
Commvault Security IQ for Sentinel

Commvault

Enables Commvault users to ingest alerts and other data into their Sentinel instance.

Commvault -- Sentinel Integration

This Sentinel integration enables Commvault users to ingest alerts and other data into their Sentinel instance. With Analytic Rules, Sentinel can automatically create Sentinel incidents from incoming Commvault events and logs.

Key Features

  • Commvault access tokens are stored in Azure KeyVault and rotated automatically, so no long-lived token is left in use.
  • Perform automated actions such as disabling IDP, specific users, or data aging on your Commvault/Metallic environment from inside Sentinel.

Prerequisites

  • Administrative access to your Commvault/Metallic environment.
  • Administrative access to your Azure Resource Group and Subscription.
  • A Microsoft Sentinel instance in the aforementioned Azure Resource Group.
  • An Azure Log Analytic Workspace in the aforementioned Azure Resource Group.

Inventory of Required Assets

All of the following Azure assets need to be created in order for this integration to function properly. In addition to creating these assets, the proper permissions need to be granted. When following the installation instructions, please use the same asset names to ensure compatibility.

Automation Account

  • Commvault-Automation-Account: This is where the runbooks are stored.

Runbooks

All runbooks are stored in the Automation Account Commvault-Automation-Account.

  • Commvault_Cycle_Token: Used in the CommvaultTokenCycle Logic App to execute the API calls that generate a new Commvault/Metallic access token.
  • Commvault_Disable_Data_Aging: Used in the Commvault-Logic-App Logic App to execute the API calls that disable data aging for a specific client.
  • Commvault_Disable_IDP: Used in the Commvault-Logic-App Logic App to execute the API calls that disable the IDP in your environment.
  • Commvault_Disable_User: Used in the Commvault-Logic-App Logic App to execute the API calls that disable a specific user given their email address.

Logic Apps

  • Commvault-Logic-App: This Logic App (also referred to as a Playbook) executes when called upon by an Automation Rule. It retrieves the required credentials from the KeyVault and then executes the runbook that matches the use case.
  • CommvaultTokenCycle: This Logic App (also referred to as a Playbook) executes periodically to generate a new Commvault/Metallic access token and securely overwrites the old access token in your KeyVault.

Sentinel Analytic Rules

Each of these Analytic Rules runs on a continuous basis and queries for a manually created Sentinel incident. Once such an incident is discovered, a new incident is created, and that new incident triggers the corresponding Automation Rule.

  • IDP Compromised: The Sentinel Analytic Rule that continuously searches for a manually created Sentinel Incident pertaining to a compromised Commvault/Metallic IDP.
  • User Compromised: The Sentinel Analytic Rule that continuously searches for a manually created Sentinel Incident pertaining to a compromised Commvault/Metallic user.
  • Data Aging: The Sentinel Analytic Rule that continuously searches for a manually created Sentinel Incident pertaining to a request to disable data aging on a specific Commvault/Metallic client.
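As an added illustration of the pattern these three rules follow (this is constructed example KQL, not the query shipped in the Commvault solution), the following scheduled Analytic Rule query watches the SecurityIncident table for a manually created incident whose title flags a compromised Commvault/Metallic IDP. The title text "IDP Compromised", the one-hour lookback and the projected columns are assumptions; the column names are those of the standard SecurityIncident table.

```kql
// Constructed example (not the Commvault solution's own rule): find a manually
// created incident asking for the Commvault/Metallic IDP to be disabled.
// Title wording and lookback window are assumptions.
SecurityIncident
| where TimeGenerated > ago(1h)
// every status or comment change writes a new row, so keep the latest per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "New"
| where Title has "Commvault" and Title has "IDP Compromised"
// a manually created incident has no analytic rule and no alerts behind it;
// this filter also stops the rule from re-firing on the incidents it creates itself
| where array_length(RelatedAnalyticRuleIds) == 0
| where toint(AdditionalData.alertsCount) == 0
| project IncidentNumber, Title, Description, Severity, Owner, CreatedTime, IncidentUrl
```

When saved as a scheduled rule with incident creation enabled, each match produces a fresh incident tied to this rule; the Automation Rule then keys on that rule name (or the new incident's title) to run the Commvault-Logic-App playbook, which is the hand-off the inventory above describes. The two filters on RelatedAnalyticRuleIds and alertsCount are the check a practitioner should keep: without them the rule's own incidents match the title pattern and the playbook is triggered repeatedly.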