Veeam has a really nice Veeam App for Splunk.  It’s actually one of the nicer apps that has easy data integration and pre-built dashboards that pretty much work out-of-the-box.     However, the Veeam data is really only usable within the Veeam App.  If you are in a different App in Splunk and try to query the Veeam data a lot of fields will be “missing”.  You can see here that I need use 3 fields (EventGroup, ActivityType, and severity) to find the specific events I’m looking for, but only 1 of those fields is actually availble in the _raw data:   Ok...so why are these fields available in the Veeam App but not in any other App in Splunk, especially since they don’t even actually exist?  This is due to the “enrichment” the Veeam App is performing translating things like “instanceId” into something human-readable and informative.  For example instanceId here is “41600” and when you query the Veeam events there is a lookup that references 41600 and returns additional information:   Great, so if this is available in the Veeam App, why don’t I just do all my work there rather than trying to make this extra information available outside the Veeam App?  The short answer is I want to be able to work with more than one dataset at a time.  The longer answer is that I have a custom “app” where I store all my SOC security detection queries.  Splunk also has their Enterprise Security App which basically does the same thing.   What this allows is the creation of correlated searches, such as one search that picks up any “ransomware” related event regardless of whether it comes from Veeam or AntiVirus or UEBA, etc.   But if the Veeam data isn’t usable outside of the Veeam app you can’t incorporate it into your standard SOC process.     What you need to do is make the all the enrichment in the Veeam App (props, lookups, transforms, datamodels, etc) readable from any App in Splunk, not just from the Veeam App.   You can do all this from the Splunk GUI (you might need to be an Admin...not sure...I’m an Admin so I can do everything/whatever I want LOL 😁) Share the Data Model Globally:   Share the enrichment (“props” & “transforms”) Globally:   You can see here before and after snips of the “export” config after I modified all the properties: (default.meta)   (local.meta which overrides defaul created dynamically after edit) ... View more

​ There is extra contextual data for the Malware Detection events that is needed in order to properly start an investigation into the alerts Some of the additional contextual elements needed are in the “C:\ProgramData\Veeam\Backup\Malware_Detection_Logs\” directory When setting up a SOC to respond to these alerts you need this information embedded directly into the Detection Alert from your SIEM This covers only the “Malware_Detection_Logs” directory, there are other contextual data sources needed that will be covered in another post First ensure baseline logging and dashboards are setup.  Veeam has actually done a very good job of making this easy 😁 setup syslog for VBR Specifying Syslog Servers install Splunk app in your Splunk environment Veeam App for Splunk You then need to install a Splunk Universal Forwarder on the VBR server to collect the additional context data: Download Universal Forwarder for Remote Data Collection | Splunk create a custom Splunk file monitor input to collect data from the "Malware_Detection_Logs" directory (work with your Splunk admin if you need help) Now you are ready to correlate the Malware Detection events with their contextual data in a custom Detection Alert for your SOC: only the “ObjectName” field is present in both the Malware Detection event and the log files you need to use the timestamp and the ObjectName to correlate these data sources together THERE IS A LOT OF NUANCE IN THE <snip>ed SECTION BELOW (I can help if you need it, but it was too much to post and needed to be sanitized anyway) You will now see contextual data embedded directly into the SOC alert (we were doing some testing and set .txt and .pdf as bad file extensions just to generate data 😋😞 ... View more

I've installed the Splunk Add-On Builder but the UI is blank/won't load...I've tried installing on my HF (Heavy Forwarder) and my DS (Deployment Server) (HF is under a lot of load) but still the problem persists.   ... View more

For example, in props.conf TIME_PREFIX requires a regex.  My regex seems to work in my search but does not seem to be applied to my data via the .conf file ... View more