VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction contains "SECURITY_RULE"
| extend cwsRuleName = todynamic(detail).name
| extend cwsRuleType = todynamic(detail).data.ruleType
| extend cwsPolicyName = todynamic(detail).policyName
id: 3efebd49-c985-431b-9da8-d7d397092d18
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policychange.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
requiredDataConnectors:
- dataTypes:
- CWS
connectorId: VMwareSDWAN
queryFrequency: 1h
suppressionEnabled: false
queryPeriod: 1h
triggerThreshold: 0
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 1h
groupByAlertDetails: []
reopenClosedIncident: false
matchingMethod: AllEntities
groupByCustomDetails: []
groupByEntities: []
enabled: true
createIncident: true
query: |+
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction contains "SECURITY_RULE"
| extend cwsRuleName = todynamic(detail).name
| extend cwsRuleType = todynamic(detail).data.ruleType
| extend cwsPolicyName = todynamic(detail).policyName
name: VMware Cloud Web Security - Policy Change Detected
kind: Scheduled
description: This Analytics rule provides notifications when a VMware CWS policy has been modified. These alerts serve audit purposes. Policy changes might lower the level of security controls.
severity: Informational
suppressionDuration: 5h
version: 1.0.0
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductComponentName
value: cwsRuleType
alertDescriptionFormat: |+
CWS Policy Change Detected:
CWS Policy Name: {{cwsPolicyName}}
- Rule changed: {{cwsRuleName}}
- Audited Action: {{cwsPolicyAction}}
