Commvault Security Investigation Agent
by Commvault
Enhance security with Commvault's advanced investigation tools for data protection.
The Commvault Security Investigation Agent is an investigation and correlation agent that integrates Commvault cyber-resilience telemetry with the broader security ecosystem in Microsoft Sentinel. The agent correlates signals originating from backup environments with third-party security telemetry stored in the Sentinel Data Lake, enabling security teams to determine whether threats detected in backup data also impacted production workloads.
Threat signals from backup environments may include:
Backup anomalies indicating suspicious activity in protected workloads
Encryption events within backup data that may signal ransomware activity
Malware detections identified through Commvault Threat Scan
Backups containing sensitive data identified through Commvault Risk Analysis
The agent correlates these events with additional security signals generated by partner platforms such as Netskope, Palo Alto Networks, and CrowdStrike and sent to Sentinel Data Lake.
By correlating security signals across backup and production telemetry, the agent helps security teams determine whether a potential compromise detected in backup data corresponds to activity observed across endpoint, network, and cloud security tools.
Key Capabilities
Multi-Signal Threat Correlation - correlates security events generated by Commvault Threat Scan and Risk Analysis with partner telemetry from Netskope, Palo Alto Networks, and CrowdStrike to identify related security activity across the environment.
Backup-Derived Threat Intelligence - identifies suspicious activity within backup datasets including ransomware encryption patterns, malware detections, anomalous backup activity, and backups containing sensitive data.
Production Impact Validation - helps determine whether suspicious activity identified in backup data corresponds to security events affecting live workloads.
Asset-Level Investigation - correlates events by hostname or asset identifier and provides a counter of related security signals detected across multiple platforms to help analysts prioritize investigations.
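The asset-level correlation described above (join backup-derived findings to partner signals by normalized hostname, count the related signals, and only assert production impact when a non-backup sensor agrees), as an added illustration that is not Commvault's agent code; the record layout, field names, 24-hour window, and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Hostnames appear in mixed
# FQDN / short / upper-case forms, as they do across different sensors.
BACKUP_SIGNALS = [
    {"host": "WEB01.corp.example", "ts": "2024-05-01T02:10:00", "source": "Threat Scan"},
    {"host": "web01", "ts": "2024-05-01T02:30:00", "source": "Backup Anomaly"},
    {"host": "db02.corp.example", "ts": "2024-05-01T03:00:00", "source": "Risk Analysis"},
]
PARTNER_SIGNALS = [
    {"host": "web01.corp.example", "ts": "2024-05-01T01:55:00", "platform": "CrowdStrike"},
    {"host": "WEB01", "ts": "2024-05-01T02:05:00", "platform": "Palo Alto Networks"},
    {"host": "web01", "ts": "2024-04-20T09:00:00", "platform": "Netskope"},  # stale, outside window
    {"host": "fs03", "ts": "2024-05-01T02:20:00", "platform": "CrowdStrike"},  # no backup finding
]


def normalize_host(name):
    """Asset key: lower-case short name so FQDN and NetBIOS spellings match."""
    return name.strip().lower().split(".")[0]


def correlate(backup, partner, window=timedelta(hours=24)):
    """Starting from each backup-derived finding, collect partner signals for the
    same asset within `window` and summarise them per asset."""
    partner_by_host = defaultdict(list)
    for idx, ev in enumerate(partner):
        partner_by_host[normalize_host(ev["host"])].append((idx, ev))

    matched = defaultdict(set)      # asset -> indexes of related partner events
    summary = {}
    for ev in backup:
        key = normalize_host(ev["host"])
        entry = summary.setdefault(key, {"backup_findings": set(), "platforms": set()})
        entry["backup_findings"].add(ev["source"])
        t0 = datetime.fromisoformat(ev["ts"])
        for idx, p in partner_by_host.get(key, []):
            if abs(datetime.fromisoformat(p["ts"]) - t0) <= window:
                matched[key].add(idx)     # set avoids double counting one partner event
                entry["platforms"].add(p["platform"])

    for key, entry in summary.items():
        entry["backup_findings"] = sorted(entry["backup_findings"])
        entry["platforms"] = sorted(entry["platforms"])
        entry["related_signals"] = len(matched[key])
        # Production impact is only asserted when a non-backup sensor agrees.
        entry["production_impact"] = bool(entry["platforms"])
    return summary
```

Assets that appear only in partner telemetry (fs03 here) are deliberately absent from the output, because the investigation starts from what was found in backup data.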