Commvault Cloud Alert

let CommvaultData = union isfuzzy=true
    (CommvaultSecurityIQ_CL | where TimeGenerated > ago(5m)),
    (datatable(TimeGenerated:datetime, eventCodeString_s:string, Event_Code_s:string, description_s:string, Description_s:string, id_d:real, Event_Id_s:string)[]);
CommvaultData
| where isnotempty(TimeGenerated)
| where eventCodeString_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
    or Event_Code_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
| extend Description = coalesce(description_s, Description_s, "")
| extend EventId = coalesce(tostring(toint(id_d)), Event_Id_s, "")
| extend ClientMachine = case(
    Description contains "on the machine", extract(@"on the machine \[([^\]]+)\]", 1, Description),
    Description contains "on client", extract(@"on client \[([^\]]+)\]", 1, Description),
    Description contains "for client", extract(@"for client \[([^\]]+)\]", 1, Description),
    Description contains "client", extract(@"client \[([^\]]+)\]", 1, Description),
    Description contains "machine", extract(@"machine \[([^\]]+)\]", 1, Description),
    "Unknown"
)
| project TimeGenerated, eventCodeString_s, Event_Code_s, EventId, Description, ClientMachine, Event_Id_s, id_d
| take 1000

queryPeriod: 5m
query: |
  let CommvaultData = union isfuzzy=true
      (CommvaultSecurityIQ_CL | where TimeGenerated > ago(5m)),
      (datatable(TimeGenerated:datetime, eventCodeString_s:string, Event_Code_s:string, description_s:string, Description_s:string, id_d:real, Event_Id_s:string)[]);
  CommvaultData
  | where isnotempty(TimeGenerated)
  | where eventCodeString_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
      or Event_Code_s in ("7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575")
  | extend Description = coalesce(description_s, Description_s, "")
  | extend EventId = coalesce(tostring(toint(id_d)), Event_Id_s, "")
  | extend ClientMachine = case(
      Description contains "on the machine", extract(@"on the machine \[([^\]]+)\]", 1, Description),
      Description contains "on client", extract(@"on client \[([^\]]+)\]", 1, Description),
      Description contains "for client", extract(@"for client \[([^\]]+)\]", 1, Description),
      Description contains "client", extract(@"client \[([^\]]+)\]", 1, Description),
      Description contains "machine", extract(@"machine \[([^\]]+)\]", 1, Description),
      "Unknown"
  )
  | project TimeGenerated, eventCodeString_s, Event_Code_s, EventId, Description, ClientMachine, Event_Id_s, id_d
  | take 1000  
enabled: true
name: Commvault Cloud Alert
entityMappings: 
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
alertDetailsOverride:
  alertDisplayNameFormat: 'Alert from Commvault Cloud for Event ID :  {{id_d}} '
  alertDescriptionFormat: 'Alert from Commvault Cloud for Event ID :  {{id_d}} . Event Description : {{Description}}  . Check the event description on Commvault Command Center for more details.'
  alertDynamicProperties: []
description: |
    'This query identifies Alerts from Commvault Cloud.'
kind: Scheduled
version: 1.0.4
status: Available
severity: Medium
requiredDataConnectors:
- connectorId: CommvaultSecurityIQ_CL
  datatypes:
  - CommvaultSecurityIQ_CL
triggerOperator: gt
triggerThreshold: 0
customDetails:
  Client: ClientMachine
tactics:
- DefenseEvasion
- Impact
id: 317e757e-c320-448e-8837-fc61a70fe609
relevantTechniques:
- T1578
- T1531