Azure-Integration/Solutions/Commvault Security IQ/Analytic Rules/Data_Alert.yaml at 3cb481fb7fbe9831d0881ae9d15c80f65d4b27ef · Commvault-3rdPartyIntegrations/Azure-Integration · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
id: 1d2c3da7-60ec-40be-9c14-bade6eaf3c49
name: Data Alert
description: |
  'This query identifies clients or servers whose data has been compromised.'
severity: Medium
status: Available
requiredDataConnectors:
  - connectorId: CommvaultSecurityIQ_CL
    datatypes:
      - CommvaultSecurityIQ_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
  - Impact

relevantTechniques:
  - T1578
  - T1531
tags:
  - Commvault
  - Metallic
  - Threat Intelligence
  - Ransomware
query: |
    SecurityIncident
    | where Title has "Cvlt Alert" and Description has "Client" and Description has "Compromised" and Status has "New"
    | extend extracted_word = extract("Client\\s(.*?)\\sCompromised", 1, Description)
    | project TimeGenerated, Title, Description, Status
entityMappings: null
version: 1.0.1
kind: Scheduled