Commvault Plugin for Threat Exchange

This document explains how to configure the Commvault v1.0.0 integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches URL indicators from Commvault and pushes URL indicators to the Commvault platform.

Prerequisites

To complete this configuration, you need:

  • A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
  • A URL list on your Netskope Tenant.
  • A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
  • A Commvault Instance.
  • The hostname used while sharing (reach out to Commvault for assistance, if needed).
  • Connectivity to the following host: Commvault platform URL.
CE Version Compatibility

  • Netskope CE v4.2.0, v5.0.0

Plugin Scope

The Commvault plugin fetches IoCs of type URL from the Commvault platform and shares URL IoCs back to Commvault. You need the Command Center API URL and a Commvault Access Token to configure the plugin. IoCs are pulled from CommandCenter > Unusual File Activities. IoCs are pushed to the same page, under the hostname, in the Threat Scan External Software detected tab.

Commvault Plugin Support

Fetched indicator types

URL

Shared indicator types

URL

Mappings

Severity

  Commvault Severity    CE Severity
  -1                    Unknown
  0-3                   Low
  4-7                   High
  8-10                  Critical

Mappings for Pull (Netskope field – Commvault field)

  Netskope CE Field    Commvault Field
  value                client_hostname
  severity             Refer to Severity Mapping
  type                 URL
  firstSeen            timeSource
  lastSeen             timeSource

Mappings for Push (Netskope field – Commvault field)

  Netskope CE Field      Commvault Field
  value                  client.hostname
  lastSeen               anomalyDetectedBy.anomalyDetails.anomalyEvents.detectionTime
  lastSeen               anomalyDetectedBy.anomalyDetails.detectionTime
  Comment                anomalyDetectedBy.anomalyDetails.anomalyReason
  (none)                 anomalyDetectedBy.vendorName (always the constant value netskope-ce)
  (none)                 anomalyDetectedBy.anomalyDetails.anomalyEvents.eventId (random UUID, e.g. 456fdd12trhth43)
  extendedInformation    anomalyDetectedBy.anomalyDetails.anomalyEvents.eventUrl
  (none)                 anomalyDetectedBy.anomalyDetails.timesSeen (always the constant value 1)
  (none)                 anomalyDetectedBy.anomalyDetails.eventType (always URL)

Permissions

Assign the following permissions to the user. For more information, refer to the Commvault documentation.

    • View permission on the CommCell.
    • Agent Management on All Servers.
    • View permission on All Servers.
API Details

Validate

API Endpoint:

<Command Center API URL>/commandcenter/api/Events

Method: GET

Headers:

Key Value
Accept application/json
authToken <Commvault Access Token>

Sample API Response:

{
  "commservEvents": [
    {
      "severity": 9,
      "eventCode": "117440845",
      "acknowledge": 0,
      "eventCodeString": "7:333",
      "subsystem": "cvd",
      "description": "<event_description>",
      "id": 115920200,
      "timeSource": 1702291179,
      "type": 0,
      "clientEntity": {
        "clientId": 57238,
        "clientName": "<client_name>",
        "displayName": "<display_name>"
      }
    }
  ]
}

Fetch Events

API Endpoint:

<Command Center API URL>/commandcenter/api/Events

Method: GET

Headers:

Key Value
Accept application/json
authToken <Commvault Access Token>
paginginfo 0

Parameters:

Key Value
level 10
showAnomalous True
fromTime Epoch timestamp

Sample API Response:

{
  "commservEvents": [
    {
      "severity": 9,
      "eventCode": "117440845",
      "acknowledge": 0,
      "eventCodeString": "7:333",
      "subsystem": "cvd",
      "description": "<event_description>",
      "id": 115920200,
      "timeSource": 1702291179,
      "type": 0,
      "clientEntity": {
        "clientId": 57238,
        "clientName": "<client_name>",
        "displayName": "<display_name>"
      }
    }
  ]
}

Get Client Details

API Endpoint:

<Base URL>/commandcenter/api/Client/<Client ID>

Method: GET

Headers:

Key Value
Accept application/json
authToken <Commvault Access Token>

Sample API Response:

{
  "clientProperties": {
    "client": {
      "clientEntity": {
        "hostName": "<host_name>"
      }
    }
  }
}

Push

API Endpoint:

<Command Center API URL>/commandcenter/api/Client/Action/Report/Bulk/Anomaly

Method: PUT

Headers:

Key Value
Accept application/json
authToken <Commvault Access Token>

Body:

{
  "anomalyDetections": [
    {
      "client": {
        "hostName": "<Host Name>"
      },
      "anomalyDetectedBy": {
        "vendorName": "NetSkope CTE",
        "anomalyDetails": [
          {
            "anomalyEvents": [
              {
                "detectionTime": 1698837719,
                "eventId": "456fdd12trhth43",
                "eventUrl": "url target"
              }
            ],
            "anomalyReason": "Testing",
            "detectionTime": 1699422560,
            "eventId": "12fdg-232333333",
            "timesSeen": 1,
            "eventType": "URL"
          }
        ]
      }
    }
  ]
}

Sample API Response:

{
  "anomalyDetections": [
    {
      "client": {
        "clientName": "dm2perf8_2"
      },
      "errorResponse": {}
    }
  ]
}

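The pull mapping, severity mapping, event-code filter and push body described on this page, pulled together as an added Python example; this is not the plugin's own code. It assumes the Client Details lookup has already been made (a constructed dictionary stands in for GET /commandcenter/api/Client/<Client ID>), uses constructed sample events, and follows the mapping table's constant vendorName value netskope-ce rather than the "NetSkope CTE" shown in the sample body. The helper names (map_severity, events_to_indicators, build_push_body, failed_clients) are hypothetical.

```python
"""Added example (not the Commvault plugin's own code): normalize Commvault Events
into Netskope CE indicator records and build the Bulk/Anomaly push body, using the
field mappings and sample API responses on this page. Helper names, the sample
events and the client-details lookup are constructed assumptions."""
import uuid
from typing import Optional

# Event codes the page lists as matched while pulling (associated with malicious events).
MALICIOUS_EVENT_CODES = {"14:337", "7:333", "69:59", "69:60"}


def map_severity(commvault_severity: int) -> str:
    """Severity mapping from the page: -1 Unknown, 0-3 Low, 4-7 High, 8-10 Critical."""
    if commvault_severity == -1:
        return "Unknown"
    if 0 <= commvault_severity <= 3:
        return "Low"
    if 4 <= commvault_severity <= 7:
        return "High"
    if 8 <= commvault_severity <= 10:
        return "Critical"
    raise ValueError(f"unexpected Commvault severity {commvault_severity!r}")


# Constructed stand-in for GET /commandcenter/api/Client/<Client ID> responses, keyed by clientId.
SAMPLE_CLIENT_DETAILS = {
    57238: {"clientProperties": {"client": {"clientEntity": {"hostName": "host-a.example.com"}}}},
}


def client_hostname(client_id: int, lookup=SAMPLE_CLIENT_DETAILS) -> Optional[str]:
    """Extract clientProperties.client.clientEntity.hostName from a Client Details response."""
    resp = lookup.get(client_id)
    if not resp:
        return None
    return resp["clientProperties"]["client"]["clientEntity"].get("hostName")


def events_to_indicators(events_response: dict, lookup=SAMPLE_CLIENT_DETAILS) -> list:
    """Pull mapping: value = client hostname, severity via map_severity, type = URL,
    firstSeen/lastSeen = timeSource. Events whose eventCodeString is not a listed
    malicious code, or whose client hostname cannot be resolved, are skipped."""
    indicators = []
    for ev in events_response.get("commservEvents", []):
        if ev.get("eventCodeString") not in MALICIOUS_EVENT_CODES:
            continue
        client_id = ev.get("clientEntity", {}).get("clientId")
        hostname = client_hostname(client_id, lookup) if client_id is not None else None
        if not hostname:
            continue  # Only clients that exist on the Commvault platform can be used
        indicators.append({
            "value": hostname,
            "type": "URL",
            "severity": map_severity(ev.get("severity", -1)),
            "firstSeen": ev["timeSource"],
            "lastSeen": ev["timeSource"],
            "comments": ev.get("description", ""),
        })
    return indicators


def build_push_body(indicators: list) -> dict:
    """Push mapping for PUT /commandcenter/api/Client/Action/Report/Bulk/Anomaly.
    vendorName, timesSeen and eventType are constants per the mapping table; eventId is a random UUID."""
    detections = []
    for ind in indicators:
        detections.append({
            "client": {"hostName": ind["value"]},
            "anomalyDetectedBy": {
                "vendorName": "netskope-ce",
                "anomalyDetails": [{
                    "anomalyEvents": [{
                        "detectionTime": ind["lastSeen"],
                        "eventId": str(uuid.uuid4()),
                        "eventUrl": ind.get("extendedInformation", ""),
                    }],
                    "anomalyReason": ind.get("comments", ""),
                    "detectionTime": ind["lastSeen"],
                    "timesSeen": 1,
                    "eventType": "URL",
                }],
            },
        })
    return {"anomalyDetections": detections}


def failed_clients(push_response: dict) -> list:
    """Return the client entries whose errorResponse in the push response is non-empty."""
    return [d["client"] for d in push_response.get("anomalyDetections", []) if d.get("errorResponse")]


# Constructed sample events: one matching code, one non-matching code, one unknown client.
SAMPLE_EVENTS = {"commservEvents": [
    {"severity": 9, "eventCodeString": "7:333", "timeSource": 1702291179,
     "description": "threat scan hit", "clientEntity": {"clientId": 57238}},
    {"severity": 2, "eventCodeString": "1:1", "timeSource": 1702291180,
     "description": "backup completed", "clientEntity": {"clientId": 57238}},
    {"severity": 5, "eventCodeString": "69:59", "timeSource": 1702291181,
     "description": "unusual file activity", "clientEntity": {"clientId": 99999}},
]}

if __name__ == "__main__":
    import json
    print(json.dumps(build_push_body(events_to_indicators(SAMPLE_EVENTS)), indent=2))
```

Of the three constructed events only the first becomes an indicator: the second has an event code outside the listed set, and the third belongs to a client that does not exist in the lookup, which is the same condition behind the "client's hostname might not be available in Commvault" share error described under Troubleshooting.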
Performance Matrix

Below are the performance readings taken while fetching and pushing 100K IoCs in each plugin lifecycle on a Large CE instance with the following specifications.

  • Stack size: Large
  • RAM: 32 GB
  • CPU: 16 Cores

Indicators fetched from Commvault ~ 10K per minute
Indicators shared to Commvault ~ 200 per minute

Note

The pull performance above was measured using mock data, since the Commvault platform does not have sufficient data to test the performance of pulling IoCs. This might be the reason for the performance difference between pull and push. It has also been observed that the hit count on the Commvault platform for shared IoCs is reset to 0 after the hits exceed 5000.

User Agent

netskope-ce-5.0.0-cte-Commvault-v1.0.0

Workflow

  • Get your Commvault Access Token.
  • Configure the Commvault plugin.
  • Add a Business Rule.
  • Configure Sharing between Threat Exchange and Commvault.
  • Validate the plugin.


Get your Commvault Access Token

  1. Log in to your Commvault Instance.
  2. Click Profile on the top right to expand it.
  3. Click Profile.
  4. Click Access tokens.
  5. Click Add token.
  6. Enter a Token Name, Expire Date, and Scope, and then click Submit.
  7. Copy the token and save it in a safe place because it will only be visible once.

Configure the Commvault Plugin

  1. Log in to Cloud Exchange and go to Settings > Plugins.
  2. Search for and select the Commvault plugin box to configure the plugin.
  3. Enter these values:
    • Configuration Name: Unique name for the configuration.
    • Sync Interval: Leave default.
    • Aging Criteria: Expiry time of the plugin in days. (Default: 90)
    • Override Reputation: Set a value to override the reputation of indicators received from this configuration.
    • Enable SSL Validation: Enable SSL Certificate validation.
    • Use System Proxy: Enable if the proxy is required for communication.

  4. Click Next.
  5. Enter these values:
    • Command Center API URL: Command Center URL where alerts are pushed to/pulled from, like https://commandcenter.nam.contoso.com/.
    • Commvault Access Token: Enter the Access Token generated from the Profile > Access tokens section of your Commvault platform.
    • Enable Polling: Enable/Disable polling Threat IOCs from Commvault. Disable if you only need to push Threat IOCs to Commvault.
    • Initial Range (in days): Number of days to pull the data for the initial run.
  6. Click Save.

Add a Threat Exchange Business Rule for Commvault

To share indicators fetched from Commvault to Cloud Exchange and vice versa, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:

  1. Go to Threat Exchange > Business Rule > Create New Rule.
  2. Add the filter according to your requirement in the rule.

Configure Sharing for Netskope and Commvault

To share IoCs from the Cloud Exchange to the Commvault platform and vice versa, follow these steps:

  1. Go to Threat Exchange > Sharing and click Add Sharing Configuration.
  2. Select your Source Configuration (Cloud Exchange), the Business Rule, Destination Configuration (Commvault), and Target as Report client as Anomalous.
  3. Repeat step 2 for sharing Commvault IoCs to Cloud Exchange. Select your Source Configuration as Commvault, the Business Rule, and the Destination Configuration (Cloud Exchange).
  4. Add a Target and select the existing IoCs List Name, or create a new IoCs list on the platform.
  5. Click Save.

Note

Only Clients that already exist on the Commvault platform can be tagged/marked as anomalous in Commvault; the plugin cannot create a new Client on the platform while sharing.

Validate the Commvault Plugin

Validate the Pull

Pulled data is listed on the Threat IoCs page. You can filter the IoCs pulled from the platform using the filter sources.source Like "<plugin name>". You can also filter the CE logs by the plugin name.

On the Commvault platform the IoCs are pulled from CommandCenter > Unusual File Activities.

Note

The IoCs will be pulled from all the tabs under Unusual File Activities except External Software detected, since IoCs are pushed to that page.

Validate the Push

To validate the push in CE, go to Logging and filter shared logs for the Commvault plugin.

To check the ingested data on the platform, log in to Commvault and go to CommandCenter > Unusual File Activities. Click on the hostname and check the shared data under External software detected.

Troubleshooting

Unable to pull IOCs from the Commvault platform

If IoCs are not pulled from the platform after the plugin is configured, it might be due to one of the following:

  • No IoCs are available on the platform to pull.
  • IoCs are not available for the given time range, or do not match the configuration parameters.
  • The event code does not match.

What to do: Identify your root cause from the list above and follow the steps below to resolve the issue.

No IoCs are available on the platform to pull: Check whether there is data to be pulled from the platform. If there is, check the Initial Range provided in the plugin configuration; the data available on the Commvault platform must fall within the initial range set in the plugin.

The event code does not match: The plugin only pulls events whose event codes are associated with malicious events. The event codes matched during the pull call are 14:337, 7:333, 14:337, 69:59, 69:60; if an event's code does not match one of these, its data will not be pulled.

Unable to share IoCs on Commvault

If you are unable to share IoCs to Commvault and receive the error below:

Unable to share 50 indicator(s) from 50 indicator(s) to Commvault. The indicators may have an invalid value, or the client’s hostname might not be available in Commvault.

What to do:

To share IoCs to Commvault, each IoC to be shared must have a host that is detected or configured on the Commvault platform.
