Analytic rule catalog
VMware SD-WAN Edge - IDSIPS Signature Update Failed
Back
| Id | 27553108-4aaf-4a3e-8ecd-5439d820d474 |
| Rulename | VMware SD-WAN Edge - IDS/IPS Signature Update Failed |
| Description | The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue. If the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats. |
| Severity | High |
| Required data connectors | VMwareSDWAN |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-idps-updatefailed.yaml |
| Version | 1.0.0 |
| Arm template | 27553108-4aaf-4a3e-8ecd-5439d820d474.json |
VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail
suppressionDuration: 5h
query: |+
VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail
queryPeriod: 1h
id: 27553108-4aaf-4a3e-8ecd-5439d820d474
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
triggerOperator: gt
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
enabled: true
groupByCustomDetails: []
groupByAlertDetails: []
lookbackDuration: 5h
groupByEntities: []
matchingMethod: AllEntities
createIncident: true
name: VMware SD-WAN Edge - IDS/IPS Signature Update Failed
customDetails:
idpsSignatureVersion: idpsSignatureVersion
edgeSerialNumber: edgeSerialNumber
suppressionEnabled: false
triggerThreshold: 0
severity: High
alertDetailsOverride:
alertDescriptionFormat: '{{message}} '
alertDynamicProperties: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-idps-updatefailed.yaml
description: |-
The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.
If the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.
version: 1.0.0
queryFrequency: 1h
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27553108-4aaf-4a3e-8ecd-5439d820d474')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27553108-4aaf-4a3e-8ecd-5439d820d474')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{message}} ",
"alertDynamicProperties": []
},
"alertRuleTemplateName": "27553108-4aaf-4a3e-8ecd-5439d820d474",
"customDetails": {
"edgeSerialNumber": "edgeSerialNumber",
"idpsSignatureVersion": "idpsSignatureVersion"
},
"description": "The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.\n\nIf the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.",
"displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Failed",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sdwan-idps-updatefailed.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}