Commvault Plugin for Threat Exchange
This document explains how to configure the Commvault v1.0.0 integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches URL indicators from Commvault and pushes URL indicators to the Commvault platform.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- A URL list on your Netskope Tenant.
- A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
- A Commvault Instance.
- The hostname used while sharing (reach out to Commvault for assistance, if needed).
- Connectivity to the following host: Commvault platform URL.
CE Version Compatibility
- Netskope CE v4.2.0, v5.0.0
Plugin Scope
The Commvault plugin fetches IoCs of type URL from the Commvault platform and shares URL IoCs back to Commvault. You need the Command Center API URL and a Commvault Access Token to configure the plugin. IoCs are pulled from CommandCenter > Unusual File Activities. The IoCs are pushed to the same page, under the hostname, in the Threat Scan External Software detected tab.
Commvault Plugin Support
Fetched indicator types | URL |
Shared indicator types | URL |
Mappings
Severity
Commvault Severity | CE Severity |
-1 | Unknown |
0-3 | Low |
4-7 | High |
8-10 | Critical |
Mappings for Pull (Netskope field – Commvault fields)
Netskope CE Fields | Commvault Field |
value | client_hostname |
severity | Refer to Severity Mapping |
type | URL |
firstSeen | timeSource |
lastSeen | timeSource |
Mappings for Push
Netskope CE Fields | Commvault Field |
value | client.hostname |
lastSeen | anomalyDetectedBy.anomalyDetails.anomalyEvents.detectionTime |
lastSeen | anomalyDetectedBy.anomalyDetails.detectionTime |
Comment | anomalyDetectedBy.anomalyDetails.anomalyReason |
(constant) | anomalyDetectedBy.vendorName (netskope-ce, a constant value) |
(random UUID) | anomalyDetectedBy.anomalyDetails.anomalyEvents.eventId (random UUID, e.g. 456fdd12trhth43) |
extendedInformation | anomalyDetectedBy.anomalyDetails.anomalyEvents.eventUrl |
(constant) | anomalyDetectedBy.anomalyDetails.timesSeen (always 1) |
(constant) | anomalyDetectedBy.anomalyDetails.eventType (URL) |
Permissions
Assign the following permissions to the user. For more information, refer to the Commvault documentation.
- View permission on the CommCell.
- Agent Management on All Servers.
- View permission on All Servers.
API Details
Validate
API Endpoint:
<Command Center API URL>/commandcenter/api/Events
Method: GET
Headers:
Key | Value |
Accept | application/json |
authToken | <Commvault Access Token> |
Sample API Response:
{ "commservEvents": [ { "severity": 9, "eventCode": "117440845", "acknowledge": 0, "eventCodeString": "7:333", "subsystem": "cvd", "description": "<event_description>", "id": 115920200, "timeSource": 1702291179, "type": 0, "clientEntity": { "clientId": 57238, "clientName": "<client_name>", "displayName": "<display_name>" } } ] }
Fetch Events
API Endpoint:
<Command Center API URL>/commandcenter/api/Events
Method: GET
Headers:
Key | Value |
Accept | application/json |
authToken | <Commvault Access Token> |
paginginfo | 0 |
Parameters:
Key | Value |
level | 10 |
showAnomalous | True |
fromTime | Epoch timestamp |
Sample API Response:
{ "commservEvents": [ { "severity": 9, "eventCode": "117440845", "acknowledge": 0, "eventCodeString": "7:333", "subsystem": "cvd", "description": "<event_description>", "id": 115920200, "timeSource": 1702291179, "type": 0, "clientEntity": { "clientId": 57238, "clientName": "<client_name>", "displayName": "<display_name>" } } ] }
Get Client Details
API Endpoint:
<Base URL>/commandcenter/api/Client/<Client ID>
Method: GET
Headers:
Key | Value |
Accept | application/json |
authToken | <Commvault Access Token> |
Sample API Response:
{ "clientProperties": { "client": { "clientEntity": { "hostName": "<host_name>" } } } }
Push
API Endpoint:
<Command Center API URL>/commandcenter/api/Client/Action/Report/Bulk/Anomaly
Method: PUT
Headers:
Key | Value |
Accept | application/json |
authToken | <Commvault Access Token> |
Body:
{ "anomalyDetections": [ { "client": { "hostName": "<Host Name>" }, "anomalyDetectedBy": { "vendorName": "NetSkope CTE", "anomalyDetails": [ { "anomalyEvents": [ { "detectionTime": 1698837719, "eventId": "456fdd12trhth43", "eventUrl": "url target" } ], "anomalyReason": "Testing", "detectionTime": 1699422560, "eventId": "12fdg-232333333", "timesSeen": 1, "eventType": "URL" } ] } } ] }
Sample API Response:
{ "anomalyDetections": [ { "client": { "clientName": "dm2perf8_2" }, "errorResponse": {} } ] }
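As an added example (not the plugin's own code), the following Python works through the pull and push mappings from the tables above against the sample payloads on this page: the event-code filter used during pull, the severity mapping, the shape of the Fetch Events request, and the anomaly body sent on push. The function names, the constructed sample event and the hostname values are assumptions.

```python
import uuid
from datetime import datetime, timezone

# Event codes the page lists as the ones the plugin matches while pulling.
MALICIOUS_EVENT_CODES = {"14:337", "7:333", "69:59", "69:60"}

# Constructed sample: one commservEvents entry shaped like the page's sample response.
SAMPLE_EVENT = {"severity": 9, "eventCode": "117440845", "eventCodeString": "7:333",
                "subsystem": "cvd", "id": 115920200, "timeSource": 1702291179,
                "clientEntity": {"clientId": 57238, "clientName": "<client_name>"}}

def map_severity(commvault_severity):
    """Commvault severity (-1..10) -> CE severity label, per the Severity mapping table."""
    if commvault_severity == -1:
        return "Unknown"
    if 0 <= commvault_severity <= 3:
        return "Low"
    if 4 <= commvault_severity <= 7:
        return "High"
    if 8 <= commvault_severity <= 10:
        return "Critical"
    raise ValueError(f"severity out of range: {commvault_severity}")

def fetch_events_request(api_url, token, from_time):
    """Headers and query parameters of the Fetch Events call (GET .../commandcenter/api/Events)."""
    return {"url": api_url.rstrip("/") + "/commandcenter/api/Events",
            "headers": {"Accept": "application/json", "authToken": token, "paginginfo": "0"},
            "params": {"level": "10", "showAnomalous": "True", "fromTime": str(int(from_time))}}

def event_to_indicator(event, client_hostname):
    """Pull mapping: event + hostName from Get Client Details -> CE indicator (None if code not matched)."""
    if event.get("eventCodeString") not in MALICIOUS_EVENT_CODES:
        return None
    seen = datetime.fromtimestamp(event["timeSource"], tz=timezone.utc)
    return {"value": client_hostname, "type": "URL", "severity": map_severity(event["severity"]),
            "firstSeen": seen, "lastSeen": seen}

def indicator_to_anomaly_body(indicator, comment, event_id=None):
    """Push mapping: CE indicator -> body of PUT .../Client/Action/Report/Bulk/Anomaly."""
    detection_time = int(indicator["lastSeen"].timestamp())
    event = {"detectionTime": detection_time, "eventId": event_id or str(uuid.uuid4()),
             "eventUrl": indicator.get("extendedInformation", "")}
    details = {"anomalyEvents": [event], "anomalyReason": comment, "detectionTime": detection_time,
               "timesSeen": 1, "eventType": "URL"}
    return {"anomalyDetections": [{"client": {"hostName": indicator["value"]},
                                   "anomalyDetectedBy": {"vendorName": "netskope-ce",
                                                         "anomalyDetails": [details]}}]}
```

The hostName in the push body must already exist as a Client in Commvault, which is the condition the troubleshooting section below describes.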
Performance Matrix
Below are the performance readings for fetching and pushing 100K IoCs in each plugin lifecycle on a Large CE instance with the following specifications.
Stack details | Size: Large, RAM: 32 GB, CPU: 16 Cores |
Indicators fetched from Commvault | ~ 10K per minute |
Indicators shared to Commvault | ~ 200 per minute |
Note
The pull performance above was measured using mock data, since the Commvault platform does not hold enough data to test the performance of pulling IoCs. This might explain the performance difference between pull and push. It has also been observed that the hit count on the Commvault platform for shared IoCs is reset to 0 once the hits exceed 5000.
User Agent
netskope-ce-5.0.0-cte-Commvault-v1.0.0
Workflow
- Get your Commvault Access Token.
- Configure the Commvault plugin.
- Add a Business Rule.
- Configure Sharing between Threat Exchange and Commvault.
- Validate the plugin.
Get your Commvault Access Token
- Log in to your Commvault Instance.
- Click Profile on the top right to expand it.
- Click Profile.
- Click Access tokens.
- Click Add token.
- Enter a Token Name, Expire Date, and Scope, and then click Submit.
- Copy the token and save it in a safe place because it will only be visible once.
Configure the Commvault Plugin
- Log in to Cloud Exchange and go to Settings > Plugins.
- Search for and select the Commvault plugin box to configure the plugin.
- Enter these values:
- Configuration Name: Unique name for the configuration.
- Sync Interval: Leave default.
- Aging Criteria: Expiry time of the plugin in days. (Default: 90)
- Override Reputation: Set a value to override the reputation of indicators received from this configuration.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Enable if the proxy is required for communication.
- Click Next.
- Enter these values:
- Command Center API URL: Command Center URL where alerts are pushed to/pulled from, like https://commandcenter.nam.contoso.com/.
- Commvault Access Token: Enter the Access Token generated from the Profile > Access tokens section of your Commvault platform.
- Enable Polling: Enable/Disable polling Threat IOCs from Commvault. Disable if you only need to push Threat IOCs to Commvault.
- Initial Range (in days): Number of days to pull the data for the initial run.
- Click Save.
Add a Threat Exchange Business Rule for Commvault
To share indicators fetched from Commvault to Cloud Exchange and vice versa, you need a business rule that filters the indicators you want to share. To configure a business rule, follow these steps:
- Go to Threat Exchange > Business Rule > Create New Rule.
- Add the filter according to your requirement in the rule.
Configure Sharing for Netskope and Commvault
To share IoCs from the Cloud Exchange to the Commvault platform and vice versa, follow these steps:
- Go to Threat Exchange > Sharing and click Add Sharing Configuration.
- Select your Source Configuration (Cloud Exchange), the Business Rule, Destination Configuration (Commvault), and Target as Report client as Anomalous.
- Repeat step 2 for sharing Commvault IoCs to Cloud Exchange. Select your Source Configuration as Commvault, the Business Rule, and the Destination Configuration (Cloud Exchange).
- Add a Target and select the existing IoCs List Name, or create a new IoCs list on the platform.
- Click Save.
Note
Only existing Clients on the Commvault platform can be tagged/marked as anomalous in Commvault; the plugin cannot create a new Client on the platform while sharing.
Validate the Commvault Plugin
Validate the Pull
Pulled data is listed on the Threat IoCs page. You can filter the IoCs pulled from the platform using the filter sources.source Like "<plugin name>". You can filter the CE logs by the plugin name as well.
On the Commvault platform the IoCs are pulled from CommandCenter > Unusual File Activities.
Note
The IoCs are pulled from all the tabs under Unusual File Activities except External Software detected, since the plugin pushes IoCs to that tab.
Validate the Push
To validate the push in CE, go to Logging and filter shared logs for the Commvault plugin.
To check the ingested data on the platform, log in to Commvault and go to CommandCenter > Unusual File Activities. Click on the hostname and check the shared data under External software detected.
Troubleshooting
Unable to pull IOCs from the Commvault platform
If IoCs are not pulled from the platform after the plugin is configured, it might be due to one of the following:
- No IoCs are available on the platform to pull
- IoCs are not available for the given time range or do not match the configuration parameters
- The event code does not match.
What to do: Identify your root cause from the list above and follow the steps below to resolve the issue.
No IoCs are available on the platform to pull: Check whether there is data to be pulled from the platform. If there is, check the initial range provided in the plugin configuration; the data available on the Commvault platform must fall within the initial range set in the plugin.
The event code does not match: The plugin only pulls events whose event codes are associated with malicious events. If an event's code does not match one of these codes during the pull call, the data is not pulled. The matched event codes are 14:337, 7:333, 14:337, 69:59, 69:60.
Unable to share IoCs on Commvault
If you are unable to share IoCs to Commvault and receive the error below:
Unable to share 50 indicator(s) from 50 indicator(s) to Commvault. The indicators may have an invalid value, or the client's hostname might not be available in Commvault.
What to do:
To share IoCs to Commvault, the host referenced by each IoC must already be detected or configured on the Commvault platform.