + "Parse_current_VBR_server": { + "type": "ParseJson", + 
"inputs": { + "content": "@items('For_each_VBR_server_set_missing_parameters')", + "schema": { + "type": "object", + "properties": { + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Malware Events": { + "type": "string" + }, + "Collect Security and Compliance Analyzer Results": { + "type": "string" + }, + "Collect Authorization Events": { + "type": "string" + }, + "Collect Configuration Backups": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + } + } + } + } + } + } + }, + "Check_If_KeyVault_IDs_Missing": { + "type": "If", + "expression": { + "or": [ + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']", + "" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']", + "" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']", + "" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", + "" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events']", + "" + ] + }, + { + "equals": [ + 
"@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events']", + "@null" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']", + "" + ] + }, + { + "equals": [ + "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']", + "@null" + ] + } + ] + }, + "actions": { + "Update_Watchlist_Item_With_KeyVault_IDs": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "body": { + "Veeam Server Name": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name']", + "Base URL": "@body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Base URL']", + "Collect Malware Events": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Malware Events'])", + "Collect Security and Compliance Analyzer Results": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results'])", + "Collect Authorization Events": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization 
Events']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Authorization Events'])", + "Collect Configuration Backups": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'], null), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'], '')), 'true', body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Collect Configuration Backups'])", + "Key Vault Username ID": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID'], null)), concat(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Username'), body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Username ID'])", + "Key Vault Password ID": "@if(or(empty(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID']), equals(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID'], null)), concat(body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Veeam Server Name'], 'Password'), body('Parse_current_VBR_server')?['properties.itemsKeyValue']?['Key Vault Password ID'])" + }, + "path": 
"/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItem/@{encodeURIComponent(items('For_each_VBR_server_set_missing_parameters')?['name'])}" + } + } + }, + "runAfter": { + "Parse_current_VBR_server": [ + "Succeeded" + ] + } + } + }, + "runAfter": { + "Parse_VBR_Settings": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_each_updated_VONE_server": { + "type": "Foreach", + "foreach": "@body('Parse_Updated_VONE_Settings')?['properties']?['watchlistItems']", + "actions": { + "Parse_current_updated_VONE_server": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_updated_VONE_server')", + "schema": { + "type": "object", + "properties": { + "properties.watchlistItemType": { + "type": "string" + }, + "properties.watchlistItemId": { + "type": "string" + }, + "properties.tenantId": { + "type": "string" + }, + "properties.isDeleted": { + "type": "boolean" + }, + "properties.created": { + "type": "string" + }, + "properties.updated": { + "type": "string" + }, + "properties.createdBy": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.updatedBy": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Alarms": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + } + } + }, + "properties.entityMapping": { + "type": "object" + }, + "etag": { + "type": 
"string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "systemData": { + "type": "object", + "properties": { + "createdBy": { + "type": "string" + }, + "createdByType": { + "type": "string" + }, + "createdAt": { + "type": "string" + }, + "lastModifiedBy": { + "type": "string" + }, + "lastModifiedByType": { + "type": "string" + }, + "lastModifiedAt": { + "type": "string" + } + } + } + } + } + } + }, + " Are_there_any_events_collected_from_VONE_server": { + "type": "If", + "expression": { + "and": [ + { + "equals": [ + "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Collect Alarms']", + "true" + ] + }, + { + "not": { + "equals": [ + "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']", + "ExampleServerName" + ] + } + } + ] + }, + "actions": { + "Set_VonePasswordId": { + "type": "SetVariable", + "inputs": { + "name": "VonePasswordId", + "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Key Vault Password ID']" + } + }, + "Set_VoneUsernameId": { + "type": "SetVariable", + "inputs": { + "name": "VoneUsernameId", + "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Key Vault Username ID']" + }, + "runAfter": { + "Set_VonePasswordId": [ + "Succeeded" + ] + } + }, + "Set_VoneServerName": { + "type": "SetVariable", + "inputs": { + "name": "VoneServerName", + "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Veeam Server Name']" + }, + "runAfter": { + "Set_VoneUsernameId": [ + "Succeeded" + ] + } + }, + "Extract_Host_and_Port_VONE": { + "type": "Compose", + "inputs": { + "host": "@split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')[0]", + "port": "@if(and(greater(length(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')), 1), not(equals(last(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':')), ''))), 
int(last(split(replace(variables('VoneBaseUrl'), 'https://', ''), ':'))), 1239)" + }, + "runAfter": { + "Set_VoneBaseUrl": [ + "Succeeded" + ] + } + }, + "Setup_KeyVault_Secrets_VONE": { + "type": "Scope", + "actions": { + "Check_Username_Secret_Exists_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VoneUsernameId'), '?api-version=7.4')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + } + }, + "Create_Username_Secret_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VoneUsernameId'), '?api-version=7.4')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "value": "UNDEFINED", + "attributes": { + "enabled": true + }, + "tags": { + "source": "playbook", + "vbrServer": "@variables('VoneServerName')", + "type": "username" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + }, + "runAfter": { + "Check_Username_Secret_Exists_VONE": [ + "Failed" + ] + } + }, + "Check_Password_Secret_Exists_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VonePasswordId'), '?api-version=7.4')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + } + }, + "Create_Password_Secret_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VonePasswordId'), '?api-version=7.4')", + "method": 
"PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "value": "UNDEFINED", + "attributes": { + "enabled": true + }, + "tags": { + "source": "playbook", + "vbrServer": "@variables('VoneServerName')", + "type": "password", + "status": "requires_update" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + }, + "runAfter": { + "Check_Password_Secret_Exists_VONE": [ + "Failed" + ] + } + } + }, + "runAfter": { + "Extract_Host_and_Port_VONE": [ + "Succeeded" + ] + } + }, + "Setup_Hybrid_Connection_VONE": { + "type": "Scope", + "actions": { + "Check_Hybrid_Connection_Exists_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '?api-version=2024-01-01')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + } + }, + "Create_Hybrid_Connection_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "requiresClientAuthorization": true, + "userMetadata": "@concat('[{\"key\":\"endpoint\",\"value\":\"', outputs('Extract_Host_and_Port_VONE')?['host'], ':', outputs('Extract_Host_and_Port_VONE')?['port'], '\"}]')" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": 
"@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Check_Hybrid_Connection_Exists_VONE": [ + "Failed" + ] + } + }, + "Create_Listener_Rule_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '/authorizationRules/defaultListener?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "rights": [ + "Listen" + ] + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Hybrid_Connection_VONE": [ + "Succeeded" + ] + } + }, + "Create_Sender_Rule_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), '/authorizationRules/defaultSender?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "rights": [ + "Send" + ] + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Listener_Rule_VONE": [ + "Succeeded" + ] + } + }, + "Get_Sender_Key_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VoneServerName'), 
'/authorizationRules/defaultSender/listKeys?api-version=2024-01-01')", + "method": "POST", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Sender_Rule_VONE": [ + "Succeeded", + "Skipped" + ] + } + }, + "Check_Function_App_Binding_Exists_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VoneServerName'), '?api-version=2022-03-01')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Get_Sender_Key_VONE": [ + "Succeeded", + "Skipped" + ] + } + }, + "Bind_To_Function_App_VONE": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VoneServerName'), '?api-version=2022-03-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "hostname": "@outputs('Extract_Host_and_Port_VONE')?['host']", + "port": "@outputs('Extract_Host_and_Port_VONE')?['port']", + "relayArmUri": "@if(equals(body('Check_Hybrid_Connection_Exists_VONE')?['id'], null), body('Create_Hybrid_Connection_VONE')?['id'], body('Check_Hybrid_Connection_Exists_VONE')?['id'])", + "relayName": "@variables('VoneServerName')", + "sendKeyName": "defaultSender", + "sendKeyValue": "@body('Get_Sender_Key_VONE')?['primaryKey']", + "serviceBusNamespace": 
"@parameters('relayNamespaceName')", + "serviceBusSuffix": ".servicebus.windows.net" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Check_Function_App_Binding_Exists_VONE": [ + "Failed" + ] + } + } + }, + "runAfter": { + "Setup_KeyVault_Secrets_VONE": [ + "Succeeded" + ] + } + }, + "Set_VoneBaseUrl": { + "type": "SetVariable", + "inputs": { + "name": "VoneBaseUrl", + "value": "@body('Parse_current_updated_VONE_server')?['properties.itemsKeyValue']?['Base URL']" + }, + "runAfter": { + "Set_VoneServerName": [ + "Succeeded" + ] + } + } + }, + "runAfter": { + "Parse_current_updated_VONE_server": [ + "Succeeded" + ] + } + } + }, + "runAfter": { + "Parse_Updated_VONE_Settings": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "For_each_updated_VBR_server": { + "type": "Foreach", + "foreach": "@body('Parse_updated_VBR_Settings')?['properties']?['watchlistItems']", + "actions": { + "Are_there_any_events_collected_from_VBR_server": { + "type": "If", + "expression": { + "and": [ + { + "not": { + "equals": [ + "@item()?['properties.itemsKeyValue']?['Veeam Server Name']", + "ExampleServerName" + ] + } + }, + { + "or": [ + { + "equals": [ + "@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Malware Events']", + "true" + ] + }, + { + "equals": [ + "@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Security and Compliance Analyzer Results']", + "true" + ] + }, + { + "equals": [ + "@body('Parse_current_updated_VBR_Server')?['properties.itemsKeyValue']?['Collect Authorization Events']", + "true" + ] + } + ] + } + ] + }, + "actions": { + "Extract_Host_and_Port_VBR": { + "type": "Compose", + "inputs": { + "host": "@split(replace(variables('VbrBaseUrl'), 'https://', ''), ':')[0]", + "port": "@if(and(greater(length(split(replace(variables('VbrBaseUrl'), 'https://', ''), 
':')), 1), not(equals(last(split(replace(variables('VbrBaseUrl'), 'https://', ''), ':')), ''))), int(last(split(replace(variables('VbrBaseUrl'), 'https://', ''), ':'))), 9419)" + }, + "runAfter": { + "Set_VbrBaseUrl": [ + "Succeeded" + ] + } + }, + "Setup_KeyVault_Secrets_VBR": { + "type": "Scope", + "actions": { + "Check_Username_Secret_Exists_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrUsernameId'), '?api-version=7.4')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + } + }, + "Create_Username_Secret_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrUsernameId'), '?api-version=7.4')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "value": "UNDEFINED", + "attributes": { + "enabled": true + }, + "tags": { + "source": "playbook", + "vbrServer": "@variables('VbrServerName')", + "type": "username" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + }, + "runAfter": { + "Check_Username_Secret_Exists_VBR": [ + "Failed" + ] + } + }, + "Check_Password_Secret_Exists_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'), '/secrets/', variables('VbrPasswordId'), '?api-version=7.4')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + } + }, + "Create_Password_Secret_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat('https://', parameters('keyVaultName'), 
parameters('keyVaultDomain'), '/secrets/', variables('VbrPasswordId'), '?api-version=7.4')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "value": "UNDEFINED", + "attributes": { + "enabled": true + }, + "tags": { + "source": "playbook", + "vbrServer": "@variables('VbrServerName')", + "type": "password", + "status": "requires_update" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@concat('https://', parameters('keyVaultName'), parameters('keyVaultDomain'))" + } + }, + "runAfter": { + "Check_Password_Secret_Exists_VBR": [ + "Failed" + ] + } + } + }, + "runAfter": { + "Extract_Host_and_Port_VBR": [ + "Succeeded" + ] + } + }, + "Setup_Hybrid_Connection_VBR": { + "type": "Scope", + "actions": { + "Check_Hybrid_Connection_Exists_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '?api-version=2024-01-01')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + } + }, + "Create_Hybrid_Connection_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "requiresClientAuthorization": true, + "userMetadata": "@concat('[{\"key\":\"endpoint\",\"value\":\"', outputs('Extract_Host_and_Port_VBR')?['host'], ':', outputs('Extract_Host_and_Port_VBR')?['port'], 
'\"}]')" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Check_Hybrid_Connection_Exists_VBR": [ + "Failed" + ] + } + }, + "Create_Listener_Rule_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultListener?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "rights": [ + "Listen" + ] + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Hybrid_Connection_VBR": [ + "Succeeded" + ] + } + }, + "Create_Sender_Rule_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultSender?api-version=2024-01-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "rights": [ + "Send" + ] + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Listener_Rule_VBR": [ + "Succeeded" + ] + } + }, + "Get_Sender_Key_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Relay/namespaces/', 
parameters('relayNamespaceName'), '/hybridConnections/', variables('VbrServerName'), '/authorizationRules/defaultSender/listKeys?api-version=2024-01-01')", + "method": "POST", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Create_Sender_Rule_VBR": [ + "Succeeded" + ] + } + }, + "Check_Function_App_Binding_Exists_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VbrServerName'), '?api-version=2022-03-01')", + "method": "GET", + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Get_Sender_Key_VBR": [ + "Succeeded" + ] + } + }, + "Bind_To_Function_App_VBR": { + "type": "Http", + "inputs": { + "uri": "@concat(parameters('azureManagementDomain'), '/subscriptions/', parameters('subscriptionId'), '/resourceGroups/', parameters('resourceGroupName'), '/providers/Microsoft.Web/sites/', parameters('functionAppName'), '/hybridConnectionNamespaces/', parameters('relayNamespaceName'), '/relays/', variables('VbrServerName'), '?api-version=2022-03-01')", + "method": "PUT", + "headers": { + "Content-Type": "application/json" + }, + "body": { + "properties": { + "hostname": "@outputs('Extract_Host_and_Port_VBR')?['host']", + "port": "@outputs('Extract_Host_and_Port_VBR')?['port']", + "relayArmUri": "@if(equals(body('Check_Hybrid_Connection_Exists_VBR')?['id'], null), body('Create_Hybrid_Connection_VBR')?['id'], body('Check_Hybrid_Connection_Exists_VBR')?['id'])", + "relayName": "@variables('VbrServerName')", + "sendKeyName": "defaultSender", + "sendKeyValue": "@body('Get_Sender_Key_VBR')?['primaryKey']", + 
"serviceBusNamespace": "@parameters('relayNamespaceName')", + "serviceBusSuffix": ".servicebus.windows.net" + } + }, + "authentication": { + "type": "ManagedServiceIdentity", + "audience": "@parameters('azureManagementDomain')" + } + }, + "runAfter": { + "Check_Function_App_Binding_Exists_VBR": [ + "Failed" + ] + } + } + }, + "runAfter": { + "Setup_KeyVault_Secrets_VBR": [ + "Succeeded" + ] + } + }, + "Set_VbrPasswordId": { + "type": "SetVariable", + "inputs": { + "name": "VbrPasswordId", + "value": "@item()?['properties.itemsKeyValue']?['Key Vault Password ID']" + } + }, + "Set_VbrUsernameId": { + "type": "SetVariable", + "inputs": { + "name": "VbrUsernameId", + "value": "@item()?['properties.itemsKeyValue']?['Key Vault Username ID']" + }, + "runAfter": { + "Set_VbrPasswordId": [ + "Succeeded" + ] + } + }, + "Set_VbrServerName": { + "type": "SetVariable", + "inputs": { + "name": "VbrServerName", + "value": "@item()?['properties.itemsKeyValue']?['Veeam Server Name']" + }, + "runAfter": { + "Set_VbrUsernameId": [ + "Succeeded" + ] + } + }, + "Set_VbrBaseUrl": { + "type": "SetVariable", + "inputs": { + "name": "VbrBaseUrl", + "value": "@item()?['properties.itemsKeyValue']?['Base URL']" + }, + "runAfter": { + "Set_VbrServerName": [ + "Succeeded" + ] + } + } + }, + "runAfter": { + "Parse_current_updated_VBR_Server": [ + "Succeeded" + ] + } + }, + "Parse_current_updated_VBR_Server": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_updated_VBR_server')", + "schema": { + "type": "object", + "properties": { + "properties.watchlistItemType": { + "type": "string" + }, + "properties.watchlistItemId": { + "type": "string" + }, + "properties.tenantId": { + "type": "string" + }, + "properties.isDeleted": { + "type": "boolean" + }, + "properties.created": { + "type": "string" + }, + "properties.updated": { + "type": "string" + }, + "properties.createdBy": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "name": { + "type": 
"string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.updatedBy": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Malware Events": { + "type": "string" + }, + "Collect Security and Compliance Analyzer Results": { + "type": "string" + }, + "Collect Authorization Events": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + } + } + }, + "properties.entityMapping": { + "type": "object" + }, + "etag": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "systemData": { + "type": "object", + "properties": { + "createdBy": { + "type": "string" + }, + "createdByType": { + "type": "string" + }, + "createdAt": { + "type": "string" + }, + "lastModifiedBy": { + "type": "string" + }, + "lastModifiedByType": { + "type": "string" + }, + "lastModifiedAt": { + "type": "string" + } + } + } + } + } + } + } + }, + "runAfter": { + "Parse_updated_VBR_Settings": [ + "Succeeded" + ] + }, + "runtimeConfiguration": { + "concurrency": { + "repetitions": 1 + } + } + }, + "Watchlists_-_Get_Updated_VBR_Settings": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems" + }, + "runAfter": { + "For_each_VBR_server_set_missing_parameters": [ + "Succeeded" + ] + } + }, + 
"Parse_updated_VBR_Settings": { + "type": "ParseJson", + "inputs": { + "content": "@body('Watchlists_-_Get_Updated_VBR_Settings')", + "schema": { + "type": "object", + "properties": { + "properties": { + "type": "object", + "properties": { + "watchlistItems": { + "type": "array", + "items": { + "type": "object", + "properties": { + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Malware Events": { + "type": "string" + }, + "Collect Security and Compliance Analyzer Results": { + "type": "string" + }, + "Collect Authorization Events": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + } + } + } + }, + "required": [ + "properties.itemsKeyValue" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Watchlists_-_Get_Updated_VBR_Settings": [ + "Succeeded" + ] + } + }, + "Parse_VONE_Settings": { + "type": "ParseJson", + "inputs": { + "content": "@body('Watchlists_-_Get_VONE_Settings_')", + "schema": { + "type": "object", + "properties": { + "id": { + "type": "string" + }, + "type": { + "type": "string" + }, + "properties": { + "type": "object", + "properties": { + "watchlistItems": { + "type": "array", + "items": { + "type": "object", + "properties": { + "properties.watchlistItemType": { + "type": "string" + }, + "properties.watchlistItemId": { + "type": "string" + }, + "properties.tenantId": { + "type": "string" + }, + "properties.isDeleted": { + "type": "boolean" + }, + "properties.created": { + "type": "string" + }, + "properties.updated": { + "type": "string" + }, + "properties.createdBy": { + "type": "object", + "properties": { + "email": { + "type": "string" + }, + "name": { + "type": "string" + }, + "objectId": { + "type": "string" + } + } + }, + "properties.updatedBy": { + "type": "object", + "properties": { + "name": { + "type": "string" + }, + "objectId": { + "type": 
"string" + } + } + }, + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Alarms": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + } + } + }, + "properties.entityMapping": { + "type": "object" + }, + "etag": { + "type": "string" + }, + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + }, + "systemData": { + "type": "object", + "properties": { + "createdBy": { + "type": "string" + }, + "createdByType": { + "type": "string" + }, + "createdAt": { + "type": "string" + }, + "lastModifiedBy": { + "type": "string" + }, + "lastModifiedByType": { + "type": "string" + }, + "lastModifiedAt": { + "type": "string" + } + } + } + }, + "required": [ + "properties.watchlistItemType", + "properties.watchlistItemId", + "properties.tenantId", + "properties.isDeleted", + "properties.created", + "properties.updated", + "properties.createdBy", + "properties.updatedBy", + "properties.itemsKeyValue", + "properties.entityMapping", + "etag", + "id", + "name", + "type", + "systemData" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Watchlists_-_Get_VONE_Settings_": [ + "Succeeded" + ] + } + }, + "Watchlists_-_Get_VONE_Settings_": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vone_settings')}/watchlistItems" + }, + "runAfter": { + "Initialize_Variables": [ + "Succeeded" + ] + } + }, + "Watchlists_-_Get_VBR_Settings": { + "type": "ApiConnection", + "inputs": { + "host": { 
+ "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Watchlists/subscriptions/@{encodeURIComponent(parameters('subscriptionId'))}/resourceGroups/@{encodeURIComponent(parameters('resourceGroupName'))}/workspaces/@{encodeURIComponent(parameters('workspaceId'))}/watchlists/@{encodeURIComponent('vbr_settings')}/watchlistItems" + }, + "runAfter": { + "Initialize_Variables": [ + "Succeeded" + ] + } + }, + "Parse_VBR_Settings": { + "type": "ParseJson", + "inputs": { + "content": "@body('Watchlists_-_Get_VBR_Settings')", + "schema": { + "type": "object", + "properties": { + "properties": { + "type": "object", + "properties": { + "watchlistItems": { + "type": "array", + "items": { + "type": "object", + "properties": { + "properties.itemsKeyValue": { + "type": "object", + "properties": { + "Veeam Server Name": { + "type": "string" + }, + "Base URL": { + "type": "string" + }, + "Collect Malware Events": { + "type": "string" + }, + "Collect Security and Compliance Analyzer Results": { + "type": "string" + }, + "Collect Authorization Events": { + "type": "string" + }, + "Key Vault Password ID": { + "type": "string" + }, + "Key Vault Username ID": { + "type": "string" + } + } + } + }, + "required": [ + "properties.itemsKeyValue" + ] + } + } + } + } + } + } + }, + "runAfter": { + "Watchlists_-_Get_VBR_Settings": [ + "Succeeded" + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionName": "[[parameters('AzureSentinelConnectionName')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', parameters('AzureSentinelConnectionName'))]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId15'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId15')]", + "contentId": "[variables('_playbookContentId15')]", + "kind": "Playbook", + "version": "[variables('playbookVersion15')]", + "source": { + "kind": "Solution", + "name": "Veeam", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Veeam Software", + "email": "[variables('_email')]" + }, + "support": { + "name": "Veeam Software", + "email": "microsoftappsupport@veeam.com", + "tier": "Partner", + "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/" + } + } + } + ], + "metadata": { + "title": "Veeam-SetupConnections", + "description": "A Microsoft Sentinel playbook that configures Key Vault secrets and hybrid connections for Veeam servers. The playbook gets server settings and Key Vault secrets from vbr_settings and vone_settings watchlists, creates Key Vault IDs, and sets all collection flags to True if required.", + "prerequisites": [ + "1. Microsoft Sentinel workspace configured.", + "2. Permissions to create Logic Apps and API Connections.", + "3. Permissions to assign roles to the Resource Group.", + "4. Veeam Azure Function App deployed and configured.", + "5. Azure Key Vault configured with appropriate access policies.", + "6. Azure Relay namespace configured.", + "7. VBR Settings watchlist configured in Microsoft Sentinel.", + "8. Veeam ONE Settings watchlist configured in Microsoft Sentinel." + ], + "tags": [ + "Automation", + "Veeam", + "Setup", + "Connections" + ], + "lastUpdateTime": "2025-09-02T01:02:00Z", + "parameterTemplateVersion": "1.0.0", + "postDeployment": [ + "1. Assign the Microsoft Sentinel Contributor role to the Logic App's managed identity on the Microsoft Sentinel workspace.", + "2. 
Assign the Key Vault Administrator role to the Logic App's managed identity on the Key Vault resource.", + "3. Assign the Website Contributor role to the Logic App's managed identity on the Function App resource.", + "4. Assign the Azure Relay Owner role to the Logic App's managed identity on the Relay Namespace resource.", + "5. **After playbook is run successfully**, you need to go to the Key Vault and set the password and username for each VBR server. Also, you need to install Hybrid Connections Manager into your network and set up connection there." + ], + "releaseNotes": { + "version": "1.0", + "title": "[variables('blanks')]", + "notes": [ + "Initial version" + ] + } + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId15')]", + "contentKind": "Playbook", + "displayName": "Veeam-SetupConnections", + "contentProductId": "[variables('_playbookcontentProductId15')]", + "id": "[variables('_playbookcontentProductId15')]", + "version": "[variables('playbookVersion15')]" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist1-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Job Types Lookup", + "watchlistAlias": "job_types_lookup", + "source": "job_types_lookup.csv", + "description": "Job Types Lookup.", + "provider": "Microsoft", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "JobType", + "rawContent": "JobType,JobTypeDescription\r\n0,Backup Job\r\n1,Replication Job\r\n2,Backup Copy Job\r\n3,SureBackup Job\r\n8,Quick Migration\r\n22,Rescan Job\r\n24,File to Tape Job\r\n28,Backup to Tape Job\r\n50,Replication Job\r\n51,Backup Copy Job\r\n52,MS SQL Log 
Backup Job\r\n54,Oracle Log Backup Job\r\n60,HPE StoreOnce Replication Job\r\n63,Backup Copy Job\r\n65,Backup Copy Job\r\n70,Backup Copy Job\r\n74,PostgreSQL Log Backup Job\r\n78,Entra ID Backup Job\r\n100,Configuration Backup Job\r\n104,Configuration Database Maintenance Job\r\n198,Tape Verification Job\r\n501,Tape Copy Job\r\n202,Restore Job\r\n203,Undo Failover Plan\r\n290,Restore Job\r\n316,CDP Policy\r\n4000,Agent Backup Job (Backup Server)\r\n12000,Agent Backup Job (Backup Server)\r\n12002,Agent Backup Job (Backup Policy)\r\n12003,Agent Backup Job (Backup Server)\r\n12100,Enterprise Plug-in Backup Job\r\n12101,Enterprise Plug-in Log Backup Job\r\n13000,File Backup job\r\n13003,File Backup Copy Job\r\n14000,Backup Job\r\n15000,Storage Snapshot Snapshot-Only Job\r\n15001,Storage Snapshot Backup Job\r\n15002,Storage Snapshot Copy Job\r\n15004,Storage Snapshot Restore Session\r\n18000,Archive Tier Backup Job\r\n18001,Archive Tier Restore Session\r\n18002,Archive Download Session\r\n18003,Archive Tier Synchronization Job\r\n18004,Archive Tier Backup Copy Job\r\n18005,Archive Tier Archiving Job\r\n18006,Publish Disk Session\r\n18008,Object Storage Repository Synchronization Job\r\n24002,Guest OS File Restore Session\r\n33000,SureBackup Scan only\r\n33001,SureBackup Scan only\r\n" + }, + "apiVersion": "2022-08-01" + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist2-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "apiVersion": "2022-08-01", + "properties": { + "displayName": "License Editions Lookup", + "description": "License Editions Lookup.", + "provider": "Microsoft", + "source": "license_editions_lookup.csv", + "defaultDuration": "P1000Y", + "isDeleted": false, + "sourceType": "Local file", + "contentType": "text/csv", + "numberOfLinesToSkip": 0, + "rawContent": "Edition,EditionDescription\n-1,No License Installed\n0,Veeam Universal License\n1,Community 
Edition\n2,Enterprise Edition\n3,Enterprise Plus Edition", + "itemsSearchKey": "Edition", + "watchlistAlias": "license_editions_lookup" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist3-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "apiVersion": "2022-08-01", + "properties": { + "displayName": "License Types Lookup", + "description": "License Types Lookup.", + "sourceType": "Microsoft", + "isDeleted": false, + "defaultDuration": "P1000Y", + "source": "license_types_lookup.csv", + "contentType": "text/csv", + "rawContent": "Type,TypeDescription\n0,No License Installed\n1,Rental License\n2,NFR License\n3,Perpetual License\n4,Evaluation License\n5,Subscription License\n7,Promo License", + "itemsSearchKey": "Type", + "numberOfLinesToSkip": 0, + "provider": "Veeam Software" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist4-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "apiVersion": "2022-08-01", + "properties": { + "displayName": "Operation Names Lookup", + "description": "Operation Names Lookup.", + "provider": "Microsoft", + "source": "operation_names_lookup.csv", + "sourceType": "Local file", + "contentType": "text/csv", + "numberOfLinesToSkip": 0, + "rawContent": "Operation Id,OperationName\n0,Four-eyes authorization has been enabled\n1,Four-eyes authorization has been disabled\n100,Delete backup\n101,Delete log backup\n102,Delete configuration backup\n103,Disable four-eyes authorization\n104,Delete snapshot\n105,Delete infrastructure object\n106,Delete service provider\n107,Delete storage\n108,Update Veeam Backup & Replication security settings\n10000,Other operations", + "itemsSearchKey": "Operation Id", + "watchlistAlias": "operation_names_lookup" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist5-id'))]", + 
"type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "apiVersion": "2022-08-01", + "properties": { + "displayName": "Session States Lookup", + "description": "Session States Lookup.", + "provider": "Microsoft", + "source": "session_states_lookup.csv", + "sourceType": "Local file", + "contentType": "text/csv", + "numberOfLinesToSkip": 0, + "rawContent": "JobResult,JobResultMessage\n0,Success\n2,Failed\n3,Warning\n5,In progress\n6,Pending\n13,CBT mode", + "itemsSearchKey": "JobResult", + "watchlistAlias": "session_states_lookup" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist6-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "apiVersion": "2022-08-01", + "properties": { + "displayName": "VBR Events Lookup", + "description": "Veeam Software Backup & Replication Events Lookup.", + "provider": "Microsoft", + "source": "vbr_events_lookup.csv", + "sourceType": "Local file", + "contentType": "text/csv", + "numberOfLinesToSkip": 0, + "rawContent": "ID,Event Name,Type,Event Group,Severity,Default Severity\n115,Tape Erase Job Started,Veeam Backup & Replication,Security,high,high\n150,Backup Task Finished,Veeam Backup & Replication,Monitoring,none,none\n151,File Backup Job Finished,Veeam Backup & Replication,Monitoring,none,none\n190,Backup Job Finished,Veeam Backup & Replication,Monitoring,none,none\n194,File To Tape Job Finished,Veeam Backup & Replication,Monitoring,none,none\n198,Tape Verification Job,Veeam Backup & Replication,Monitoring,none,none\n200,Tape Copy Job,Veeam Backup & Replication,Monitoring,disabled,none\n251,Restore Task for Hyper-V VM FInished,Veeam Backup & Replication,Monitoring,none,none\n290,Restore Session Finished,Veeam Backup & Replication,Monitoring,none,none\n314,VM with no backup,Veeam ONE,Security,critical,critical\n315,VM with no backup (Hyper-V),Veeam ONE,Security,critical,critical\n331,VM with no replica,Veeam 
ONE,Security,medium,medium\n332,VM with no replica (Hyper-V),Veeam ONE,Security,critical,critical\n342,Possible ransomware activity (vSphere),Veeam ONE,Security,critical,critical\n344,Possible ransomware activity (Hyper-V),Veeam ONE,Security,critical,critical\n364,Suspicious incremental backup size,Veeam ONE,Security,critical,critical\n365,Backup Copy RPO,Veeam ONE,Security,critical,critical\n369,Unusual job duration,Veeam ONE,Security,medium,medium\n370,Computer with no backup,Veeam ONE,Security,critical,critical\n376,Immutability state,Veeam ONE,Security,medium,medium\n377,Immutability change tracking,Veeam ONE,Security,critical,critical\n378,Job disabled (Veeam Backup for Microsoft 365),Veeam ONE,Security,medium,medium\n381,Unusual job duration (Veeam Backup for Microsoft 365),Veeam ONE,Security,medium,medium\n390,SureBackup Job Finished,Veeam Backup & Replication,Monitoring,none,none\n391,Application with no recent data backup sessions,Veeam ONE,Security,medium,medium\n395,Backup server security & compliance state,Veeam ONE,Security,critical,critical\n403,Veeam malware detection change tracking,Veeam ONE,Security,critical,critical\n450,Backup Copy Task Finished,Veeam Backup & Replication,Monitoring,none,none\n451,File Backup Copy Job Finished,Veeam Backup & Replication,Monitoring,none,none\n490,Backup Copy Job Finished,Veeam Backup & Replication,Monitoring,none,none\n590,File Copy Job Finished,Veeam Backup & Replication,Monitoring,none,none\n592,VM Copy Job Finished,Veeam Backup & Replication,Monitoring,none,none\n610,Quick Migration Finished,Veeam Backup & Replication,Monitoring,none,none\n652,Active Full Backup for Backup Policy Finished,Veeam Backup & Replication,Monitoring,none,none\n790,Agent Backup Job Finished,Veeam Backup & Replication,Monitoring,none,none\n21224,Connection to Backup Repository Lost,Veeam Backup & Replication,Security,critical,critical\n23090,Job Deleted,Veeam Backup & Replication,Security,critical,critical\n23420,Job No Longer Used as 
Second Destination,Veeam Backup & Replication,Security,high,high\n23630,Tape Media Pool Deleted,Veeam Backup & Replication,Security,information,information\n23631,Tape Media Vault Deleted,Veeam Backup & Replication,Security,information,information\n23632,Tape medium Deleted,Veeam Backup & Replication,Security,high,high\n23633,Tape Library Deleted,Veeam Backup & Replication,Security,information,information\n24020,License Key Expiring,Veeam Backup & Replication,Security,information,information\n24030,License Key Expired,Veeam Backup & Replication,Security,high,high\n24040,License Support Expiring,Veeam Backup & Replication,Security,medium,medium\n24050,License Support Expired,Veeam Backup & Replication,Security,high,high\n24060,License Grace Period Started,Veeam Backup & Replication,Security,medium,medium\n24070,License Limit Exceeded,Veeam Backup & Replication,Security,medium,medium\n24080,License Key Removed,Veeam Backup & Replication,Security,high,high\n24114,Tenant Password Changed,Veeam Backup & Replication,Security,medium,medium\n24131,Cloud Gateway Settings Updated,Veeam Backup & Replication,Security,information,information\n24140,Cloud Gateway Deleted,Veeam Backup & Replication,Security,information,information\n24142,Cloud Gateway Pool Settings Updated,Veeam Backup & Replication,Security,information,information\n24143,Cloud Gateway Pool Deleted,Veeam Backup & Replication,Security,information,information\n24160,Tenant Quota Changed,Veeam Backup & Replication,Security,information,information\n24170,Tenant Quota Deleted,Veeam Backup & Replication,Security,information,information\n25000,Tenant State Changed,Veeam Backup & Replication,Security,information,information\n25210,Subtenant Deleted,Veeam Backup & Replication,Security,high,high\n25220,Subtenant Updated,Veeam Backup & Replication,Security,information,information\n25400,Credential Record Updated,Veeam Backup & Replication,Security,high,high\n25500,Credential Record Deleted,Veeam Backup & 
Replication,Security,critical,critical\n25700,Hypervisor Host Deleted,Veeam Backup & Replication,Security,information,information\n25800,Hypervisor Host Settings Updated,Veeam Backup & Replication,Security,information,information\n26000,Failover Plan Settings Updated,Veeam Backup & Replication,Security,information,information\n26100,Failover Plan Deleted,Veeam Backup & Replication,Security,medium,medium\n26110,Failover Plan Failed,Veeam Backup & Replication,Security,medium,medium\n26600,Failover Plan Started,Veeam Backup & Replication,Security,high,high\n26700,Failover Plan Stopped,Veeam Backup & Replication,Security,medium,medium\n26800,Tenant Replica Started,Veeam Backup & Replication,Security,information,information\n26900,Tenant Replica Stopped,Veeam Backup & Replication,Security,high,high\n27000,Cloud Replica Permanent Failover Performed by Tenant,Veeam Backup & Replication,Security,high,high\n27200,WAN Accelerator Settings Updated,Veeam Backup & Replication,Security,information,information\n27300,WAN Accelerator Deleted,Veeam Backup & Replication,Security,information,information\n27500,Service Provider Updated,Veeam Backup & Replication,Security,information,information\n27600,Service Provider Deleted,Veeam Backup & Replication,Security,information,information\n27900,Backup Proxy Deleted,Veeam Backup & Replication,Security,information,information\n28100,Backup Repository Settings Updated,Veeam Backup & Replication,Security,medium,medium\n28200,Backup Repository Deleted,Veeam Backup & Replication,Security,critical,critical\n28400,Host Settings Updated,Veeam Backup & Replication,Security,information,information\n28500,Host Deleted,Veeam Backup & Replication,Security,high,high\n28800,Tape Server Deleted,Veeam Backup & Replication,Security,information,information\n28850,NDMP Server Deleted,Veeam Backup & Replication,Security,information,information\n28920,File Share Deleted,Veeam Backup & Replication,Security,high,high\n28940,File Server Settings Updated,Veeam 
Backup & Replication,Security,information,information\n28950,File Server Deleted,Veeam Backup & Replication,Security,high,high\n28970,Object Storage Settings Updated,Veeam Backup & Replication,Security,medium,medium\n28980,Object Storage Deleted,Veeam Backup & Replication,Security,critical,critical\n29110,Protection Group Settings Updated,Veeam Backup & Replication,Security,information,information\n29120,Protection Group Deleted,Veeam Backup & Replication,Security,high,high\n29140,Objects for Protection Group Changed,Veeam Backup & Replication,Security,information,information\n29150,Objects for Protection Group Deleted,Veeam Backup & Replication,Security,high,high\n29800,Archive Repository Settings Updated,Veeam Backup & Replication,Security,medium,medium\n29900,Archive Repository Deleted,Veeam Backup & Replication,Security,critical,critical\n30100,Scale-Out Backup Repository Settings Updated,Veeam Backup & Replication,Security,high,high\n30200,Scale-Out Backup Repository Deleted,Veeam Backup & Replication,Security,critical,critical\n30400,Application Group Settings Updated,Veeam Backup & Replication,Security,information,information\n30500,Application Group Deleted,Veeam Backup & Replication,Security,information,information\n30700,Virtual Lab Settings Updated,Veeam Backup & Replication,Security,information,information\n30800,Virtual Lab Deleted,Veeam Backup & Replication,Security,information,information\n31000,General Settings Updated,Veeam Backup & Replication,Security,information,information\n31200,User or Group Added,Veeam Backup & Replication,Security,high,high\n31210,Adding User or Group Failed,Veeam Backup & Replication,Security,medium,medium\n31400,User or Group Deleted,Veeam Backup & Replication,Security,critical,critical\n31500,Configuration Backup Job Settings Updated,Veeam Backup & Replication,Security,information,information\n31600,Encryption Password Added,Veeam Backup & Replication,Security,information,information\n31700,Encryption Password 
Changed,Veeam Backup & Replication,Security,high,high\n31800,Encryption Password Deleted,Veeam Backup & Replication,Security,critical,critical\n31900,SSH Credentials Changed,Veeam Backup & Replication,Security,high,high\n32100,External Repository Settings Updated,Veeam Backup & Replication,Security,information,information\n32120,Objects for Job Deleted,Veeam Backup & Replication,Security,high,high\n32200,External Repository Deleted,Veeam Backup & Replication,Security,critical,critical\n32400,Global Network Traffic Rules Deleted,Veeam Backup & Replication,Security,information,information\n32800,Preferred Networks Deleted,Veeam Backup & Replication,Security,information,information\n36013,Recovery Token Deleted,Veeam Backup & Replication,Security,medium,medium\n36022,Backup Job for Application Backup Policy Finished,Veeam Backup & Replication,Monitoring,none,none\n36023,Backup Task for Application Backup Policy Started,Veeam Backup & Replication,Monitoring,none,none\n36024,Backup Task for Application Backup Policy Finished,Veeam Backup & Replication,Monitoring,none,none\n36026,Log Backup Job for Application Backup Policy Finished,Veeam Backup & Replication,Monitoring,none,none\n40201,Multi-Factor Authentication Disabled,Veeam Backup & Replication,Security,critical,critical\n40202,Multi-Factor Authentication Token Revoked,Veeam Backup & Replication,Security,medium,medium\n40204,Multi-Factor Authentication for User Disabled,Veeam Backup & Replication,Security,critical,critical\n40205,Invalid Code for Multi-Factor Authentication Entered,Veeam Backup & Replication,Security,high,high\n40206,Allowed Attempts for Multi-Factor Authentication Exceeded,Veeam Backup & Replication,Security,critical,critical\n40290,Restore Session Finished,Veeam Backup & Replication,Monitoring,none,none\n40400,Global VM Exclusions Added,Veeam Backup & Replication,Security,high,high\n40500,Global VM Exclusions Deleted,Veeam Backup & Replication,Security,medium,medium\n40600,Global VM Exclusions 
Changed,Veeam Backup & Replication,Security,high,high\n40700,Configuration Backup Job Finished,Veeam Backup & Replication,Monitoring,none,none\n40800,Configuration Restore Session Finished,Veeam Backup & Replication,Monitoring,none,none\n41200,Detaching Backups Started,Veeam Backup & Replication,Security,information,information\n41401,Storage Settings Updated,Veeam Backup & Replication,Security,information,information\n41402,Storage Deleted,Veeam Backup & Replication,Security,critical,critical\n41600,Malware Activity Detected,Veeam Backup & Replication,Security,critical,critical\n41610,Object Marked as Clean,Veeam Backup & Replication,Security,information,information\n41800,Attempt to Delete Backup Failed,Veeam Backup & Replication,Security,critical,critical\n41810,Attempt to Update Security Object Failed,Veeam Backup & Replication,Security,critical,critical\n42210,Malware Detection Session Finished,Veeam Backup & Replication,Security,information,information\n42220,Restore Point Marked as Infected,Veeam Backup & Replication,Security,critical,critical\n42230,Restore Point Marked as Clean,Veeam Backup & Replication,Security,information,information\n42260,Objects Added to Malware Detection Exclusions,Veeam Backup & Replication,Security,high,high\n42270,Objects Deleted from Malware Detection Exclusions,Veeam Backup & Replication,Security,information,information\n42280,Malware Detection Exclusions List Updated,Veeam Backup & Replication,Security,high,high\n42290,Malware Detection Settings Updated,Veeam Backup & Replication,Security,high,high\n42301,KMS Server Deleted,Veeam Backup & Replication,Security,critical,critical\n42302,KMS Server Settings Updated,Veeam Backup & Replication,Security,high,high\n42401,Four-Eyes Authorization Disabled,Veeam Backup & Replication,Security,critical,critical\n42402,Four-Eyes Authorization Request Created,Veeam Backup & Replication,Security,critical,critical\n42403,Four-Eyes Authorization Request Approved,Veeam Backup & 
Replication,Monitoring,none,none\n42404,Four-Eyes Authorization Request Rejected,Veeam Backup & Replication,Security,information,information\n42405,Four-Eyes Authorization Request Expired,Veeam Backup & Replication,Security,high,high\n42500,KMS Key Rotation Job Finished,Veeam Backup & Replication,Security,information,information", + "itemsSearchKey": "ID", + "watchlistAlias": "vbr_events_lookup" + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist7-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Action Results Lookup", + "watchlistAlias": "action_results_lookup", + "source": "action_results_lookup.csv", + "description": "Action Results Lookup.", + "provider": "Microsoft", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "JobResult", + "rawContent": "JobResult,JobResultMessage\r\n-1,None\r\n0,Success\r\n1,Warning\r\n2,Failed\r\n3,Working\r\n" + }, + "apiVersion": "2022-08-01" + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist8-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Veeam Backup & Replication Settings", + "watchlistAlias": "vbr_settings", + "source": "vbr_settings.csv", + "description": "This watchlist lists Veeam Backup & Replication servers and the event types to collect. To add a server, specify Veeam Server Name and Base URL. Then run the Veeam-SetupConnections Playbook. The playbook sets the collection flags to true and creates keyVaultIds if they are empty. 
Otherwise, it uses the values you provide to configure Hybrid Connections and Key Vault secrets.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "Veeam Server Name", + "rawContent": "Veeam Server Name,Base URL,Collect Malware Events,Collect Security and Compliance Analyzer Results,Collect Authorization Events,Collect Configuration Backups,Key Vault Username ID,Key Vault Password ID\r\nExampleServerName,https://ExampleServerName.domain.example:9419,true,true,true,true,ExampleServerNameUsername,ExampleServerNamePassword\r\n" + }, + "apiVersion": "2022-08-01" + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist9-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "VONE Settings", + "watchlistAlias": "vone_settings", + "source": "vone_settings.csv", + "description": "This watchlist lists Veeam ONE servers and a flag that controls event collection. To add a server, specify Veeam Server Name and Base URL. Then run the Veeam-SetupConnections Playbook. The playbook sets the collection flag to true and creates keyVaultIds if they are empty. 
Otherwise, it uses the values you provide to configure Hybrid Connections and Key Vault secrets.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "Veeam Server Name", + "rawContent": "Veeam Server Name,Base URL,Collect Alarms,Key Vault Username ID,Key Vault Password ID\r\nExampleServerName,https://ExampleServerName.domain.example:1239,true,ExampleServerNameUsername,ExampleServerNamePassword\r\n" + }, + "apiVersion": "2022-08-01" + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist10-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", + "properties": { + "displayName": "Coveware Settings", + "watchlistAlias": "coveware_settings", + "source": "coveware_settings.csv", + "description": "This watchlist defines Coveware server settings for findings data collection. You can disable data collection by setting the Collect Coveware Findings flag to false.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "Coveware Server Name", + "rawContent": "Coveware Server Name,Collect Coveware Findings,Coveware Base URL,Key Vault Password ID,Key Vault Username ID,Key Vault Client ID\r\nCovewareServer,true,https://api.coveware.com,CovewareServerPasswordId,CovewareServerUsernameId,CovewareServerClientId\r\n" + }, + "apiVersion": "2022-08-01" + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',parameters('watchlist11-id'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/watchlists", + "apiVersion": "2023-02-01", + "properties": { + "displayName": "Veeam Collection Schedule Settings", + "watchlistAlias": "collection_schedule_settings", + "source": "collection_schedule_settings.csv", + "description": "This watchlist stores the configuration for 
schedules and recurrence intervals used by Veeam collection playbooks. To apply the changes, run the Veeam-ChangeCollectionTime playbook.", + "provider": "Custom", + "isDeleted": false, + "defaultDuration": "P1000Y", + "contentType": "Text/Csv", + "numberOfLinesToSkip": 0, + "itemsSearchKey": "CollectionPlaybookName", + "rawContent": "CollectionPlaybookName,RecurrenceInterval,TimeUnit\r\nVeeam-CollectMalwareEvents,1,Day\r\nVeeam-CollectVeeamAuthorizationEvents,1,Day\r\nVeeam-CollectSecurityComplianceAnalyzerResult,1,Day\r\nVeeam-CollectVeeamONEAlarms,1,Day\r\nVeeam-CollectCovewareFindings,1,Day\r\nVeeam-CollectConfigurationBackups,1,Day\r\n" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('parserObject1').parserTemplateSpecName1]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "Veeam_GetJobFinished Data Parser with template version 3.1.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('parserObject1').parserVersion1]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[variables('parserObject1')._parserName1]", + "apiVersion": "2025-07-01", + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "location": "[parameters('workspace-location')]", + "properties": { + "eTag": "*", + "displayName": "Parser for Veeam Job Finished Events", + "category": "Microsoft Sentinel Parser", + "functionAlias": "Veeam_GetJobFinished", + "query": "let vbr_events_lookup = union isfuzzy=true \n (datatable(ID:string, Severity:string, Type1:string, [\"Event Name\"]:string)[]),\n 
(_GetWatchlist(\"vbr_events_lookup\")); \nlet action_results_lookup = union isfuzzy=true \n (datatable(JobResult:string, JobResultMessage:string)[]),\n (_GetWatchlist(\"action_results_lookup\")); \nlet job_types_lookup = union isfuzzy=true \n (datatable(JobType:string, JobTypeDescription:string)[]),\n (_GetWatchlist(\"job_types_lookup\")); \nSyslog\n| where SyslogMessage has \"instanceId\"\n| extend instanceId = extract(\"instanceId=(\\\\d+)\", 1, SyslogMessage) \n| filter instanceId in (\"150\", \"151\", \"190\", \"194\", \"198\", \"200\", \"250\", \"251\", \"290\", \"390\", \"450\", \"451\", \"490\", \"590\", \"592\", \"610\", \"790\", \"36022\", \"36026\", \"40290\", \"40800\")\n| lookup kind=leftouter (vbr_events_lookup) \n on $left.instanceId == $right.ID\n| extend Description = extract(\"Description=\\\"(?Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nVeeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nData Connectors: 1, Parsers: 4, Workbooks: 2, Analytic Rules: 132, Watchlists: 11, Playbooks: 15
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nVeeam App for Microsoft Sentinel allows Veeam Data Platform Advanced and Premium customers to combine the powerful cyberthreat detection and response features of Microsoft Sentinel with a simple and powerful data platform that goes beyond backup, providing organizations with reliable data protection, seamless recovery, and vital security insights.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nData Connectors: 2, Parsers: 10, Workbooks: 2, Analytic Rules: 132, Watchlists: 11, Playbooks: 15
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -24977,6 +27854,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentIdConnections2')]", + "version": "[variables('dataConnectorCCPVersion')]" + }, { "kind": "Playbook", "contentId": "[variables('_Veeam-ChangeCollectionTime')]", @@ -25055,57 +27937,57 @@ { "kind": "Watchlist", "contentId": "[variables('_Job Types Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_License Editions Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_License Types Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Operation Names Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Session States Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_VBR Events Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Action Results Lookup')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Veeam Backup & Replication Settings')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_VONE Settings')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Coveware Settings')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Watchlist", "contentId": "[variables('_Veeam Collection Schedule Settings')]", - "version": "3.0.2" + "version": "3.1.0" }, { "kind": "Parser", 
@@ -25127,6 +28009,36 @@
 "contentId": "[variables('parserObject4').parserContentId4]",
 "version": "[variables('parserObject4').parserVersion4]"
 },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject5').parserContentId5]",
+ "version": "[variables('parserObject5').parserVersion5]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject6').parserContentId6]",
+ "version": "[variables('parserObject6').parserVersion6]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject7').parserContentId7]",
+ "version": "[variables('parserObject7').parserVersion7]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject8').parserContentId8]",
+ "version": "[variables('parserObject8').parserVersion8]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject9').parserContentId9]",
+ "version": "[variables('parserObject9').parserVersion9]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('parserObject10').parserContentId10]",
+ "version": "[variables('parserObject10').parserVersion10]"
+ },
 {
 "kind": "AnalyticsRule",
 "contentId": "[variables('analyticRuleObject1')._analyticRulecontentId1]",
@@ -25799,7 +28711,7 @@
 }
 ]
 },
- "firstPublishDate": "2025-08-26",
+ "firstPublishDate": "2026-06-16",
 "providers": [
 "Veeam"
 ],
diff --git a/Solutions/Veeam/Package/testParameters.json b/Solutions/Veeam/Package/testParameters.json
index 018b6b27644..9e7a0480a8f 100644
--- a/Solutions/Veeam/Package/testParameters.json
+++ b/Solutions/Veeam/Package/testParameters.json
@@ -21,6 +21,20 @@
 "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
 }
 },
+ "resourceGroupName": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().name]",
+ "metadata": {
+ "description": "resource group name where Microsoft Sentinel is setup"
+ }
+ },
+ "subscription": {
+ "type": "string",
+ "defaultValue": "[last(split(subscription().id, '/'))]",
+ "metadata": {
+ "description": "subscription id where Microsoft Sentinel is setup"
+ }
+ },
 "watchlist1-id": {
 "type": "string",
 "defaultValue": "job_types_lookup",
diff --git a/Solutions/Veeam/Parsers/parser_VeeamAuthorizationEventsV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamAuthorizationEventsV2AliasFunction.json
new file mode 100644
index 00000000000..218aacda8f7
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamAuthorizationEventsV2AliasFunction.json
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamAuthorizationEventsV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamAuthorizationEvents_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamAuthorizationEvents_CL",
+ "query": "union isfuzzy=true VeeamAuthorizationEventsV2_CL, VeeamAuthorizationEvents_CL",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Parsers/parser_VeeamCovewareFindingsV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamCovewareFindingsV2AliasFunction.json
new file mode 100644
index 00000000000..bdbdc9658bc
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamCovewareFindingsV2AliasFunction.json
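Review bot: In parser_VeeamAuthorizationEventsV2AliasFunction.json the `functionAlias` takes the legacy table's own name and the `query` is a bare union of the V2 and legacy tables, so a workspace that runs the older collector and the new CCF connector side by side during migration will presumably hand each event twice to every rule and workbook that queries `VeeamAuthorizationEvents_CL`. Nothing deduplicates or marks the leg a row came from; `union withsource=SourceTable isfuzzy=true VeeamAuthorizationEventsV2_CL, VeeamAuthorizationEvents_CL` would at least let detections tell the two apart. Because the body references the same name as the alias, it is also worth confirming that the second operand resolves to the table and not back to the function. `isfuzzy=true` drops a missing leg silently, so a misnamed or not-yet-created V2 table yields empty results instead of an error. The Coveware, Malware, OneTriggeredAlarms, SecurityComplianceAnalyzer and Sessions alias parsers that follow share the same pattern.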
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamCovewareFindingsV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamCovewareFindings_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamCovewareFindings_CL",
+ "query": "union isfuzzy=true VeeamCovewareFindingsV2_CL, VeeamCovewareFindings_CL",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Parsers/parser_VeeamMalwareEventsV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamMalwareEventsV2AliasFunction.json
new file mode 100644
index 00000000000..8b9e883ebcb
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamMalwareEventsV2AliasFunction.json
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamMalwareEventsV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamMalwareEvents_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamMalwareEvents_CL",
+ "query": "union isfuzzy=true VeeamMalwareEventsV2_CL, VeeamMalwareEvents_CL",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Parsers/parser_VeeamOneTriggeredAlarmsV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamOneTriggeredAlarmsV2AliasFunction.json
new file mode 100644
index 00000000000..026451f7c89
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamOneTriggeredAlarmsV2AliasFunction.json
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamOneTriggeredAlarmsV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamOneTriggeredAlarms_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamOneTriggeredAlarms_CL",
+ "query": "union isfuzzy=true VeeamOneTriggeredAlarmsV2_CL, VeeamOneTriggeredAlarms_CL",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Parsers/parser_VeeamSecurityComplianceAnalyzerV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamSecurityComplianceAnalyzerV2AliasFunction.json
new file mode 100644
index 00000000000..7bff6a0bbcc
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamSecurityComplianceAnalyzerV2AliasFunction.json
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamSecurityComplianceAnalyzerV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamSecurityComplianceAnalyzer_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamSecurityComplianceAnalyzer_CL",
+ "query": "union isfuzzy=true VeeamSecurityComplianceAnalyzerV2_CL, VeeamSecurityComplianceAnalyzer_CL",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/Parsers/parser_VeeamSessionsV2AliasFunction.json b/Solutions/Veeam/Parsers/parser_VeeamSessionsV2AliasFunction.json
new file mode 100644
index 00000000000..18794350418
--- /dev/null
+++ b/Solutions/Veeam/Parsers/parser_VeeamSessionsV2AliasFunction.json
@@ -0,0 +1,14 @@
+{
+ "name": "VeeamSessionsV2AliasFunction",
+ "apiVersion": "2023-09-01",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "properties": {
+ "eTag": "*",
+ "displayName": "VeeamSessions_CL",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "VeeamSessions_CL",
+ "query": "union isfuzzy=true (VeeamSessionsV2_CL | extend ResourceId = iff(isempty(tostring(column_ifexists('ResourceId', ''))), tostring(column_ifexists('VeeamResourceId', '')), tostring(column_ifexists('ResourceId', '')))),(VeeamSessions_CL | extend ResourceId = iff(isempty(tostring(column_ifexists('ResourceId', ''))), tostring(column_ifexists('VeeamResourceId', '')), tostring(column_ifexists('ResourceId', ''))))",
+ "functionParameters": "",
+ "version": 2
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Veeam/ReleaseNotes.md b/Solutions/Veeam/ReleaseNotes.md
index dc1d14dfc6a..b645c4d7bd7 100644
--- a/Solutions/Veeam/ReleaseNotes.md
+++ b/Solutions/Veeam/ReleaseNotes.md
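Review bot: The `ResourceId` fallback in the VeeamSessions `query` is written out twice, once inside each union leg, so a later edit to one copy can leave the V2 and legacy legs normalising the column differently without anyone noticing. From what the query shows, applying it once after the union should give the same rows: `union isfuzzy=true VeeamSessionsV2_CL, VeeamSessions_CL | extend ResourceId = iff(isempty(tostring(column_ifexists('ResourceId', ''))), tostring(column_ifexists('VeeamResourceId', '')), tostring(column_ifexists('ResourceId', '')))`. Sessions is the only one of the six aliases that remaps a column, and neither the file nor the release notes entry says why, so a sentence in ReleaseNotes.md on the `VeeamResourceId` to `ResourceId` mapping would help whoever maintains the detections built on it.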
@@ -1,5 +1,6 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|-------------------------------------------------------------------------------------| -| 3.0.2 | 15-10-2025 | Updated author to Veeam Software | -| 3.0.1 | 03-10-2025 | Updated Coveware security findings integration; Removed irrelevant mappings from all analytic rules; Updated Workbooks' drilldown capabilities | -| 3.0.0 | 26-08-2025 | Initial Solution Release | \ No newline at end of file +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|---|---|---| +| 3.1.0 | 10-06-2026 | Added Veeam Data Connector (CCF) with support for VeeamMalwareEventsV2_CL, VeeamSecurityComplianceAnalyzerV2_CL, VeeamAuthorizationEventsV2_CL, VeeamOneTriggeredAlarmsV2_CL, VeeamCovewareFindingsV2_CL, and VeeamSessionsV2_CL. Added alias parsers parser_VeeamMalwareEventsV2AliasFunction, parser_VeeamSecurityComplianceAnalyzerV2AliasFunction, parser_VeeamAuthorizationEventsV2AliasFunction, parser_VeeamOneTriggeredAlarmsV2AliasFunction, parser_VeeamCovewareFindingsV2AliasFunction, and parser_VeeamSessionsV2AliasFunction. | +| 3.0.2 | 15-10-2025 | Updated author to Veeam Software | +| 3.0.1 | 03-10-2025 | Updated Coveware security findings integration; Removed irrelevant mappings from all analytic rules; Updated Workbooks drilldown capabilities | +| 3.0.0 | 26-08-2025 | Initial Solution Release | \ No newline at end of file diff --git a/Solutions/Veeam/SolutionMetadata.json b/Solutions/Veeam/SolutionMetadata.json index b8603f916b8..ce67ed86cc0 100644 --- a/Solutions/Veeam/SolutionMetadata.json +++ b/Solutions/Veeam/SolutionMetadata.json @@ -1,7 +1,7 @@ { "publisherId": "veeamsoftware", "offerId": "azure-sentinel-solution-veeamapp", - "firstPublishDate": "2025-08-26", + "firstPublishDate": "2026-06-16", "providers": [ "Veeam" ], "categories": { "domains": [ "IT Operations", "Security - Threat Protection" ] 
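Review bot: `firstPublishDate` in SolutionMetadata.json is moved forward from `2025-08-26` to `2026-06-16`, while the release notes in this same commit still record 3.0.0 as the initial release on 26-08-2025. The field states when the solution first shipped, so overwriting it discards that provenance and makes the metadata disagree with the changelog; the line would normally stay `"firstPublishDate": "2025-08-26",` with the 3.1.0 date carried in `lastPublishDate`. The packaged template hunk earlier in this diff makes the same change and would need regenerating once the metadata is corrected.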
@@ -12,5 +12,5 @@
 "tier": "Partner",
 "link": "https://helpcenter.veeam.com/docs/security_plugins_microsoft_sentinel/guide/"
 },
- "version": "3.0.2"
+ "version": "3.1.0"
 }
\ No newline at end of file