Data Source

This connector ingests telemetry from three Veeam ecosystem products:

  • Veeam Backup and Replication – malware detection, security compliance analyzer results, authorization/authentication events, and session telemetry via the Veeam REST API (v1.3-rev1, default port 9419)
  • Veeam ONE – triggered alarm events from Veeam ONE monitoring servers
  • Coveware – ransomware incident response findings via the Coveware Bearer-token API

Ingestion Mechanism

CCF-based (Codeless Connector Framework) with REST API polling. Six independent pollingConfig blocks drive ingestion into six new custom tables via DCR/DCE:

Table                                   Data
VeeamMalwareEventsV2_CL                 Malware detection events from Veeam B&R
VeeamSecurityComplianceAnalyzerV2_CL    Security and Compliance Analyzer scan results
VeeamAuthorizationEventsV2_CL           Authentication and authorization events
VeeamOneTriggeredAlarmsV2_CL            Alarm events from Veeam ONE servers
VeeamCovewareFindingsV2_CL              Coveware ransomware incident findings
VeeamSessionsV2_CL                      Backup and restore session telemetry

Six alias parsers are included (parser_VeeamMalwareEventsV2AliasFunction, parser_VeeamSecurityComplianceAnalyzerV2AliasFunction, parser_VeeamAuthorizationEventsV2AliasFunction, parser_VeeamOneTriggeredAlarmsV2AliasFunction, parser_VeeamCovewareFindingsV2AliasFunction, parser_VeeamSessionsV2AliasFunction) to provide stable query entry points over the custom tables.

Authentication is Bearer token-based: separate tokens are required for the Veeam API endpoint and for the Coveware API URL.

Detection Surface Unlocked

Backup infrastructure is a high-value ransomware target – attackers routinely target backup systems to prevent recovery (T1490). This connector surfaces:

  • Malware detections on backup workloads – not visible to Sentinel without this connector
  • Authorization anomalies in Veeam B&R – credential abuse against backup admin accounts (T1078)
  • Compliance drift via Security and Compliance Analyzer results – misconfigured backup hardening that widens the attack surface
  • Coveware findings – post-incident ransomware forensics data directly in Sentinel for correlation with other IOCs
  • Session telemetry – abnormal restore operations or job failures that may indicate data destruction or exfiltration activity (T1485, T1537)
  • Veeam ONE alarms – operational and security alarm aggregation from the Veeam monitoring plane

No bundled Analytic Rules or Hunting Queries are included in this PR. Detection coverage depends on the existing Veeam Solution rules deployed prior to this connector addition.

MITRE Coverage (from connector data surface)

  • T1078 – Valid Accounts (AuthorizationEvents stream)
  • T1485 – Data Destruction (Session/MalwareEvents streams)
  • T1490 – Inhibit System Recovery (core backup infrastructure monitoring use case)
  • T1537 – Transfer Data to Cloud Account (Sessions stream)

Affected Files

Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_ConnectorDefinition.json
Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_DCR.json
Solutions/Veeam/Data Connectors/Veeam_CCF/Veeam_PollerConfig.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamAuthorizationEventsV2.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamCovewareFindingsV2.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamMalwareEventsV2.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamOneTriggeredAlarmsV2.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSecurityComplianceAnalyzerV2.json
Solutions/Veeam/Data Connectors/Veeam_CCF/table_VeeamSessionsV2.json
Solutions/Veeam/Package/testParameters.json
Solutions/Veeam/Parsers/parser_VeeamAuthorizationEventsV2AliasFunction.json
Solutions/Veeam/Parsers/parser_VeeamCovewareFindingsV2AliasFunction.json
Solutions/Veeam/Parsers/parser_VeeamMalwareEventsV2AliasFunction.json
Solutions/Veeam/Parsers/parser_VeeamOneTriggeredAlarmsV2AliasFunction.json
Solutions/Veeam/Parsers/parser_VeeamSecurityComplianceAnalyzerV2AliasFunction.json
Solutions/Veeam/Parsers/parser_VeeamSessionsV2AliasFunction.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_Veeam.json, createUiDefinition.json, mainTemplate.json)