Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware SD-WAN Edge - IDSIPS Alert triggered Search API

Back
Id44f78dbf-9f29-4ec0-aaca-ab5bf0b559af
RulenameVMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
DescriptionThe VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.



This analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.
SeverityHigh
TacticsLateralMovement
TechniquesT1210
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml
Version1.0.0
Arm template44f78dbf-9f29-4ec0-aaca-ab5bf0b559af.json
Deploy To Azure
VMware_SDWAN_FirewallLogs_CL
| project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName
query: |
  VMware_SDWAN_FirewallLogs_CL
  | project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName  
entityMappings:
- fieldMappings:
  - columnName: domainName
    identifier: DomainName
  entityType: DNS
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
description: |-
  The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.

  This analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.  
customDetails:
  IDPS_Event_Category: category
  IDPS_Signature: signature
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 44f78dbf-9f29-4ec0-aaca-ab5bf0b559af
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
name: VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml
kind: Scheduled
triggerOperator: gt
version: 1.0.0
suppressionDuration: 5h
relevantTechniques:
- T1210
queryFrequency: 1h
queryPeriod: 1h
alertDetailsOverride:
  alertDynamicProperties: []
tactics:
- LateralMovement
triggerThreshold: 0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities: []
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/44f78dbf-9f29-4ec0-aaca-ab5bf0b559af')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/44f78dbf-9f29-4ec0-aaca-ab5bf0b559af')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "44f78dbf-9f29-4ec0-aaca-ab5bf0b559af",
        "customDetails": {
          "IDPS_Event_Category": "category",
          "IDPS_Signature": "signature"
        },
        "description": "The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.\n\nThis analytics rule analyses Search API streams. Search API queries report only IDS/IPS Alerts. In case you would also need Network Flood Protection, please enable Syslog collection using AMA.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "domainName",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-api.yaml",
        "query": "VMware_SDWAN_FirewallLogs_CL\n| project TimeGenerated, signature, severity, category, signatureId, actionTaken, edgeName, sourceIp, protocol, sourcePort, destinationIp, destinationPort, domainName, attackSource, attackTarget, firewallPolicyName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}