SIEM webhooks may require additional configuration before they can deliver events. SIEM webhook notifications send a JSON body, and when you configure a SIEM with a webhook you must adapt that JSON body to the format preferred by your webhook application. The placeholders in the templates below (for example <ALERTDESCRIPTION>, <DETAILS>, and <USERNAME>) are substituted into JSON string literals at send time; confirm that the substituted values are JSON-escaped (double quotes, backslashes, and newlines), because an unescaped value containing those characters produces a malformed or misleading payload.
The following are example JSON templates:
Microsoft Teams Template
Microsoft Teams can receive alerts, events, and audit trail information from the SIEM webhook.
Example
Alerts
{
"summary": "<ALERTNAME>",
"themeColor": "0078D7",
"title": "Alert - <ALERTNAME>",
"sections": [
{
"facts": [
{
"name": "Alert Id",
"value": "<ALERTID>"
},
{
"name": "Alert name",
"value": "<ALERTNAME>"
},
{
"name": "Detected time",
"value": "<ALERTTIME>"
},
{
"name": "Severity",
"value": "<ALERTSEVERITY>"
},
{
"name": "Job Id",
"value": "<JOBID>"
},
{
"name": "Description",
"value": "<ALERTDESCRIPTION>"
},
{
"name": "CS UTC Timestamp",
"value": "<UTCTIMESTAMP>"
},
{
"name": "Company name",
"value": "<Companyname>"
}
]
}
]
}
Audit
{
"summary": "<OPERATION>",
"themeColor": "0078D7",
"title": "Audit - <OPERATION>",
"sections": [
{
"facts": [
{
"name": "OpId",
"value": "<OPID>"
},
{
"name": "Audit Time",
"value": "<AUDITTIME>"
},
{
"name": "Severity",
"value": "<SEVERITYLEVEL>"
},
{
"name": "User",
"value": "<USERNAME>"
},
{
"name": "Operation",
"value": "<OPERATION>"
},
{
"name": "Details",
"value": "<DETAILS>"
},
{
"name": "Company name",
"value": "<Companyname>"
},
{
"name": "UTC Timestamp",
"value": "<UTCTIMESTAMP>"
}
]
}
]
}
Events
{
"summary": "<EVENTID>",
"themeColor": "0078D7",
"title": "Event - <EVENTID>",
"sections": [
{
"facts": [
{
"name": "Event Id",
"value": "<EVENTID>"
},
{
"name": "Occurrence Time",
"value": "<OCCURRENCETIME>"
},
{
"name": "Severity",
"value": "<EVENTSEVERITY>"
},
{
"name": "Computer",
"value": "<COMPUTER>"
},
{
"name": "Program",
"value": "<PROGRAM>"
},
{
"name": "Description",
"value": "<DESCRIPTION>"
},
{
"name": "UTC Timestamp",
"value": "<UTCTIMESTAMP>"
}
]
}
]
}
Slack Template
You can configure Slack to receive webhook alerts, audit trail information, and events from Commvault Cloud. The Slack templates below place most field values in "mrkdwn" blocks, so substituted values such as <DETAILS> or <DESCRIPTION> are rendered as Slack markup rather than literal text; if a field may contain characters that Slack would interpret as markup, consider using a "plain_text" block for it instead.
Example
Alerts
{
"text": "Alert - <ALERTNAME>",
"blocks": [
{
"type": "section",
"text": {
"type": "plain_text",
"text": "<ALERTNAME>"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<ALERTNAME>"
}
},
{
"type": "section",
"block_id": "section789",
"fields": [
{
"type": "mrkdwn",
"text": "Detected Criteria: <ALERTDESCRIPTION> \n"
},
{
"type": "mrkdwn",
"text": "Detected Time: <ALERTTIME> \n"
},
{
"type": "mrkdwn",
"text": "Alert Id: <ALERTID> \n"
},
{
"type": "mrkdwn",
"text": "Severity: <ALERTSEVERITY> \n"
},
{
"type": "mrkdwn",
"text": "Job Id: <JOBID> \n"
}
]
}
]
}
Audit
{
"text": "Audit - <OPERATION>",
"blocks": [
{
"type": "section",
"text": {
"type": "plain_text",
"text": "<OPERATION>"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<OPID>"
}
},
{
"type": "section",
"block_id": "section789",
"fields": [
{
"type": "mrkdwn",
"text": "Audit Time: <AUDITTIME> \n"
},
{
"type": "mrkdwn",
"text": "Severity: <SEVERITYLEVEL> \n"
},
{
"type": "mrkdwn",
"text": "User: <USERNAME> \n"
},
{
"type": "mrkdwn",
"text": "Operation: <OPERATION> \n"
},
{
"type": "mrkdwn",
"text": "Details: <DETAILS> \n"
}
]
}
]
}
Events
{
"text": "Event - <EVENTID>",
"blocks": [
{
"type": "section",
"text": {
"type": "plain_text",
"text": "<EVENTID>"
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "<EVENTID>"
}
},
{
"type": "section",
"block_id": "section789",
"fields": [
{
"type": "mrkdwn",
"text": "Occurrence Time: <OCCURRENCETIME> \n"
},
{
"type": "mrkdwn",
"text": "Severity: <EVENTSEVERITY> \n"
},
{
"type": "mrkdwn",
"text": "Computer: <COMPUTER> \n"
},
{
"type": "mrkdwn",
"text": "Program: <PROGRAM> \n"
},
{
"type": "mrkdwn",
"text": "Description: <DESCRIPTION> \n"
}
]
}
]
}
Splunk Template
Commvault Cloud can send alerts, audit trail information, and events to Splunk using the HTTP Event Collector (HEC). HEC authenticates each request with a token carried in the HTTP request header; treat that token as a credential and do not store it in shared templates. The templates below define only the field layout of the body; confirm against the Splunk HEC documentation whether your collector endpoint expects the payload to be wrapped in its event envelope.
Example
Alerts
{ "summary": "<ALERTNAME>", "title": "Alert - <ALERTNAME>", "sections": [ { "facts": [ { "name": "Alert Id", "value": "<ALERTID>" }, { "name": "Alert name", "value": "<ALERTNAME>" }, { "name": "Detected time", "value": "<ALERTTIME>" }, { "name": "Severity", "value": "<ALERTSEVERITY>" }, { "name": "Job Id", "value": "<JOBID>" }, { "name": "Description", "value": "<ALERTDESCRIPTION>" }, { "name": "CS UTC Timestamp", "value": "<UTCTIMESTAMP>" }, { "name": "Company name", "value": "<Companyname>" } ] } ]}
Audit
{ "summary": "<OPERATION>", "title": "Audit - <OPERATION>", "sections": [ { "facts": [ { "name": "OpId", "value": "<OPID>" }, { "name": "Audit Time", "value": "<AUDITTIME>" }, { "name": "Severity", "value": "<SEVERITYLEVEL>" }, { "name": "User", "value": "<USERNAME>" }, { "name": "Operation", "value": "<OPERATION>" }, { "name": "Details", "value": "<DETAILS>" } ] } ]}
Events
{ "summary": "<EVENTID>", "title": "Event - <EVENTID>", "sections": [ { "facts": [ { "name": "Event Id", "value": "<EVENTID>" }, { "name": "Occurrence Time", "value": "<OCCURRENCETIME>" }, { "name": "Severity", "value": "<EVENTSEVERITY>" }, { "name": "Computer", "value": "<COMPUTER>" }, { "name": "Program", "value": "<PROGRAM>" }, { "name": "Description", "value": "<DESCRIPTION>" } ] } ]}