Azure · v-dvedak · Sep 5, 2023 · Aug 30, 2023 · Sep 1, 2023 · Sep 1, 2023
@@ -0,0 +1,31 @@
+id: 1d2c3da7-60ec-40be-9c14-bade6eaf3c49
+name: Data Alert
+description: |
+  'This query identifies clients or servers whose data has been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description has "Client" and Description has "Compromised" and Status has "New"
+    | extend extracted_word = extract("Client\\s(.*?)\\sCompromised", 1, Description)
+    | project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,28 @@
+id: c982bcc1-ef73-485b-80d5-2a637ce4ab2b
+name: IDP Alert
+description: |
+  'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,30 @@
+id: 29e0767c-80ac-4689-9a2e-b25b9fc88fce
+name: User Alert
+description: |
+  'This query identifies users whose user account or credentials have been compromised.'
+severity: Medium
+status: Available
+requiredDataConnectors: []
+queryFrequency: 5m
+queryPeriod: 5m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - DefenseEvasion
+  - Impact
+relevantTechniques:
+  - T1578
+  - T1531
+tags:
+  - Commvault
+  - Metallic
+  - Threat Intelligence
+  - Ransomware
+query: |
+    SecurityIncident
+    | where Title has "Cvlt Alert" and Description has "User" and Description has "Compromised" and Status has "New"
+    | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
+    | project TimeGenerated, Title, Description, Status
+entityMappings: null
+version: 1.0.0
+kind: Scheduled
@@ -0,0 +1,19 @@
+{
+  "Name": "Commvault Security IQ",
+  "Author": "svc.cv-securityiq@commvault.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">",
+  "Description": "This Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents",
+  "Analytic Rules": [
+	  "Analytic Rules/Data_Alert.yaml",
+	  "Analytic Rules/IDP_Alert.yaml",
+	  "Analytic Rules/User_Alert.yaml"
+  ],
+  "Playbooks": [
+        "Playbooks/CommvaultLogicApp/azuredeploy.json"
+    ],
+  "Metadata": "SolutionMetadata.json",
+  "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Commvault Security IQ",
+  "Version": "3.0.0",
+  "TemplateSpec": true,
+	"Is1Pconnector": false
+}
@@ -0,0 +1,159 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Commvault-Logo.svg\" width=\"75px\"height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThis Microsoft Sentinel integration enables Commvault users to ingest alerts and other data into their Microsoft Sentinel instance. With Analytic Rules, Microsoft Sentinel can automatically create Microsoft Sentinel incidents\n\n**Analytic Rules:** 3, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "analytics",
+        "label": "Analytics",
+        "subLabel": {
+          "preValidation": "Configure the analytics",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Analytics",
+        "elements": [
+          {
+            "name": "analytics-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view."
+            }
+          },
+          {
+            "name": "analytics-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          },
+          {
+            "name": "analytic1",
+            "type": "Microsoft.Common.Section",
+            "label": "Data Alert",
+            "elements": [
+              {
+                "name": "analytic1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies clients or servers whose data has been compromised."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic2",
+            "type": "Microsoft.Common.Section",
+            "label": "IDP Alert",
+            "elements": [
+              {
+                "name": "analytic2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider."
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic3",
+            "type": "Microsoft.Common.Section",
+            "label": "User Alert",
+            "elements": [
+              {
+                "name": "analytic3-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "This query identifies users whose user account or credentials have been compromised."
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This solution installs the Playbook templates to help implement your Security Orchestration, Automation and Response (SOAR) operations. After installing the solution, these will be deployed under Playbook Templates in the Automation blade in Microsoft Sentinel. They can be configured and managed from the Manage solution view in Content Hub."
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}