Auditing

Veeam Backup for Microsoft 365 is protecting important and confidential company data which is processed and stored on a secondary location. This requires additional monitoring and auditing to ensure the availability and security of the backup data.

As an restore operator of backup administrator can access all backup data it’s important to audit all activities within the Veeam Backup for Microsoft 365 infrastructure to track and trace all restore activities.

There are two methods available to Audit the operations within the Veeam Backup for Microsoft 365 infrastructure.

Audit Notifications by email

To receive email notifications for specific operations within the Veeam Backup for Microsoft 365 infrastructure you can create Audit Items. After creating the Audit Items Veeam Backup for Microsoft 365 will send Audit Notification by email when the specified actions are executed by an operator.

The configuration of Audit Items and settings is performed through the RESTapi and can be configured for specific users or groups. The process is documented within the Managing Audit Notification Settings topic within the helpcenter

Using Powershell

If you prefer to monitor the restore activities using your 3rd party monitoring or SIEM solution you can grep the restore session information using the Get_VBORestoreSession powershell Cmdlet. Using this Cmdlet you can extract the information for specific users or items.

Example syntax:

Get-VBORestoreSession | Where-Object {\(\$\_.ProcessedObjects -notcontains '0') -and \(\$\_.InitiatedBy -in 'Domain\Administrator')} | % { \$\_; \$\_.Log | ? { \$\_.Title -match \"^Item\" }} | Out-File -FilePath C:\temp\test.txt

Resources:

• Managing Audit Notification Settings – Managing Audit Notifications documentation within the Helpcenter.
• Get_VBORestoreSession – Helpcenter documentation for the Get_VBORestoreSession Cmdlet