Commvault Cloud Alert
| Id | 317e757e-c320-448e-8837-fc61a70fe609 |
| Rulename | Commvault Cloud Alert |
| Description | This query identifies Alerts from Commvault Cloud. |
| Severity | Medium |
| Tactics | DefenseEvasion Impact |
| Techniques | T1578 T1531 |
| Required data connectors | CommvaultSecurityIQ_CL |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml |
| Version | 1.0.4 |
| Arm template | 317e757e-c320-448e-8837-fc61a70fe609.json |
let CommvaultData = union isfuzzy=true
(CommvaultSecurityIQ_CL | where TimeGenerated > ago(5m)),
(datatable(TimeGenerated:datetime, eventCodeString_s:string, Event_Code_s:string, description_s:string, Description_s:string, id_d:real, Event_Id_s:string)[]);
CommvaultData
| where isnotempty(TimeGenerated)
| where eventCodeString_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
or Event_Code_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
| extend Description = coalesce(description_s, Description_s, "")
| extend EventId = coalesce(tostring(toint(id_d)), Event_Id_s, "")
| extend ClientMachine = case(
Description contains "on the machine", extract(@"on the machine \[([^\]]+)\]", 1, Description),
Description contains "on client", extract(@"on client \[([^\]]+)\]", 1, Description),
Description contains "for client", extract(@"for client \[([^\]]+)\]", 1, Description),
Description contains "client", extract(@"client \[([^\]]+)\]", 1, Description),
Description contains "machine", extract(@"machine \[([^\]]+)\]", 1, Description),
"Unknown"
)
| project TimeGenerated, eventCodeString_s, Event_Code_s, EventId, Description, ClientMachine, Event_Id_s, id_d
| take 1000
alertDetailsOverride:
alertDisplayNameFormat: 'Alert from Commvault Cloud for Event ID : {{id_d}} '
alertDescriptionFormat: 'Alert from Commvault Cloud for Event ID : {{id_d}} . Event Description : {{Description}} . Check the event description on Commvault Command Center for more details.'
alertDynamicProperties: []
eventGroupingSettings:
aggregationKind: AlertPerResult
tactics:
- DefenseEvasion
- Impact
id: 317e757e-c320-448e-8837-fc61a70fe609
triggerThreshold: 0
version: 1.0.4
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
query: |
let CommvaultData = union isfuzzy=true
(CommvaultSecurityIQ_CL | where TimeGenerated > ago(5m)),
(datatable(TimeGenerated:datetime, eventCodeString_s:string, Event_Code_s:string, description_s:string, Description_s:string, id_d:real, Event_Id_s:string)[]);
CommvaultData
| where isnotempty(TimeGenerated)
| where eventCodeString_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
or Event_Code_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
| extend Description = coalesce(description_s, Description_s, "")
| extend EventId = coalesce(tostring(toint(id_d)), Event_Id_s, "")
| extend ClientMachine = case(
Description contains "on the machine", extract(@"on the machine \[([^\]]+)\]", 1, Description),
Description contains "on client", extract(@"on client \[([^\]]+)\]", 1, Description),
Description contains "for client", extract(@"for client \[([^\]]+)\]", 1, Description),
Description contains "client", extract(@"client \[([^\]]+)\]", 1, Description),
Description contains "machine", extract(@"machine \[([^\]]+)\]", 1, Description),
"Unknown"
)
| project TimeGenerated, eventCodeString_s, Event_Code_s, EventId, Description, ClientMachine, Event_Id_s, id_d
| take 1000
status: Available
queryFrequency: 5m
customDetails:
Client: ClientMachine
kind: Scheduled
severity: Medium
relevantTechniques:
- T1578
- T1531
description: |
'This query identifies Alerts from Commvault Cloud.'
triggerOperator: gt
requiredDataConnectors:
- datatypes:
- CommvaultSecurityIQ_CL
connectorId: CommvaultSecurityIQ_CL
entityMappings:
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
name: Commvault Cloud Alert
enabled: true
queryPeriod: 5m
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/317e757e-c320-448e-8837-fc61a70fe609')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/317e757e-c320-448e-8837-fc61a70fe609')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "Alert from Commvault Cloud for Event ID : {{id_d}} . Event Description : {{Description}} . Check the event description on Commvault Command Center for more details.",
"alertDisplayNameFormat": "Alert from Commvault Cloud for Event ID : {{id_d}} ",
"alertDynamicProperties": []
},
"alertRuleTemplateName": "317e757e-c320-448e-8837-fc61a70fe609",
"customDetails": {
"Client": "ClientMachine"
},
"description": "'This query identifies Alerts from Commvault Cloud.'\n",
"displayName": "Commvault Cloud Alert",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml",
"query": "let CommvaultData = union isfuzzy=true\n (CommvaultSecurityIQ_CL | where TimeGenerated > ago(5m)),\n (datatable(TimeGenerated:datetime, eventCodeString_s:string, Event_Code_s:string, description_s:string, Description_s:string, id_d:real, Event_Id_s:string)[]);\nCommvaultData\n| where isnotempty(TimeGenerated)\n| where eventCodeString_s in (\"7:211\", \"7:212\", \"7:293\", \"7:269\", \"14:337\", \"14:338\", \"69:59\", \"7:333\", \"69:60\", \"35:5575\")\n or Event_Code_s in (\"7:211\", \"7:212\", \"7:293\", \"7:269\", \"14:337\", \"14:338\", \"69:59\", \"7:333\", \"69:60\", \"35:5575\")\n| extend Description = coalesce(description_s, Description_s, \"\")\n| extend EventId = coalesce(tostring(toint(id_d)), Event_Id_s, \"\")\n| extend ClientMachine = case(\n Description contains \"on the machine\", extract(@\"on the machine \\[([^\\]]+)\\]\", 1, Description),\n Description contains \"on client\", extract(@\"on client \\[([^\\]]+)\\]\", 1, Description),\n Description contains \"for client\", extract(@\"for client \\[([^\\]]+)\\]\", 1, Description),\n Description contains \"client\", extract(@\"client \\[([^\\]]+)\\]\", 1, Description),\n Description contains \"machine\", extract(@\"machine \\[([^\\]]+)\\]\", 1, Description),\n \"Unknown\"\n)\n| project TimeGenerated, eventCodeString_s, Event_Code_s, EventId, Description, ClientMachine, Event_Id_s, id_d\n| take 1000\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"status": "Available",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion",
"Impact"
],
"tags": [
"Commvault",
"Metallic",
"Threat Intelligence",
"Ransomware"
],
"techniques": [
"T1531",
"T1578"
],
"templateVersion": "1.0.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}