VMware_VECO_EventLogs_CL
| where event == "EDIT_PROFILE"
| extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
| extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
| extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
| extend configChange = todynamic(detail).diff
| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange
query: |
VMware_VECO_EventLogs_CL
| where event == "EDIT_PROFILE"
| extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
| extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
| extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
| extend configChange = todynamic(detail).diff
| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange
suppressionEnabled: false
description: This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1h
queryFrequency: 1h
suppressionDuration: 5h
name: VMware SD-WAN - Orchestrator Audit Event
id: 50c86f92-86b0-4ae3-bb94-698da076ca9e
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
lookbackDuration: 5h
groupByEntities: []
groupByAlertDetails: []
matchingMethod: AllEntities
reopenClosedIncident: false
groupByCustomDetails: []
alertDetailsOverride:
alertDynamicProperties:
- alertProperty: ProductComponentName
value: edgeProfile
alertDescriptionFormat: "There was a configuration change event on the VMware Edge Cloud Orchestrator.\nThe configuration changes are the following:\n{{{configChange}} "
kind: Scheduled
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml
version: 1.0.0
severity: Informational
customDetails:
auditAction: configAction
edgeProfile: edgeProfile
edgeModule: edgeModule
eventGroupingSettings:
aggregationKind: SingleAlert
