

Commvault Integration with Microsoft Azure Sentinel - V.1.0
Cv-securityIQ committed Aug 30, 2023
1 parent ff43125 commit 596c23c
Showing 21 changed files with 2,554 additions and 0 deletions.
34 changes: 34 additions & 0 deletions Logos/Commvault-Logo.svg
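--- a/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml
+++ b/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml
@@ -0,0 +1,31 @@
+id: 1d2c3da7-60ec-40be-9c14-bade6eaf3c49
+name: Data Alert
+description: |
+'This query identifies clients or servers whose data has been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+- Impact
+
+relevantTechniques:
+- T1578
+- T1531
+tags:
+- Commvault
+- Metallic
+- Threat Intelligence
+- Ransomware
+query: |
+SecurityIncident
+| where Title has "Cvlt Alert" and Description has "Client" and Description has "Compromised" and Status has "New"
+| extend extracted_word = extract("Client\\s(.*?)\\sCompromised", 1, Description)
+| project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled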
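Review bot: The client name that the `extend` on the query's third line pulls out of Description is discarded again by the `project` on the following line, and with `entityMappings: null` the incident raised from this rule carries no Host entity an analyst can pivot on or that automation can act against; User_Alert.yaml has the same shape with its `User\\s(.*?)\\sCompromised` extraction and would need an Account mapping (identifier Name) instead of a Host one. Keep the extracted column, `| project TimeGenerated, Title, Description, Status, ClientName = extracted_word`, and add an entityMappings block that maps it, as sketched below. Two smaller points: the single quotes inside the `description: |` block scalar become part of the rendered text, and the `relevantTechniques` list (T1578, T1531) is identical across all three rules, so it is worth confirming it reflects what each rule actually detects rather than being copied along.
```yaml
query: |
  SecurityIncident
  # … unchanged: where / extend lines …
  | project TimeGenerated, Title, Description, Status, ClientName = extracted_word
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: ClientName
# … unchanged: version, kind …
```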
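--- a/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
+++ b/Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml
@@ -0,0 +1,28 @@
+id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
+name: IDP Alert
+description: |
+'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+- Impact
+relevantTechniques:
+- T1578
+- T1531
+tags:
+- Commvault
+- Metallic
+- Threat Intelligence
+- Ransomware
+query: |
+SecurityIncident
+| where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
+entityMappings: null
+version: 1.0.0
+kind: Scheduled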
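Review bot: The `where` clause on the query's second line compares Description with `==`, which in KQL is a case-sensitive exact match, while the sibling Data_Alert and User_Alert rules use `has`; if the upstream alert text ever carries different casing or surrounding words this rule silently stops firing, and because the condition is `gt 0` nothing flags the gap. `Description has "IDP Compromised"` (or `=~` if an exact but case-insensitive match is intended) would be consistent with the other rules and more robust. Since nothing is extracted here, the `entityMappings: null` is less of a loss than in the other two rules, but a one-line comment above it stating that the IDP alert carries no entity would stop the next maintainer from treating it as an omission.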
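--- a/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
+++ b/Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml
@@ -0,0 +1,30 @@
+id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
+name: User Alert
+description: |
+'This query identifies users whose user account or credentials have been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+- Impact
+relevantTechniques:
+- T1578
+- T1531
+tags:
+- Commvault
+- Metallic
+- Threat Intelligence
+- Ransomware
+query: |
+SecurityIncident
+| where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
+| extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
+| project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled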
@@ -0,0 +1,19 @@
{
"Name": "Commvault Security IQ",
"Author": "svc.cv-securityiq@commvault.com",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">",
"Description": "This Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents",
"Analytic Rules": [
"Analytic Rules/Data_Alert.yaml",
"Analytic Rules/IDP_Alert.yaml",
"Analytic Rules/User_Alert.yaml"
],
"Playbooks": [
"Playbooks/CommvaultLogicApp/azuredeploy.json"
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Commvault Security IQ",
"Version": "3.0.0",
"TemplateSpec": true,
"Is1Pconnector": false
}
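Review bot: The `Logo` value on the hunk's fourth line embeds an `<img>` whose `width` and `height` attributes are not separated by whitespace (`width=\"75px\"height=\"75px\"`), which is malformed HTML; browsers recover from it, but markdown renderers and sanitizers may not, and the same string recurs in createUiDefinition.json's `basics.description`. Fixing both to `width=\"75px\" height=\"75px\"` is a one-token change. The `BasePath` value is an absolute Windows path from the author's workstation (`C:\\GitHub\\Azure-Sentinel\\...`), which ties the packaging input to one machine and publishes a local directory layout in the repository; a repository-relative or raw-GitHub location would be portable. The file header naming this file is missing from the rendered page, so confirm it is the solution's Data file before relying on the field names above.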
Binary file added Solutions/Commvault Security IQ/Package/3.0.0.zip
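--- a/Solutions/Commvault Security IQ/Package/createUiDefinition.json
+++ b/Solutions/Commvault Security IQ/Package/createUiDefinition.json
@@ -0,0 +1,159 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+"handler": "Microsoft.Azure.CreateUIDef",
+"version": "0.1.2-preview",
+"parameters": {
+"config": {
+"isWizard": false,
+"basics": {
+"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents\n\n**Analytic Rules:** 3, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+"subscription": {
+"resourceProviders": [
+"Microsoft.OperationsManagement/solutions",
+"Microsoft.OperationalInsights/workspaces/providers/alertRules",
+"Microsoft.Insights/workbooks",
+"Microsoft.Logic/workflows"
+]
+},
+"location": {
+"metadata": {
+"hidden": "Hiding location, we get it from the log analytics workspace"
+},
+"visible": false
+},
+"resourceGroup": {
+"allowExisting": true
+}
+}
+},
+"basics": [
+{
+"name": "getLAWorkspace",
+"type": "Microsoft.Solutions.ArmApiControl",
+"toolTip": "This filters by workspaces that exist in the Resource Group selected",
+"condition": "[greater(length(resourceGroup().name),0)]",
+"request": {
+"method": "GET",
+"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+}
+},
+{
+"name": "workspace",
+"type": "Microsoft.Common.DropDown",
+"label": "Workspace",
+"placeholder": "Select a workspace",
+"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+"constraints": {
+"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+"required": true
+},
+"visible": true
+}
+],
+"steps": [
+{
+"name": "analytics",
+"label": "Analytics",
+"subLabel": {
+"preValidation": "Configure the analytics",
+"postValidation": "Done"
+},
+"bladeTitle": "Analytics",
+"elements": [
+{
+"name": "analytics-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+}
+},
+{
+"name": "analytics-link",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+}
+}
+},
+{
+"name": "analytic1",
+"type": "Microsoft.Common.Section",
+"label": "Data Alert",
+"elements": [
+{
+"name": "analytic1-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This query identifies clients or servers whose data has been compromised."
+}
+}
+]
+},
+{
+"name": "analytic2",
+"type": "Microsoft.Common.Section",
+"label": "IDP Alert",
+"elements": [
+{
+"name": "analytic2-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider."
+}
+}
+]
+},
+{
+"name": "analytic3",
+"type": "Microsoft.Common.Section",
+"label": "User Alert",
+"elements": [
+{
+"name": "analytic3-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This query identifies users whose user account or credentials have been compromised."
+}
+}
+]
+}
+]
+},
+{
+"name": "playbooks",
+"label": "Playbooks",
+"subLabel": {
+"preValidation": "Configure the playbooks",
+"postValidation": "Done"
+},
+"bladeTitle": "Playbooks",
+"elements": [
+{
+"name": "playbooks-text",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+}
+},
+{
+"name": "playbooks-link",
+"type": "Microsoft.Common.TextBlock",
+"options": {
+"link": {
+"label": "Learn more",
+"uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+}
+}
+}
+]
+}
+],
+"outputs": {
+"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+"location": "[location()]",
+"workspace": "[basics('workspace')]"
+}
+}
+}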
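Review bot: The workspace filter in the `allowedValues` expression of the `workspace` dropdown decides that a workspace belongs to the selected resource group by checking whether the lower-cased workspace id merely contains the resource-group name, so a group called `prod` also lists workspaces from `prod-eu` or `myprod`, and the same substring test in `outputs.workspace-location` can then resolve the wrong workspace's location when two such groups hold same-named workspaces. Anchoring the test on the id's path segment, `contains(toLower(filter.id), toLower(concat('/resourcegroups/', resourceGroup().name, '/')))`, uses only functions already present in the file and makes the match exact; both occurrences need the change. The dropdown entries are also produced by concatenating `item.name` into a JSON string and calling `parse` on it, which breaks for a name containing a quote or backslash — Azure's workspace-name rules presumably rule that out today, but a short comment stating that assumption would help. Separately, `resourceProviders` registers `Microsoft.Insights/workbooks` although the solution ships no workbooks; harmless, but it widens what the installer asks for without need.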
