Back
Idd811ef72-66b9-43a3-ba29-cd9e4bf75b74
RulenameVMware Cloud Web Security - Data Loss Prevention Violation
DescriptionThis Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
SeverityMedium
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cwsdlp-violation.yaml
Version1.0.0
Arm templated811ef72-66b9-43a3-ba29-cd9e4bf75b74.json
Deploy To Azure
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
queryPeriod: 1h
kind: Scheduled
suppressionEnabled: false
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
suppressionDuration: 5h
severity: Medium
queryFrequency: 1h
triggerOperator: gt
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
name: VMware Cloud Web Security - Data Loss Prevention Violation
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: userId
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: sourceIp
- entityType: CloudApplication
  fieldMappings:
  - identifier: Name
    columnName: casbAppName
- entityType: URL
  fieldMappings:
  - identifier: Url
    columnName: dstUrl
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - CWS
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cwsdlp-violation.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    groupByCustomDetails: []
    groupByAlertDetails: []
    lookbackDuration: 5h
    groupByEntities: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
customDetails:
  CWS_Rule_Name: ruleMatched
  CWS_Policy_Name: policyName
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "properties": {
        "alertRuleTemplateName": "d811ef72-66b9-43a3-ba29-cd9e4bf75b74",
        "customDetails": {
          "CWS_Policy_Name": "policyName",
          "CWS_Rule_Name": "ruleMatched"
        },
        "description": "This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.",
        "displayName": "VMware Cloud Web Security - Data Loss Prevention Violation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userId",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "casbAppName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "dstUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cwsdlp-violation.yaml",
        "query": "VMware_CWS_DLPLogs_CL\n| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}