VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction contains "SECURITY_RULE"
| extend cwsRuleName = todynamic(detail).name
| extend cwsRuleType = todynamic(detail).data.ruleType
| extend cwsPolicyName = todynamic(detail).policyName
queryFrequency: 1h
description: This Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.
eventGroupingSettings:
aggregationKind: AlertPerResult
name: VMware Cloud Web Security - Policy Change Detected
suppressionDuration: 5h
triggerThreshold: 0
id: 3efebd49-c985-431b-9da8-d7d397092d18
requiredDataConnectors:
- dataTypes:
- CWS
connectorId: VMwareSDWAN
queryPeriod: 1h
query: |+
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction contains "SECURITY_RULE"
| extend cwsRuleName = todynamic(detail).name
| extend cwsRuleType = todynamic(detail).data.ruleType
| extend cwsPolicyName = todynamic(detail).policyName
kind: Scheduled
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml
version: 1.0.0
alertDetailsOverride:
alertDescriptionFormat: |+
CWS Policy Change Detected:
CWS Policy Name: {{cwsPolicyName}}
- Rule changed: {{cwsRuleName}}
- Audited Action: {{cwsPolicyAction}}
alertDynamicProperties:
- value: cwsRuleType
alertProperty: ProductComponentName
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 1h
groupByEntities: []
matchingMethod: AllEntities
groupByAlertDetails: []
enabled: true
reopenClosedIncident: false
groupByCustomDetails: []
triggerOperator: gt
suppressionEnabled: false
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3efebd49-c985-431b-9da8-d7d397092d18')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3efebd49-c985-431b-9da8-d7d397092d18')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CWS Policy Change Detected:\n\nCWS Policy Name: {{cwsPolicyName}}\n - Rule changed: {{cwsRuleName}}\n - Audited Action: {{cwsPolicyAction}}\n\n",
"alertDynamicProperties": [
{
"alertProperty": "ProductComponentName",
"value": "cwsRuleType"
}
]
},
"alertRuleTemplateName": "3efebd49-c985-431b-9da8-d7d397092d18",
"customDetails": null,
"description": "This Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.",
"displayName": "VMware Cloud Web Security - Policy Change Detected",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"CWS_EVENT\"\n| extend cwsPolicyAction = todynamic(detail).subEvent\n| where cwsPolicyAction contains \"SECURITY_RULE\"\n| extend cwsRuleName = todynamic(detail).name\n| extend cwsRuleType = todynamic(detail).data.ruleType\n| extend cwsPolicyName = todynamic(detail).policyName\n\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Informational",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}