Analyzing Suspicious Activity Using Palo Alto Cortex XSOAR

You can use Palo Alto Cortex XSOAR to automate the process of analyzing suspicious activity in your Commvault environment.

Note

The Commvault Cloud content pack for Palo Alto Cortex XSOAR can be found on the Cortex XSOAR Marketplace.

Commvault Cloud provides pre-built integrations, automation workflows, and playbooks to streamline operations, enhance threat intelligence integration, and gain actionable insights through advanced reporting and analytics.

Introducing Commvault Cloud integration pack for Commvault products. It enables security analysts swiftly respond to threats using pre-built integrations, playbooks to secure and audit backups and backup software ecosystem.

With today's evolving threat landscape, data is under constant risk of data destruction and exfiltration. Organizations are challenged with responding to security events as quickly as they can to limit the impact of cyber threats on their production as well as backup data. This content pack allows organizations to monitor anomaly alerts from Commvault Cloud data protection platforms, so they can respond with orchestrated actions to help fortify the data protection platform.

Key Features

  • Support for Commvault Cloud.

  • Suspicious file anomaly monitoring to indicate file encryption.

  • Fetch Commvault Cloud file anomaly alerts over API, Commvault Webhook, or Syslog.

  • Native API token storage or Azure Key Vault token storage.

  • Ability to export and view list of infected files for investigation.

Automation Use Cases

  • Disable data aging within Commvault Cloud when server compromise is detected to protect backup data.

  • Interactive runbook to disable Commvault Cloud user account if suspicious user behavior is detected to avoid exfiltration attempts.

  • Interactive runbook to disable IDP provider configured for Commvault Cloud user authentication to restrict access to backups in the event of a cyber incident to avoid exfiltration attempts.

  • Add a VM to the Cleanroom using the nearest clean recovery point, identified based on the incident time, after a compromise is detected.

Running an Integration

There are two modes of running an integration. They are as follows:

Loading...