What Changed

The Commvault Security IQ data connector underwent a complete architectural migration from the legacy Log Analytics HTTP Data Collector API to the modern Azure Monitor Logs Ingestion API with Data Collection Endpoint (DCE) and Data Collection Rule (DCR) infrastructure.

Security Impact (Visibility & Fidelity)

This modernization prevents future ingestion failures as Microsoft phases out legacy APIs. The connector now uses:

  • Azure Monitor Logs Ingestion API via LogsIngestionClient instead of deprecated HTTP Data Collector API
  • Data Collection Rule (DCR) for schema validation and transformation
  • Data Collection Endpoint (DCE) for secure data ingestion
  • Managed Identity authentication replacing shared key authentication
  • Custom table CommvaultAlerts_CL (renamed from CommvaultSecurityIQ_CL)

Event filtering logic remains unchanged: the connector still targets the same security event codes (7:211, 7:212, 7:293, 7:269, 14:337, 14:338, 69:59, 7:333, 69:60, 35:5575, 35:5636, 7:349, 17:193, 17:195) unless ShowAllEvents is enabled.

ARM Template Changes

The deployment template now provisions:

  • Data Collection Endpoint (DCE) resource
  • Data Collection Rule (DCR) with custom stream definition
  • Role assignment granting Function App managed identity Monitoring Metrics Publisher permissions on DCR

The deprecated AzureSentinelWorkspaceId and AzureSentinelSharedKey parameters have been removed from the template.

Data Format Changes

Events are normalized with improved field mapping:

  • EventCode field now uses eventCodeString (previously eventCode)
  • Enhanced client name extraction from event descriptions
  • Better timestamp normalization via timeSource field
  • Hidden metadata extraction from HTML span elements in descriptions

Organizations using this connector must upgrade to maintain Commvault security event visibility as Microsoft deprecates the legacy ingestion API.
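
The filtering and field mapping described above, sketched as an added example that is not the connector's main.py. The function names, the id and description fields, the epoch-seconds reading of timeSource, and the upload parameters are assumptions; the event codes, eventCodeString, EventCode and timeSource come from this page.

```python
from datetime import datetime, timezone

# Security event codes listed on this page.
SECURITY_EVENT_CODES = frozenset({
    "7:211", "7:212", "7:293", "7:269", "14:337", "14:338", "69:59",
    "7:333", "69:60", "35:5575", "35:5636", "7:349", "17:193", "17:195",
})

def normalize(event):
    """Map one raw event to a table row (field names are assumptions)."""
    try:
        # Assumption: timeSource carries epoch seconds.
        when = datetime.fromtimestamp(int(event["timeSource"]), tz=timezone.utc)
    except (KeyError, TypeError, ValueError, OverflowError, OSError):
        # Missing or malformed timestamp: keep the event, stamp ingestion time.
        when = datetime.now(timezone.utc)
    return {
        "TimeGenerated": when.isoformat(),
        "EventCode": event.get("eventCodeString", ""),
        "EventId": event.get("id"),
        "Description": event.get("description", ""),
    }

def select_rows(events, show_all_events=False):
    """Keep listed codes unless show_all_events; return (rows, dropped_count)."""
    rows, dropped = [], 0
    for event in events:
        # An event carrying only the old eventCode field does not match here.
        if show_all_events or event.get("eventCodeString") in SECURITY_EVENT_CODES:
            rows.append(normalize(event))
        else:
            dropped += 1
    return rows, dropped

def upload(rows, dce_endpoint, dcr_immutable_id, stream_name):
    """Send rows through the DCE and DCR with the managed identity."""
    # Imported here so the filtering above runs without the Azure SDK.
    from azure.identity import ManagedIdentityCredential
    from azure.monitor.ingestion import LogsIngestionClient
    client = LogsIngestionClient(endpoint=dce_endpoint,
                                 credential=ManagedIdentityCredential())
    client.upload(rule_id=dcr_immutable_id, stream_name=stream_name, logs=rows)

# Constructed sample events, not real Commvault output.
SAMPLE_EVENTS = [
    {"id": 1, "eventCodeString": "7:211", "timeSource": 1700000000, "description": "constructed"},
    {"id": 2, "eventCodeString": "19:1", "timeSource": 1700000060, "description": "constructed"},
    {"id": 3, "eventCodeString": "69:59", "timeSource": "bad", "description": "constructed"},
]
```

Logging the dropped count per run gives a baseline for comparing ingestion volume before and after the upgrade.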

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/CommvaultAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/CommvaultSecurityIQ_CL.json
Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml
Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py
Solutions/Commvault Security IQ/Data Connectors/CommvaultSecurityIQ_API_AzureFunctionApp.json
Solutions/Commvault Security IQ/Data Connectors/azuredeploy_CommvaultSecurityIQ_FunctionApp.json
Solutions/Commvault Security IQ/Data Connectors/requirements.txt
Solutions/Commvault Security IQ/DataConnector.md
Solutions/Commvault Security IQ/Permissions.md
Solutions/Commvault Security IQ/README.md
(packaging artefacts: 3.0.4.zip, CommvaultSecurityIQDataConnector.zip, ReleaseNotes.md, Solution_Commvault Security IQ.json, mainTemplate.json)