Add Veeam data connector - Public Preview #14462
Merged
TwistedAlex merged 11 commits into Azure:master from v-hectorarv:feature/veeam-public-preview
Jun 22, 2026
- ac8d4b6 Veeam Custom tables added to Veeam_CCF (v-hectorarv)
- f74c0b8 Add Veeam data connector - Public Preview- CCF connector with 6 data … (v-hectorarv)
- f73d9a6 Veeam - fix KQL error (v-hectorarv)
- 1aa83e1 Fix Internal Review comments (v-hectorarv)
- 14e94de Refactor code structure for improved readability and maintainability (v-hectorarv)
- 926a4d8 PR Comments resolved (v-hectorarv)
- b7e53ab PR Comment resolved - package (v-hectorarv)
- ad361e8 PR Comments solved - remove package (v-hectorarv)
- 4f7025d Fix internal review comments. Add parsers (v-hectorarv)
- f0d1f0e fixing comment for the PR (v-hectorarv)
- 9ab7098 fixing differences (v-hectorarv)
295 changes: 295 additions & 0 deletions
Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,295 @@ | ||
| { | ||
| "name": "VeeamConnector", | ||
| "apiVersion": "2023-04-01-preview", | ||
| "type": "Microsoft.SecurityInsights/dataConnectorDefinitions", | ||
| "location": "{{location}}", | ||
| "kind": "Customizable", | ||
| "properties": { | ||
| "connectorUiConfig": { | ||
| "id": "VeeamConnector", | ||
| "title": "Veeam Data Connector (via Codeless Connector Framework)", | ||
| "publisher": "Microsoft", | ||
| "descriptionMarkdown": "Veeam Data Connector allows you to ingest Veeam telemetry data from multiple custom tables into Microsoft Sentinel.\n\nThe connector supports integration with Veeam Backup & Replication, Veeam ONE and Coveware platforms to provide comprehensive monitoring and security analytics. The data is collected through Azure Functions and stored in custom Log Analytics tables with dedicated Data Collection Rules (DCR) and Data Collection Endpoints (DCE).\n\n**Custom Tables Included:**\n- **VeeamMalwareEventsV2_CL**: Malware detection events from Veeam Backup & Replication\n- **VeeamSecurityComplianceAnalyzerV2_CL**: Security & Compliance Analyzer results collected from Veeam backup infrastructure components\n- **VeeamAuthorizationEventsV2_CL**: Authorization and authentication events\n- **VeeamOneTriggeredAlarmsV2_CL**: Triggered alarms from Veeam ONE servers\n- **VeeamCovewareFindingsV2_CL**: Security findings from Coveware solution\n- **VeeamSessionsV2_CL**: Veeam sessions", | ||
| "graphQueries": [ | ||
| { | ||
| "metricName": "Total malware logs received", | ||
| "legend": "Malware events", | ||
| "baseQuery": "VeeamMalwareEventsV2_CL" | ||
| }, | ||
| { | ||
| "metricName": "Critical malware events", | ||
| "legend": "Critical malware events", | ||
| "baseQuery": "VeeamMalwareEventsV2_CL\n| where Severity == \"Critical\"" | ||
| }, | ||
| { | ||
| "metricName": "Total security & compliance analyzer logs received", | ||
| "legend": "Security & Compliance Analyzer results", | ||
| "baseQuery": "VeeamSecurityComplianceAnalyzerV2_CL" | ||
| }, | ||
| { | ||
| "metricName": "Total veeam ONE alarms logs received", | ||
| "legend": "Veeam ONE alarms", | ||
| "baseQuery": "VeeamOneTriggeredAlarmsV2_CL" | ||
| }, | ||
| { | ||
| "metricName": "Total authorization events logs received", | ||
| "legend": "Authorization events", | ||
| "baseQuery": "VeeamAuthorizationEventsV2_CL" | ||
| }, | ||
| { | ||
| "metricName": "Total coveware findings logs received", | ||
| "legend": "Coveware findings", | ||
| "baseQuery": "VeeamCovewareFindingsV2_CL" | ||
| }, | ||
| { | ||
| "metricName": "Total session logs received", | ||
| "legend": "Session logs", | ||
| "baseQuery": "VeeamSessionsV2_CL" | ||
| } | ||
| ], | ||
| "sampleQueries": [ | ||
| { | ||
| "description": "Malware Events", | ||
| "query": "VeeamMalwareEventsV2_CL\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Critical Malware Events", | ||
| "query": "VeeamMalwareEventsV2_CL\n | where Severity == \"Critical\"\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Security Compliance Results", | ||
| "query": "VeeamSecurityComplianceAnalyzerV2_CL\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Veeam ONE Alarms", | ||
| "query": "VeeamOneTriggeredAlarmsV2_CL\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Authorization Events", | ||
| "query": "VeeamAuthorizationEventsV2_CL\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Coveware Security Findings", | ||
| "query": "VeeamCovewareFindingsV2_CL\n | sort by TimeGenerated desc" | ||
| }, | ||
| { | ||
| "description": "Session events", | ||
| "query": "VeeamSessionsV2_CL\n | sort by TimeGenerated desc" | ||
| } | ||
| ], | ||
| "dataTypes": [ | ||
| { | ||
| "name": "VeeamMalwareEventsV2_CL", | ||
| "lastDataReceivedQuery": "VeeamMalwareEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| }, | ||
| { | ||
| "name": "VeeamSecurityComplianceAnalyzerV2_CL", | ||
| "lastDataReceivedQuery": "VeeamSecurityComplianceAnalyzerV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| }, | ||
| { | ||
| "name": "VeeamOneTriggeredAlarmsV2_CL", | ||
| "lastDataReceivedQuery": "VeeamOneTriggeredAlarmsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| }, | ||
| { | ||
| "name": "VeeamAuthorizationEventsV2_CL", | ||
| "lastDataReceivedQuery": "VeeamAuthorizationEventsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| }, | ||
| { | ||
| "name": "VeeamCovewareFindingsV2_CL", | ||
| "lastDataReceivedQuery": "VeeamCovewareFindingsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| }, | ||
| { | ||
| "name": "VeeamSessionsV2_CL", | ||
| "lastDataReceivedQuery": "VeeamSessionsV2_CL\n| where TimeGenerated > ago(12h)\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" | ||
| } | ||
| ], | ||
| "connectivityCriteria": [ | ||
| { | ||
| "type": "HasDataConnectors" | ||
| } | ||
| ], | ||
| "availability": { | ||
| "isPreview": true, | ||
| "status": 1 | ||
| }, | ||
| "permissions": { | ||
| "resourceProvider": [ | ||
| { | ||
| "provider": "Microsoft.OperationalInsights/workspaces", | ||
| "permissionsDisplayText": "Read and Write permissions are required.", | ||
| "providerDisplayName": "Workspace", | ||
| "scope": "Workspace", | ||
| "requiredPermissions": { | ||
| "write": true, | ||
| "read": true, | ||
| "delete": true, | ||
| "action": false | ||
| } | ||
| }, | ||
| { | ||
| "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", | ||
| "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", | ||
| "providerDisplayName": "Keys", | ||
| "scope": "Workspace", | ||
| "requiredPermissions": { | ||
| "read": true | ||
| } | ||
| } | ||
| ], | ||
| "customs": [ | ||
| { | ||
| "name": "Veeam Data Access", | ||
| "description": "Access to Veeam systems is required to collect security and operational data. The connector supports data ingestion from Veeam Backup & Replication, Veeam ONE, and Coveware platforms." | ||
| } | ||
| ] | ||
| }, | ||
| "instructionSteps": [ | ||
| { | ||
| "title": "Prerequisites", | ||
| "description": "Follow the instructions to configure the Veeam Data Connector.", | ||
|
v-hectorarv marked this conversation as resolved.
|
||
| "instructions": [ | ||
| { | ||
| "type": "InfoMessage", | ||
| "parameters": { | ||
| "text": "**Note:** This data connector depends on parsers based on Kusto Functions to work as expected. These parsers are installed with the Microsoft Sentinel Solution for Veeam." | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "1. Configuration steps for Veeam Data Connector", | ||
| "instructions": [ | ||
| { | ||
| "type": "Markdown", | ||
| "parameters": { | ||
| "content": "1. Configure your Veeam systems to export security and operational data.\n2. Set up data collection endpoints to ingest data into the custom Log Analytics tables.\n3. Ensure proper permissions are configured for data access.\n4. Verify connectivity and data flow to Microsoft Sentinel." | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "2. Coveware API Configuration", | ||
| "description": "Configure Coveware API credentials for security findings data collection.", | ||
| "instructions": [ | ||
| { | ||
| "type": "Markdown", | ||
| "parameters": { | ||
| "content": "#### 2.1 Obtain Coveware API Credentials\n1. Log in to your Coveware management console\n2. Navigate to API settings or integrations section\n3. Create or configure an API application\n4. Generate or obtain a Bearer token for API access\n5. Note your Coveware API base URL" | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Coveware API URL", | ||
| "placeholder": "https://api.coveware.com", | ||
| "type": "text", | ||
| "name": "covewareApiUrl", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Coveware Bearer Token", | ||
| "placeholder": "Your Coveware API Bearer Token", | ||
| "type": "password", | ||
| "name": "covewareBearerToken", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "3. Veeam API Configuration", | ||
| "description": "Configure Veeam API credentials for all Veeam services (Malware Events, Security Analyzer, and Authorization Events).", | ||
| "instructions": [ | ||
| { | ||
| "type": "Markdown", | ||
| "parameters": { | ||
| "content": "#### 3.1 Obtain Veeam API Access Token\n1. Access your Veeam Backup & Replication management console\n2. Navigate to the REST API settings or authentication section\n3. Generate or obtain a Bearer token for API access\n4. Ensure the token has appropriate permissions for:\n - Malware Detection API (v1.3-rev1)\n - Security & Compliance Analyzer API (v1.3-rev1)\n - Authorization Events API (v1.3-rev1)\n - Sessions API (v1.3-rev1)\n5. Note the API base URL (typically https://your-veeam-server.com:9419)\n6. This token will be used for both on-premises and CDN-hosted APIs" | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Veeam API URL", | ||
| "placeholder": "https://your-veeam-server.com:9419", | ||
| "type": "text", | ||
| "name": "veeamApiUrl", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Veeam Bearer Token", | ||
| "placeholder": "Your Veeam API Bearer Token", | ||
| "type": "password", | ||
| "name": "veeamBearerToken", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "4. Veeam ONE API Configuration", | ||
| "description": "Configure Veeam ONE API credentials for triggered alarms data collection.", | ||
| "instructions": [ | ||
| { | ||
| "type": "Markdown", | ||
| "parameters": { | ||
| "content": "#### 4.1 Obtain Veeam ONE API Access Key\n1. Access your Veeam ONE management console\n2. Navigate to Administration -> Users and Roles\n3. Create or use an existing user with API access permissions\n4. Generate or obtain a Bearer token for API access\n5. Note the Veeam ONE server URL and port (typically https://your-veeam-one-server:1239)" | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Veeam ONE API URL", | ||
| "placeholder": "https://your-veeam-one-server:1239", | ||
| "type": "text", | ||
| "name": "veeamOneApiUrl", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| }, | ||
| { | ||
| "type": "Textbox", | ||
| "parameters": { | ||
| "label": "Veeam ONE API Bearer Token", | ||
| "placeholder": "Your Veeam ONE API Bearer Token", | ||
| "type": "password", | ||
| "name": "veeamOneBearerToken", | ||
| "validations": { | ||
| "required": true | ||
| } | ||
| } | ||
| } | ||
| ] | ||
| }, | ||
| { | ||
| "title": "5. Connect", | ||
| "description": "Enable the Veeam Data Connector.", | ||
| "instructions": [ | ||
| { | ||
| "type": "ConnectionToggleButton", | ||
| "parameters": { | ||
| "connectLabel": "Connect", | ||
| "disconnectLabel": "Disconnect", | ||
| "name": "toggle" | ||
| } | ||
| } | ||
| ] | ||
| } | ||
| ] | ||
| } | ||
| } | ||
| } | ||
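
Review bot: In the `permissions.resourceProvider` entry for `Microsoft.OperationalInsights/workspaces`, `requiredPermissions` sets `"delete": true` while `permissionsDisplayText` says only "Read and Write permissions are required."; either drop the delete requirement or make the display text say why delete is needed, so the person enabling the connector is not asked for more than the text discloses. The same block asks for read on `Microsoft.OperationalInsights/workspaces/sharedKeys`, yet `descriptionMarkdown` says ingestion goes through Data Collection Rules and Data Collection Endpoints; if nothing in this connector reads the workspace key, that entry should be removed. `descriptionMarkdown` also says the data is "collected through Azure Functions" although the title says "via Codeless Connector Framework", so one of the two needs correcting. In step 3, the `description` names Malware Events, Security Analyzer and Authorization Events, but the token permission list in `content` also covers the Sessions API. The three API URL textboxes validate only `"required": true`, and each is paired with a bearer token field, so the instruction text should say that the token is sent to whatever URL is entered and that it should be the https endpoint of the operator's own server.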