Microsoft Sentinel Analytic Rules

Commvault Cloud Alert

Id: 317e757e-c320-448e-8837-fc61a70fe609
Rulename: Commvault Cloud Alert
Description: This query identifies Alerts from Commvault Cloud.
Severity: Medium
Tactics: DefenseEvasion, Impact
Techniques: T1578, T1531
Required data connectors: CommvaultSecurityIQ_CL
Kind: Scheduled
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
Version: 1.0.5
Arm template: 317e757e-c320-448e-8837-fc61a70fe609.json

Query:
let TargetEventCodes = dynamic(["7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575", "35:5636", "7:349", "17:193", "17:195"]);
CommvaultAlerts_CL
| where TimeGenerated > ago(5m)
| where EventCode in (TargetEventCodes)
| take 1000

Rule definition (YAML):
id: 317e757e-c320-448e-8837-fc61a70fe609
enabled: true
tags:
- Commvault
- Metallic
- Threat Intelligence
- Ransomware
triggerOperator: gt
entityMappings: 
eventGroupingSettings:
  aggregationKind: AlertPerResult
requiredDataConnectors:
- datatypes:
  - CommvaultAlerts_CL
  connectorId: CommvaultSecurityIQ_CL
queryFrequency: 5m
alertDetailsOverride:
  alertDynamicProperties: []
  alertDisplayNameFormat: 'Alert from Commvault Cloud for Event ID: {{EventId}}'
  alertDescriptionFormat: 'Alert from Commvault Cloud for Event ID: {{EventId}}. Event Description: {{Description}}. Check the event description on Commvault Command Center for more details.'
queryPeriod: 5m
status: Available
query: |
  let TargetEventCodes = dynamic(["7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59", "7:333", "69:60", "35:5575", "35:5636", "7:349", "17:193", "17:195"]);
  CommvaultAlerts_CL
  | where TimeGenerated > ago(5m)
  | where EventCode in (TargetEventCodes)
  | take 1000  
name: Commvault Cloud Alert
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
tactics:
- DefenseEvasion
- Impact
severity: Medium
relevantTechniques:
- T1578
- T1531
triggerThreshold: 0
version: 1.0.5
description: |
    'This query identifies Alerts from Commvault Cloud.'
customDetails:
  Client: HostName