);
// Azure control-plane operations from the last 90 days whose caller IP is on the IOC list
let AzureActivityResult =
AzureActivity
| where TimeGenerated > ago(90d)
| where CallerIpAddress has_any(CommVaultIOC);
// Sign-in events from the same 90-day window, combined with the Azure Activity hits above
SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(CommVaultIOC)
| union AzureActivityResult
This query creates a dynamic array containing IP addresses that Commvault has identified as related to malicious activity.
It then searches both Azure Activity logs and Signin logs for the past 90 days, filtering for any events where the caller IP address matches these known malicious addresses, effectively identifying potential compromise attempts.
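The same detection logic, as an added example that is not part of the original article, re-implemented in Python so it can be run offline over exported SigninLogs and AzureActivity rows (for example when Sentinel is unavailable or when validating the KQL against a sample). The IOC addresses and log records below are constructed placeholders; substitute the IPs listed in the advisory.

```python
"""Offline replica of the KQL hunt: match both log sources against an IOC list."""
from datetime import datetime, timedelta, timezone

# Constructed placeholder IOCs (TEST-NET ranges), not the advisory's real addresses.
COMMVAULT_IOC = {"198.51.100.10", "203.0.113.25"}

# Constructed sample rows in the shape of exported SigninLogs / AzureActivity records.
SIGNIN_LOGS = [
    {"TimeGenerated": "2025-05-01T10:00:00Z", "IPAddress": "198.51.100.10",
     "UserPrincipalName": "svc-backup@example.com"},
    {"TimeGenerated": "2025-05-02T11:30:00Z", "IPAddress": "192.0.2.5",
     "UserPrincipalName": "alice@example.com"},
    # IOC hit, but older than the 90-day window, so it must be excluded
    {"TimeGenerated": "2024-12-01T08:00:00Z", "IPAddress": "203.0.113.25",
     "UserPrincipalName": "bob@example.com"},
]
AZURE_ACTIVITY = [
    {"TimeGenerated": "2025-05-03T09:15:00Z", "CallerIpAddress": "203.0.113.25",
     "OperationNameValue": "Microsoft.Authorization/roleAssignments/write"},
    {"TimeGenerated": "2025-05-03T09:20:00Z", "CallerIpAddress": "192.0.2.9",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/read"},
]

# Fixed reference time for the constructed sample (stands in for KQL's now()).
NOW = datetime(2025, 5, 10, tzinfo=timezone.utc)


def _parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_ioc_hits(signin_logs, azure_activity, iocs, now, lookback_days=90):
    """Return rows from both sources whose source IP is in `iocs` and whose
    TimeGenerated is newer than now - lookback_days (mirrors the KQL union)."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    # Each source keeps its own IP column, as in the KQL query.
    sources = (("SigninLogs", "IPAddress", signin_logs),
               ("AzureActivity", "CallerIpAddress", azure_activity))
    for table, ip_field, rows in sources:
        for row in rows:
            if _parse_ts(row["TimeGenerated"]) <= cutoff:
                continue  # outside the 90-day window
            if row.get(ip_field) in iocs:
                hits.append({"Table": table, "TimeGenerated": row["TimeGenerated"],
                             "IP": row[ip_field]})
    return hits


def demo():
    """Run the hunt over the constructed sample; returns two hits."""
    return find_ioc_hits(SIGNIN_LOGS, AZURE_ACTIVITY, COMMVAULT_IOC, NOW)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```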
Mitigations
CISA has mandated that Federal Civilian Executive Branch agencies apply patches for this vulnerability by May 19, 2025.
However, all organizations using Commvault products should immediately apply the fixes available in versions 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for both Windows and Linux platforms.
Beyond patching, Commvault recommends implementing Conditional Access policies for all Microsoft 365, Dynamics 365, and Azure AD single-tenant app registrations. Additionally, organizations should:
Rotate and sync client secrets between Azure portal and Commvault every 90 days.
Explicitly block the identified malicious IP addresses in Conditional Access policies.
Monitor sign-in activity for access attempts from outside allowlisted ranges.
Report suspicious activities to Commvault Support immediately.
With nation-state actors actively exploiting CVE-2025-3928, organizations must prioritize detection and remediation.
The provided KQL query serves as a critical tool for security teams to identify potential compromises through Azure’s native logging capabilities.
By combining this detection mechanism with proper patching and enhanced security measures, organizations can significantly reduce their risk exposure while ensuring the integrity of their Commvault environments.