CommvaultSecurityIQ_API_AzureFunctionApp.json

{
    "id": "CommvaultSecurityIQ_CL",
    "title": "CommvaultSecurityIQ",
    "publisher": "Commvault",
    "descriptionMarkdown": "This Azure Function enables Commvault users to ingest alerts/events into their Microsoft Sentinel instance. With Analytic Rules,Microsoft Sentinel can automatically create Microsoft Sentinel incidents from incoming events and logs.",
    "graphQueries": [
        {
            "metricName": "Commvault Events",
            "legend": "Commvault Security IQ Logs",
            "baseQuery": "CommvaultSecurityIQ_CL"
        }
    ],
    "sampleQueries": [
        {
            "description" : "Last 10 events/alerts ",
            "query": "CommvaultSecurityIQ_CL \n| where TimeGenerated > ago(24h) \n| limit 10"
        }
    ],
    "dataTypes": [
        {
            "name": "CommvaultSecurityIQ_CL",
            "lastDataReceivedQuery": "CommvaultSecurityIQ_CL\n            | summarize Time = max(TimeGenerated)\n            | where isnotempty(Time)"
        }
    ],
    "connectivityCriterias": [
        {
            "type": "IsConnectedQuery",
            "value": [
                "CommvaultSecurityIQ_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
            ]
        }
    ],
    "availability": {
        "status": 1,
        "isPreview": true
    },
    "permissions": {
        "resourceProvider": [
            {
                "provider": "Microsoft.OperationalInsights/workspaces",
                "permissionsDisplayText": "read and write permissions on the workspace are required.",
                "providerDisplayName": "Workspace",
                "scope": "Workspace",
                "requiredPermissions": {
                    "write": true,
                    "read": true,
                    "delete": true
                }
            },
			{
				"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
				"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
				"providerDisplayName": "Keys",
				"scope": "Workspace",
				"requiredPermissions": {
					"action": true
				}
			}
        ],
        "customs": [
            {
                "name": "Microsoft.Web/sites permissions",
                "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
            },            
            {
                "name": "Commvault Environment Endpoint URL",
                "description": "Make sure to follow the documentation and set the secret value in KeyVault"
            },            
            {
                "name": "Commvault QSDK Token",
                "description": "Make sure to follow the documentation and set the secret value in KeyVault"
            }
        ]
    },
    "instructionSteps": [
        {
            "title": "",
            "description": ">**NOTE:** This connector uses Azure Functions to connect to a Commvault Instance to pull its logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
        },
        {
            "title": "",
            "description": ">Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
        },
        {
            "title": "",
            "description": "**STEP 1 - Configuration steps for the Commvalut QSDK Token**\n\n[Follow these instructions](https://documentation.commvault.com/2024e/essential/creating_access_token.html) to create an API Token."
        },
        {
            "title": "",
            "description": "**STEP 2 - Deploy the connector and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the CommvaultSecurityIQ data connector, have the Workspace ID  and Workspace Primary Key (can be copied from the following), as well as the Commvault Endpoint URL and QSDK Token, readily available.",
            "instructions": [
                {
                    "parameters": {
                        "fillWith": [
                            "WorkspaceId"
                        ],
                        "label": "Workspace ID"
                    },
                    "type": "CopyableLabel"
                },
                {
                    "parameters": {
                        "fillWith": [
                            "PrimaryKey"
                        ],
                        "label": "Primary Key"
                    },
                    "type": "CopyableLabel"
                }
            ]
        },
        {
            "title": "",
            "description": "**Azure Resource Manager (ARM) Template**\n\nUse this method for automated deployment of the Commvault Security IQ data connector.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-CommvaultSecurityIQ-azuredeploy)\n2. Select the preferred **Subscription**, **Resource Group** and **Region**. \n3. Enter the **Workspace ID**, **Workspace Key** 'and/or Other required fields' and click Next. \n4. Click **Create** to deploy."
        }
    ]
}