Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware Cloud Web Security - Policy Change Detected

VMware Cloud Web Security - Policy Change Detected

Back
Id3efebd49-c985-431b-9da8-d7d397092d18
RulenameVMware Cloud Web Security - Policy Change Detected
DescriptionThis Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml
Version1.0.0
Arm template3efebd49-c985-431b-9da8-d7d397092d18.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction contains "SECURITY_RULE"
| extend cwsRuleName = todynamic(detail).name
| extend cwsRuleType = todynamic(detail).data.ruleType
| extend cwsPolicyName = todynamic(detail).policyName

requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - CWS
alertDetailsOverride:
  alertDynamicProperties:
  - value: cwsRuleType
    alertProperty: ProductComponentName
  alertDescriptionFormat: |+
    CWS Policy Change Detected:

    CWS Policy Name: {{cwsPolicyName}}
     - Rule changed: {{cwsRuleName}}
        - Audited Action: {{cwsPolicyAction}}    

suppressionDuration: 5h
severity: Informational
queryFrequency: 1h
id: 3efebd49-c985-431b-9da8-d7d397092d18
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "CWS_EVENT"
  | extend cwsPolicyAction = todynamic(detail).subEvent
  | where cwsPolicyAction contains "SECURITY_RULE"
  | extend cwsRuleName = todynamic(detail).name
  | extend cwsRuleType = todynamic(detail).data.ruleType
  | extend cwsPolicyName = todynamic(detail).policyName  

queryPeriod: 1h
name: VMware Cloud Web Security - Policy Change Detected
kind: Scheduled
suppressionEnabled: false
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
description: This Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByCustomDetails: []
    matchingMethod: AllEntities
    reopenClosedIncident: false
    groupByEntities: []
    enabled: true
    lookbackDuration: 1h

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3efebd49-c985-431b-9da8-d7d397092d18')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3efebd49-c985-431b-9da8-d7d397092d18')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CWS Policy Change Detected:\n\nCWS Policy Name: {{cwsPolicyName}}\n - Rule changed: {{cwsRuleName}}\n    - Audited Action: {{cwsPolicyAction}}\n\n",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductComponentName",
              "value": "cwsRuleType"
            }
          ]
        },
        "alertRuleTemplateName": "3efebd49-c985-431b-9da8-d7d397092d18",
        "customDetails": null,
        "description": "This Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.",
        "displayName": "VMware Cloud Web Security - Policy Change Detected",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"CWS_EVENT\"\n| extend cwsPolicyAction = todynamic(detail).subEvent\n| where cwsPolicyAction contains \"SECURITY_RULE\"\n| extend cwsRuleName = todynamic(detail).name\n| extend cwsRuleType = todynamic(detail).data.ruleType\n| extend cwsPolicyName = todynamic(detail).policyName\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}