VMware SD-WAN Edge - IDSIPS Signature Update Failed

VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

triggerOperator: gt
triggerThreshold: 0
name: VMware SD-WAN Edge - IDS/IPS Signature Update Failed
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-updatefailed.yaml
queryPeriod: 1h
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
kind: Scheduled
queryFrequency: 1h
alertDetailsOverride:
  alertDescriptionFormat: '{{message}} '
  alertDynamicProperties: []
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
customDetails:
  edgeSerialNumber: edgeSerialNumber
  idpsSignatureVersion: idpsSignatureVersion
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    groupByAlertDetails: []
    groupByEntities: []
    enabled: true
    lookbackDuration: 5h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
description: |-
  The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.

  If the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.  
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

id: 27553108-4aaf-4a3e-8ecd-5439d820d474
version: 1.0.0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/27553108-4aaf-4a3e-8ecd-5439d820d474')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/27553108-4aaf-4a3e-8ecd-5439d820d474')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{message}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "27553108-4aaf-4a3e-8ecd-5439d820d474",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber",
          "idpsSignatureVersion": "idpsSignatureVersion"
        },
        "description": "The VMware SD-WAN Edge Management Plane reported a failed IDS/IPS signature update. This can indicate a potential management plane issue, an Edge OS version mismatch (IDS/IPS has been introduced in release 5.2.0.0), or a software issue.\n\nIf the Edge was able to download signature files before, this error means that the IPS/IDS engine can still provide a level of protection, however, signatures might be missing or inaccurate. If the Edge has no valid signature file, this error could indicate that the Edge Firewall cannot protect from network threats.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Failed",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-updatefailed.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_FAILED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}