VMware SD-WAN Edge - IDSIPS Alert triggered Search API

Back


Id	44f78dbf-9f29-4ec0-aaca-ab5bf0b559af
Rulename	VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
Description	The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available. This analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.
Severity	High
Tactics	LateralMovement
Techniques	T1210
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml
Version	1.0.0
Arm template	44f78dbf-9f29-4ec0-aaca-ab5bf0b559af.json

KQL

VMware_SDWAN_FirewallLogs_CL
| project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName

YAML

queryPeriod: 1h
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    groupByCustomDetails: []
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByEntities: []
    matchingMethod: AllEntities
    enabled: true
queryFrequency: 1h
id: 44f78dbf-9f29-4ec0-aaca-ab5bf0b559af
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml
severity: High
alertDetailsOverride:
  alertDynamicProperties: []
entityMappings:
- entityType: DNS
  fieldMappings:
  - columnName: domainName
    identifier: DomainName
- entityType: IP
  fieldMappings:
  - columnName: sourceIp
    identifier: Address
relevantTechniques:
- T1210
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
name: VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
query: |
  VMware_SDWAN_FirewallLogs_CL
  | project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName  
customDetails:
  IDPS_Event_Category: category
  IDPS_Signature: signature
tactics:
- LateralMovement
triggerOperator: gt
kind: Scheduled
suppressionEnabled: false
version: 1.0.0
description: |-
  The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.

  This analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44f78dbf-9f29-4ec0-aaca-ab5bf0b559af')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44f78dbf-9f29-4ec0-aaca-ab5bf0b559af')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "44f78dbf-9f29-4ec0-aaca-ab5bf0b559af",
        "customDetails": {
          "IDPS_Event_Category": "category",
          "IDPS_Signature": "signature"
        },
        "description": "The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.\n\nThis analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "domainName",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml",
        "query": "VMware_SDWAN_FirewallLogs_CL\n| project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}