Merge pull request #11646 from Cv-securityIQ/BugFix

Changing analytics rule name and Auditing requests for tracking usage

Author: v-atulyadav

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -261,5 +261,6 @@
   "IllumioSaaSDataConnector",
   "CTERA",
   "Workday",
-  "SamsungDCDefinition"
+  "SamsungDCDefinition",
+  "CommvaultSecurityIQ_CL"
 ]

Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml

@@ -1,10 +1,13 @@
 id: 317e757e-c320-448e-8837-fc61a70fe609
-name: CommvaultSecurityIQ Alert
+name: Commvault Cloud Alert
 description: |
-  'This query identifies CommvaultSecurityIQ Alerts.'
+  'This query identifies Alerts from Commvault Cloud.'
 severity: Medium
 status: Available
-requiredDataConnectors: []
+requiredDataConnectors:
+  - connectorId: CommvaultSecurityIQ_CL
+    datatypes:
+      - CommvaultSecurityIQ_CL
 queryFrequency: 5m
 queryPeriod: 5m
 triggerOperator: gt
@@ -25,5 +28,5 @@ query: |
     CommvaultSecurityIQ_CL
     | take 1000
 entityMappings: null
-version: 1.0.0
+version: 1.0.2
 kind: Scheduled

Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml

@@ -4,7 +4,10 @@ description: |
   'This query identifies clients or servers whose data has been compromised.'
 severity: Medium
 status: Available
-requiredDataConnectors: []
+requiredDataConnectors:
+  - connectorId: CommvaultSecurityIQ_CL
+    datatypes:
+      - CommvaultSecurityIQ_CL
 queryFrequency: 5m
 queryPeriod: 5m
 triggerOperator: gt
@@ -27,5 +30,5 @@ query: |
     | extend extracted_word = extract("Client\\s(.*?)\\sCompromised", 1, Description)
     | project TimeGenerated, Title, Description, Status
 entityMappings: null
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/Commvault Security IQ/Analytic Rules/IDP_Alert.yaml

@@ -4,7 +4,10 @@ description: |
   'This query identifies indications of a potential security breach or unauthorized access to the systems and data of the Identity Provider.'
 severity: Medium
 status: Available
-requiredDataConnectors: []
+requiredDataConnectors:
+  - connectorId: CommvaultSecurityIQ_CL
+    datatypes:
+      - CommvaultSecurityIQ_CL
 queryFrequency: 5m
 queryPeriod: 5m
 triggerOperator: gt
@@ -24,5 +27,5 @@ query: |
     SecurityIncident
     | where Title has "Cvlt Alert" and Description == "IDP Compromised" and Status has "New"
 entityMappings: null
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled

Solutions/Commvault Security IQ/Analytic Rules/User_Alert.yaml

@@ -4,7 +4,10 @@ description: |
   'This query identifies users whose user account or credentials have been compromised.'
 severity: Medium
 status: Available
-requiredDataConnectors: []
+requiredDataConnectors:
+  - connectorId: CommvaultSecurityIQ_CL
+    datatypes:
+      - CommvaultSecurityIQ_CL
 queryFrequency: 5m
 queryPeriod: 5m
 triggerOperator: gt
@@ -26,5 +29,5 @@ query: |
     | extend extracted_word = extract("User\\s(.*?)\\sCompromised", 1, Description)
     | project TimeGenerated, Title, Description, Status
 entityMappings: null
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled