Detecting Commvault Exploitation In Azure
Query
// https://thehackernews.com/2025/05/commvault-confirms-hackers-exploited.html
// https://kb.commvault.com/article/87661
let CommVaultIOC = dynamic(["108.69.148.100", "128.92.80.210",
"184.153.42.129", "108.6.189.53", "159.242.42.20"]);
let AzureActivityResult =
AzureActivity
| where TimeGenerated > ago(90d)
| where CallerIpAddress has_any(CommVaultIOC);
SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(CommVaultIOC)
| union AzureActivityResultExplanation
This KQL (Kusto Query Language) query is designed to identify potentially malicious activity related to a known security incident involving CommVault. Here's a simple breakdown of what the query does:
-
CommVaultIOC Definition: It defines a list of suspicious IP addresses (
CommVaultIOC) that are associated with the CommVault security incident. -
AzureActivityResult:
- It queries the
AzureActivitytable to find any records from the last 90 days (TimeGenerated > ago(90d)) where theCallerIpAddressmatches any of the IP addresses in theCommVaultIOClist.
- It queries the
-
SigninLogs:
- It queries the
SigninLogstable for the same 90-day period to find records where theIPAddressmatches any of the IP addresses in theCommVaultIOClist.
- It queries the
-
Union Operation:
- It combines the results from both the
AzureActivityandSigninLogsqueries into a single result set using theunionoperator.
- It combines the results from both the
In summary, this query is searching through Azure activity and sign-in logs from the past 90 days to find any entries that involve the suspicious IP addresses linked to the CommVault incident.
Details

Steven Lim
Released: May 1, 2025
Tables
AzureActivitySigninLogs
Keywords
AzureActivitySigninLogsCallerIpAddressIPAddressTimeGeneratedCommVaultIOC
Operators
letdynamicAzureActivity|where>agohas_anySigninLogsunion