Microsoft Sentinel Analytic Rules

Commvault Cloud Alert

Id: 317e757e-c320-448e-8837-fc61a70fe609
Rulename: Commvault Cloud Alert
Description: This query identifies Alerts from Commvault Cloud.
Severity: Medium
Tactics: DefenseEvasion, Impact
Techniques: T1578, T1531
Required data connectors: CommvaultSecurityIQ_CL
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
Version: 1.0.5
Arm template: 317e757e-c320-448e-8837-fc61a70fe609.json
Query (KQL):
let TargetEventCodes = dynamic(["7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575", "35:5636", "7:349", "17:193", "17:195"]);
CommvaultAlerts_CL
| where TimeGenerated > ago(5m)
| where EventCode in (TargetEventCodes)
| take 1000

Rule definition (YAML):
eventGroupingSettings:
  aggregationKind: AlertPerResult
enabled: true
queryPeriod: 5m
kind: Scheduled
name: Commvault Cloud Alert
status: Available
customDetails:
  Client: HostName
entityMappings: 
alertDetailsOverride:
  alertDescriptionFormat: 'Alert from Commvault Cloud for Event ID: {{EventId}}. Event Description: {{Description}}. Check the event description on Commvault Command Center for more details.'
  alertDynamicProperties: []
  alertDisplayNameFormat: 'Alert from Commvault Cloud for Event ID: {{EventId}}'
tactics:
- DefenseEvasion
- Impact
description: |
    'This query identifies Alerts from Commvault Cloud.'
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
requiredDataConnectors:
- connectorId: CommvaultSecurityIQ_CL
  datatypes:
  - CommvaultAlerts_CL
queryFrequency: 5m
triggerThreshold: 0
version: 1.0.5
query: |
  let TargetEventCodes = dynamic(["7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575", "35:5636", "7:349", "17:193", "17:195"]);
  CommvaultAlerts_CL
  | where TimeGenerated > ago(5m)
  | where EventCode in (TargetEventCodes)
  | take 1000  
relevantTechniques:
- T1578
- T1531
id: 317e757e-c320-448e-8837-fc61a70fe609
triggerOperator: gt