Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware SD-WAN Edge - IDSIPS Signature Update Failed

VMware SD-WAN Edge - IDSIPS Signature Update Failed

Back
Id27553108-4aaf-4a3e-8ecd-5439d820d474
RulenameVMware SD-WAN Edge - IDS/IPS Signature Update Failed
DescriptionThe VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.



If the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.
SeverityHigh
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-updatefailed.yaml
Version1.0.0
Arm template27553108-4aaf-4a3e-8ecd-5439d820d474.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-updatefailed.yaml
queryPeriod: 1h
description: |-
  The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.

  If the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.  
triggerThreshold: 0
name: VMware SD-WAN Edge - IDS/IPS Signature Update Failed
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    matchingMethod: AllEntities
    enabled: true
    groupByCustomDetails: []
    groupByEntities: []
    reopenClosedIncident: false
    groupByAlertDetails: []
kind: Scheduled
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
customDetails:
  idpsSignatureVersion: idpsSignatureVersion
  edgeSerialNumber: edgeSerialNumber
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
queryFrequency: 1h
suppressionEnabled: false
id: 27553108-4aaf-4a3e-8ecd-5439d820d474
version: 1.0.0
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

alertDetailsOverride:
  alertDescriptionFormat: '{{message}} '
  alertDynamicProperties: []
severity: High