Query Details

Detecting Commvault Exploitation In Azure

Query

// https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
// https://kb.commvault.com/article/87661

// IP indicators associated with the Commvault incident (see the links above)
let CommVaultIOC = dynamic(["108.69.148.100", "128.92.80.210",
    "184.153.42.129", "108.6.189.53", "159.242.42.20"]);
// Azure control-plane operations issued from any of the indicator IPs
let AzureActivityResult =
    AzureActivity
    | where TimeGenerated > ago(90d)
    | where CallerIpAddress has_any(CommVaultIOC);
// Entra ID sign-ins from the same IPs, combined with the activity hits
SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(CommVaultIOC)
| union AzureActivityResult

Explanation

This KQL (Kusto Query Language) query is designed to identify potentially malicious activity related to a known security incident involving CommVault. Here's a simple breakdown of what the query does:

  1. CommVaultIOC definition: defines the list of suspicious IP addresses (CommVaultIOC) associated with the Commvault security incident.

  2. AzureActivityResult: queries the AzureActivity table for records from the last 90 days (TimeGenerated > ago(90d)) whose CallerIpAddress matches any IP address in the CommVaultIOC list.

  3. SigninLogs: queries the SigninLogs table over the same 90-day period for records whose IPAddress matches any IP address in the CommVaultIOC list.

  4. Union operation: combines the results of both queries into a single result set using the union operator.

In summary, this query is searching through Azure activity and sign-in logs from the past 90 days to find any entries that involve the suspicious IP addresses linked to the CommVault incident.
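An extended version of the query, added here as an example and not part of the original post. It assumes the standard Microsoft Sentinel column names for AzureActivity and SigninLogs; it matches the indicator list with exact string equality via `in`, projects both sources onto one schema so hits can be triaged side by side, and summarises them per source IP.

```kql
// Added example: normalised output for the Commvault IOC hunt.
// Column names assume the standard Sentinel AzureActivity / SigninLogs schemas.
let CommVaultIOC = dynamic(["108.69.148.100", "128.92.80.210",
    "184.153.42.129", "108.6.189.53", "159.242.42.20"]);
let lookback = 90d;
// Control-plane operations from the indicator IPs, reduced to a common shape
let ActivityHits =
    AzureActivity
    | where TimeGenerated > ago(lookback)
    | where CallerIpAddress in (CommVaultIOC)   // exact IP equality
    | project TimeGenerated,
              Source = "AzureActivity",
              SourceIP = CallerIpAddress,
              Identity = Caller,
              Action = OperationNameValue,
              Outcome = ActivityStatusValue,
              ResourceOrApp = tostring(Resource);
// Sign-ins from the same IPs, mapped onto the same columns
let SigninHits =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where IPAddress in (CommVaultIOC)
    | project TimeGenerated,
              Source = "SigninLogs",
              SourceIP = IPAddress,
              Identity = UserPrincipalName,
              Action = "Sign-in",
              Outcome = tostring(ResultType),   // "0" means a successful sign-in
              ResourceOrApp = AppDisplayName;
// One row per indicator IP and log source, with the identities it touched
ActivityHits
| union SigninHits
| summarize FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Events = count(),
            Identities = make_set(Identity, 20),
            Outcomes = make_set(Outcome, 10)
          by SourceIP, Source
| order by LastSeen desc
```

Any row returned is worth a closer look: a successful sign-in (Outcome "0") or a control-plane write from one of these IPs should be pivoted on Identity across the full lookback window.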

Details


Steven Lim

Released: May 1, 2025

Tables

AzureActivity, SigninLogs

Keywords

AzureActivity, SigninLogs, CallerIpAddress, IPAddress, TimeGenerated, CommVaultIOC

Operators

let, dynamic, AzureActivity, |, where, >, ago, has_any, SigninLogs, union
