Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware SD-WAN - Orchestrator Audit Event

Back
Id50c86f92-86b0-4ae3-bb94-698da076ca9e
RulenameVMware SD-WAN - Orchestrator Audit Event
DescriptionThis rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml
Version1.0.0
Arm template50c86f92-86b0-4ae3-bb94-698da076ca9e.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "EDIT_PROFILE"
| extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
| extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
| extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
| extend configChange = todynamic(detail).diff
| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange
customDetails:
  auditAction: configAction
  edgeProfile: edgeProfile
  edgeModule: edgeModule
id: 50c86f92-86b0-4ae3-bb94-698da076ca9e
alertDetailsOverride:
  alertDescriptionFormat: "There was a configuration change event on the VMware Edge Cloud Orchestrator.\nThe configuration changes are the following:\n{{{configChange}} "
  alertDynamicProperties:
  - alertProperty: ProductComponentName
    value: edgeProfile
query: |
  VMware_VECO_EventLogs_CL
  | where event == "EDIT_PROFILE"
  | extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
  | extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
  | extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
  | extend configChange = todynamic(detail).diff
  | project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange  
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml
description: This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
name: VMware SD-WAN - Orchestrator Audit Event
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    groupByCustomDetails: []
  createIncident: true
suppressionEnabled: false
triggerThreshold: 0
severity: Informational
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50c86f92-86b0-4ae3-bb94-698da076ca9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50c86f92-86b0-4ae3-bb94-698da076ca9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "There was a configuration change event on the VMware Edge Cloud Orchestrator.\nThe configuration changes are the following:\n{{{configChange}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductComponentName",
              "value": "edgeProfile"
            }
          ]
        },
        "alertRuleTemplateName": "50c86f92-86b0-4ae3-bb94-698da076ca9e",
        "customDetails": {
          "auditAction": "configAction",
          "edgeModule": "edgeModule",
          "edgeProfile": "edgeProfile"
        },
        "description": "This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.",
        "displayName": "VMware SD-WAN - Orchestrator Audit Event",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"EDIT_PROFILE\"\n| extend edgeProfile = extract(\"^profile \\\\[(.+)\\\\] [a-z]+ module\", 1, message)\n| extend configAction = extract(\"^profile \\\\[.+\\\\] (.+) module\", 1, message)\n| extend edgeModule = extract(\"^profile \\\\[.+\\\\] [a-z]+ module \\\\[(.+)\\\\]$\", 1, message)\n| extend configChange = todynamic(detail).diff\n| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}