What Changed

Added two new event codes to the Commvault Security IQ connector ingestion filter: “69:65” and “69:66”. These events were introduced in Commvault threat scan functionality but were not being collected by the existing connector configuration.

Also fixed the regex patterns that extract clientId and clientName from event descriptions. The patterns now match the PascalCase field names (“ClientId” and “ClientName”) instead of lowercase variants, closing a data fidelity gap in which these fields returned null for events using the PascalCase format.

Security Impact (Visibility & Fidelity)

New Event Coverage: The addition of event codes 69:65 and 69:66 closes a visibility gap for threat scan activity. Deployments running prior versions had incomplete ingestion of threat scanning events, potentially missing security-relevant activities during threat detection workflows.

Parser Fidelity Fix: The regex update resolves a data extraction issue where clientId and hostName fields returned null for events containing PascalCase formatting. Queries referencing these fields against affected events would have missed valid data — this is a data fidelity fix restoring proper field population for threat scan events.
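
The sketch below is an added illustration, not code from main.py: it runs the same constructed events through the previous and updated configuration and counts dropped events and null fields. The description layout, the "code" and "description" keys, the exact regexes and the "0:0" baseline code are assumptions; only the codes 69:65 and 69:66 and the PascalCase names ClientId and ClientName come from this change.

```python
import re

# Assumed patterns: the connector's real regexes are not shown in this change note.
OLD_PATTERNS = {
    "clientId": re.compile(r"clientid\s*\[(\d+)\]"),
    "clientName": re.compile(r"clientname\s*\[([^\]]+)\]"),
}
NEW_PATTERNS = {
    "clientId": re.compile(r"ClientId\s*\[(\d+)\]"),
    "clientName": re.compile(r"ClientName\s*\[([^\]]+)\]"),
}

BASELINE_CODE = "0:0"  # placeholder for codes already in the filter (constructed)
OLD_CODES = {BASELINE_CODE}
NEW_CODES = OLD_CODES | {"69:65", "69:66"}  # the two codes added by this change

# Constructed sample events; the description layout is hypothetical.
SAMPLE_EVENTS = [
    {"code": "0:0", "description": "Backup job event. ClientId [7] ClientName [app01]"},
    {"code": "69:65", "description": "Threat scan flagged files. ClientId [42] ClientName [fileserver01]"},
    {"code": "69:66", "description": "Threat scan completed. ClientId [42] ClientName [fileserver01]"},
]


def ingest(events, codes, patterns):
    """Keep events whose code passes the filter and extract fields (None when no match)."""
    records = []
    for event in events:
        if event["code"] not in codes:
            continue  # filtered out: the event never reaches the workspace
        record = {"code": event["code"]}
        for field, pattern in patterns.items():
            match = pattern.search(event["description"])
            record[field] = match.group(1) if match else None
        records.append(record)
    return records


def fidelity_report(events, codes, patterns):
    """Summarise the visibility gap (dropped events) and fidelity gap (null fields)."""
    records = ingest(events, codes, patterns)
    nulls = sum(1 for r in records for field in patterns if r[field] is None)
    return {"ingested": len(records), "dropped": len(events) - len(records), "null_fields": nulls}


if __name__ == "__main__":
    print("before:", fidelity_report(SAMPLE_EVENTS, OLD_CODES, OLD_PATTERNS))
    print("after: ", fidelity_report(SAMPLE_EVENTS, NEW_CODES, NEW_PATTERNS))
```

A check of this kind can be kept as a regression test so that a future change to the filter list or the patterns is caught before ingested records start carrying null client fields.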

Affected Files

Solutions/Commvault Security IQ/Data Connectors/AzureFunctionCommvaultSecurityIQ/main.py
(packaging artefacts: CommvaultSecurityIQDataConnector.zip)