Commvault Plugin for Threat Exchange

This document explains how to configure the Commvault v1.0.0 integration with the Cloud Threat Exchange module of the Netskope Cloud Exchange platform. This plugin fetches URL and pushes the same to the Commvault platform.

Prerequisites

To complete this configuration, you need:

A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
A URL list on your Netskope Tenant.
A Netskope Cloud Exchange tenant with the Threat Exchange module already configured.
A Commvault Instance.
The hostname used while sharing (reach out to Commvault for assistance, if needed).
Connectivity to the following host: Commvault platform URL.

CE Version Compatibility

Netskope CE v4.2.0, v5.0.0

Plugin Scope

The Commvault plugin fetches IoCs of the type of URL from the Commvault platform. This plugin shares the URL to Commvault. You need the Command Center API URL, Commvault Access Token to access the plugin. IoCs are pulled from CommandCenter > Unusual File Activities. The IoCs are pushed to the same page in the hostname under Threat Scan External Software detected tab.

Commvault Plugin Support

Fetched indicator types	URL
Shared indicator types	URL

Mappings

Severity

Commvault Severity	CE Severity
-1	Unknown
0-3	Low
4-7	High
8-10	Critical

Mappings for Pull (Netskope field – Commvault fields)

Netskope CE Fields	Commvault Field
value	client_hostname
severity	Refer to Severity Mapping
type	URL
firstSeen	timeSource
lastSeen	timeSource

Mappings for Push

Netskope CE Fields	Commvault Field
value	client.hostname
lastSeen	anomalyDetectedBy.anomalyDetails.anomalyEvents.detectionTime
lastSeen	anomalyDetectedBy.anomalyDetails.detectionTime
Comment	anomalyDetectedBy.anomalyDetails.anomalyReason
	anomalyDetectedBy.vendorName (netskope-ce it will be an constant value)
	anomalyDetectedBy.anomalyDetails.anomalyEvents.eventId(Random UUID eg:456fdd12trhth43)
extendedInformation	anomalyDetectedBy.anomalyDetails.anomalyEvents.eventUrl
	anomalyDetectedBy.anomalyDetails.timesSeen(1 Always Constant)
	anomalyDetectedBy.anomalyDetails.eventType (URL)

Permissions

Assign the following permissions to the user. For more information, refer to the Commvault documentation.

- View permission on the CommCell.
- Agent Management on All Servers.
- View permission on All Servers.

API Details

Validate

API Endpoint:

<Command Center API URL>/commandcenter/api/Events

Method: GET

Headers:

Key	Value
Accept	application/json
authToken	<Commvault Access Token>

Sample API Response:

{
  "commservEvents": [
    {
      "severity": 9,
      "eventCode": "117440845",
      "acknowledge": 0,
      "eventCodeString": "7:333",
      "subsystem": "cvd",
"description": “<event_description>",
      "id": 115920200,
      "timeSource": 1702291179,
      "type": 0,
      "clientEntity": {
         "clientId": 57238,
         "clientName": "<client_name>",
         "displayName": "<display_name>"
      }
    }
  ]
}

Fetch Events

API Endpoint:

<Command Center API URL>/commandcenter/api/Events

Method: GET
Headers:

Key	Value
Accept	application/json
authToken	<Commvault Access Token>
paginginfo	0

Parameters:

Key	Value
level	10
showAnomalous	True
fromTime	Epoch timestamp

Sample API Response:

{
  "commservEvents": [
    {
      "severity": 9,
      "eventCode": "117440845",
      "acknowledge": 0,
      "eventCodeString": "7:333",
      "subsystem": "cvd",
"description": “<event_description>",
      "id": 115920200,
      "timeSource": 1702291179,
      "type": 0,
      "clientEntity": {
         "clientId": 57238,
         "clientName": "<client_name>",
         "displayName": "<display_name>"
      }
    }
  ]
}

Get Client Details

API Endpoint:

<Base URL>/commandcenter/api/Client/<Client ID>

Method: GET

Headers:

Key	Value
Accept	application/json
authToken	<Commvault Access Token>

Sample API Response:

"clientProperties":{
            "client":{
                      "clientEntity": {
                                "hostName": "<host_name>"
                        }
            }
}

Push

API Endpoint:

<Command Center API URL>/commandcenter/api/Client/Action/Report/Bulk/Anomaly

Method: PUT

Headers:

Key	Value
Accept	application/json
authToken	<Commvault Access Token>

Body:

{
"anomalyDetections": [
  {
    "client": {
    "hostName": "<Host Name>"
    },
    "anomalyDetectedBy": {
      "vendorName": "NetSkope CTE",
      "anomalyDetails": [
        {
          "anomalyEvents": [
           {
             "detectionTime": 1698837719,
             "eventId": "456fdd12trhth43",
             "eventUrl": "url target"
           }
         ],
         "anomalyReason": "Testing",
         "detectionTime": 1699422560,
         "eventId": "12fdg-232333333",
         "timesSeen": 1,
         "eventType": "URL"
       }
      ]
     }
    }
   ]
 }

Sample API Response:

 "anomalyDetections": [
   {
     "client": {
        "clientName": "dm2perf8_2"
     },
      "errorResponse": {}
   }
 ]
}

Performance Matrix

Below is the performance reading conducted for fetching and pushing 100K IOCs in each plugin lifecycle on a Large CE instance with the below specifications.

Stack details

Size: Large

RAM: 32 GB

CPU: 16 Cores

Indicators fetched from Commvault

~ 10K per minute

Indicators shared to Commvault

~ 200 per minute

Note

The above performance for pull has been conducted using mock data since the Commvault platform does not have sufficient data to test the performance for pulling of IoCs. This might be the reason for the performance difference in the pull and push. Also it has been observed that the hits on the Commvault platform for shared IoCs is resetted to 0 after the hits surpasses to 5000.

User Agent

netskope-ce-5.0.0-cte-Commvault-v1.0.0

Workflow

Get your Commvault Access Token.
Configure the Commvault plugin.
Add a Business Rule.
Configure Sharing between Threat Exchange and Commvault.
Validate the plugin.

Click play to watch a video.

Get your Commvault Access Token

Log in to your Commvault Instance.
Click Profile on the top right to expand it.
Click Profile.
Click Access tokens.
Click Add token.
Enter a Token Name, Expire Date, and Scope, and then click Submit.
Copy the token and save it in a safe place because it will only be visible once.

Configure the Commvault Plugin

Log in to Cloud Exchange and go to Settings > Plugins.
Search for and select the Commvault plugin box to configure the plugin.
Enter these values:
- Configuration Name: Unique name for the configuration.
- Sync Interval: Leave default.
- Aging Criteria: Expiry time of the plugin in days. (Default: 90)
- Override Reputation: Set a value to override the reputation of indicators received from this configuration.
- Enable SSL Validation: Enable SSL Certificate validation.
- Use System Proxy: Enable if the proxy is required for communication.
Click Next.
Enter these values:
- Command Center API URL: Command Center URL where alerts are pushed to/pulled from, like https://commandcenter.nam.contoso.com/.
- Commvault Access Token: Enter the Access Token generated from the Profile > Access tokens section of your Commvault platform.
- Enable Polling: Enable/Disable polling Threat IOCs from Commvault. Disable if you only need to push Threat IOCs to Commvault.
- Initial Range (in days): Number of days to pull the data for the initial run.
Click Save.

Add a Threat Exchange Business Rule for Commvault

To share indicators fetched from the Commvault to the Cloud Exchange and vice versa, you will need to have a business rule that will filter out the indicators that you want to share. To configure a business rule follow the below steps:

Go to Threat Exchange > Business Rule > Create New Rule.
Add the filter according to your requirement in the rule.

Configure Sharing for Netskope and Commvault

To share IoCs from the Cloud Exchange to the Commvault platform and vice versa, follow these steps:

Go to Threat Exchange > Sharing and click Add Sharing Configuration.
Select your Source Configuration (Cloud Exchange), the Business Rule, Destination Configuration (Commvault), and Target as Report client as Anomalous.
Repeat step 2 for sharing Commvault IoCs to Cloud Exchange. Select your Source Configuration as Commvault, the Business Rule, and the Destination Configuration (Cloud Exchange).
Add a Target and select the existing IoCs List Name, or create a new IoCs list on the platform.
Click Save.

Note

Only the existing Clients on the Commvault platform can be tagged/marked as anomalous in Commvault, hence we cannot create new Client on the platform while sharing.

Validate the Commvault Plugin

Validate the Pull

Pulled data will be listed on the Threat IOCs page. You can filter the IOCs pulled from the platform using the Filter: sources.source Like “<plugin name>”. You can filter the logs from CE as well with the plugin name.

On the Commvault platform the IoCs are pulled from CommandCenter > Unusual File Activities.

Note

The IoCs will be pulled from all the tabs under the Unusal File Activities, except the External Software detected, since we push IoCs to that page.

Validate the Push

To validate the push in CE, go to Logging and filter shared logs for the Commvault plugin.

To check the ingested data on the platform, log in to Commvault and go to CommandCenter > Unusual File Activities. Click on the hostname and check the shared data under External software detected.

Troubleshooting

Unable to pull IOCs from the Commvault platform

After the plugin configuration if the IoCs are not pulled from the platform it might be due to one of the following.

No IoCs are available on the platform to pull
IoCs are not available for the given time range or do not match the configuration parameters
The event code does not match.

What to do: Identity your root cause from above and follow below steps to resolve the issue.

No IoCs are available on the platform to pull: Check if you have data to be pulled from the platform if so check the initial range provided in the plugin configuration. The data available on the Commvault platform should match the initial range added in the plugin.

Below are the possible event codes that are matched in the plugin while pulling the IOCs as these event codes are associated with malicious events, if this Event Codes does not match during the pull call data won’t be pulled, 14:337, 7:333, 14:337, 69:59, 69:60.

Unable to share IoCs on Commvault

If you are unable to share IoCs to Commvault and receive below error.

Unable to share 50 indicator(s) from 50 indicator(s) to Commvault. The indicators may have an invalid value, or the client’s hostname might not be available in Commvault.

What to do:

To share the IoCs on Commvault it is necessary that the IoCs that are to be shared have a Host detected or Configured on the Commvault platform.

Commvault Plugin for Threat Exchange