SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers
United States
Corporate incident response oc multiscreen malware alerts cloud backups
#
Malware
#
Data Protection
#
DR

Commvault deepens Microsoft Security link for rapid recovery

Mon, 23rd Mar 2026
Author image
By Joseph Gabriel Lagonsin, News Editor

Commvault has expanded its integration with Microsoft Security, linking Commvault Cloud with Microsoft Sentinel and Microsoft Security Copilot.

The integration is intended to connect threat detection more closely with data recovery workflows. It brings Commvault security alerts into Microsoft Sentinel and adds a Commvault Investigation Agent to Microsoft Security Copilot.

Under the arrangement, alerts generated by Commvault Cloud Threat Scan and Risk Analysis are streamed into Microsoft Sentinel in real time. These include malware detections, backup anomalies and signs of sensitive data exposure.

Security operations centre analysts can then access that data in Sentinel and combine it with other security intelligence to assess an incident's impact and confirm its scope. This is intended to give security teams visibility into backup-related risks alongside the broader threat data already used in their workflows.

A separate part of the announcement centres on Commvault's Investigation Agent in Microsoft Security Copilot. Built for cyber recovery investigations, the agent analyses suspicious activity using Commvault recovery data to identify affected hosts, unusual encryption patterns and validated restore points.

Combined with signals from Microsoft's security products, the integration is designed to reduce the manual hand-offs that often take place between security teams and backup administrators during a cyber incident. The goal is to shorten the time between threat detection and clean data restoration.

Recovery link

The latest work reflects a broader shift in cyber security towards tying response and recovery more closely together, particularly as ransomware attacks continue to target backup environments as well as production systems. In many organisations, detection tools and recovery systems are still managed by different teams, slowing investigations and complicating decisions about when and what to restore.

Coordinated workflows between security and recovery teams are a central part of the integration. In the coming quarters, incident insights gathered through Sentinel are expected to feed automated, policy-based recovery workflows designed to orchestrate clean recovery after an attack.

For customers already using Microsoft's security stack, the integration may reduce the need to switch between separate consoles during an investigation. It also places backup telemetry inside the same environment security operations teams use for monitoring, triage and response.

Michelle Graff, SVP, Global Channels and Partnerships at Commvault, said the announcement marked a broader change in how resilience operations are handled. "This isn't just an integration - it's a blueprint for the future of agentic ResOps," Graff said.

"As attacks continue to evolve, siloed approaches don't work. Seconds matter. By uniting and automating critical workflows, Commvault and Microsoft are ushering in a modern approach that can diminish the time between detection and recovery, advance the collaboration between IT and security teams, and keep enterprises running in a state of continuous resiliency," she added.

Microsoft described the partnership in similar terms, focusing on linking artificial intelligence tools with recovery processes during security incidents. It pointed to the combination of Microsoft Sentinel, Microsoft Security Copilot and Commvault's threat analysis tools as a single operating model for resilience work.

"In today's threat landscape, the need to connect AI-enabled intelligence with automated recovery has never been greater," said Krishna Kumar Parthasarathy, CVP Sentinel Platform, Microsoft Security.

"The combination of Microsoft's Security Copilot, Microsoft Sentinel, and Commvault's Threat Scan and Risk Analysis gives enterprises access to a unified approach that can transform ResOps," Parthasarathy said.

Early access

The updated Microsoft Sentinel connector and the Investigation Agent in Security Copilot are in early access. General availability is expected in the summer.

Commvault, listed on Nasdaq under the ticker CVLT, has been positioning cyber recovery, data security and identity resilience as connected parts of a single operating model. The latest Microsoft tie-up adds to that strategy by bringing recovery-layer information into security investigations and feeding security findings back into recovery decisions.

The practical test for customers will be whether the joint workflow reduces the time needed to determine what data is safe to restore after an attack. In incidents involving ransomware or destructive malware, that decision can shape both downtime and the risk of reintroducing compromised data into production systems.

Commvault said the Investigation Agent uses recovery-layer intelligence to determine scope, including impacted hosts, anomalous encryption patterns and validated restore points.

Related stories
OpenAI launches Trusted Access for Cyber with major names
Anthropic launches Claude Opus 4.7 with stronger coding
Cyber insurance now common among North American SMBs
CIQ launches Linux compliance platform ahead of deadlines
Emerson & OPSWAT strike global reseller deal for OT patching

Top stories

Team Cymru launches Total Insights Feeds for threat data
FIRST conference highlights AI & CVE disclosure push
Protegrity launches AI Team Edition for secure inferencing
Autonomize launches healthcare AI platform version 3
CERN joins OpenSearch foundation as associate member