VMware SD-WAN - Orchestrator Audit Event

Back


Id	50c86f92-86b0-4ae3-bb94-698da076ca9e
Rulename	VMware SD-WAN - Orchestrator Audit Event
Description	This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
Severity	Informational
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml
Version	1.0.0
Arm template	50c86f92-86b0-4ae3-bb94-698da076ca9e.json

KQL

VMware_VECO_EventLogs_CL
| where event == "EDIT_PROFILE"
| extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
| extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
| extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
| extend configChange = todynamic(detail).diff
| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange

YAML

id: 50c86f92-86b0-4ae3-bb94-698da076ca9e
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionEnabled: false
severity: Informational
customDetails:
  auditAction: configAction
  edgeModule: edgeModule
  edgeProfile: edgeProfile
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
alertDetailsOverride:
  alertDynamicProperties:
  - value: edgeProfile
    alertProperty: ProductComponentName
  alertDescriptionFormat: "There was a configuration change event on the VMware Edge Cloud Orchestrator.\nThe configuration changes are the following:\n{{{configChange}} "
version: 1.0.0
query: |
  VMware_VECO_EventLogs_CL
  | where event == "EDIT_PROFILE"
  | extend edgeProfile = extract("^profile \\[(.+)\\] [a-z]+ module", 1, message)
  | extend configAction = extract("^profile \\[.+\\] (.+) module", 1, message)
  | extend edgeModule = extract("^profile \\[.+\\] [a-z]+ module \\[(.+)\\]$", 1, message)
  | extend configChange = todynamic(detail).diff
  | project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange  
queryPeriod: 1h
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByCustomDetails: []
    enabled: true
    groupByEntities: []
    matchingMethod: AllEntities
    lookbackDuration: 5h
  createIncident: true
suppressionDuration: 5h
description: This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.
name: VMware SD-WAN - Orchestrator Audit Event
kind: Scheduled
queryFrequency: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/50c86f92-86b0-4ae3-bb94-698da076ca9e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/50c86f92-86b0-4ae3-bb94-698da076ca9e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "There was a configuration change event on the VMware Edge Cloud Orchestrator.\nThe configuration changes are the following:\n{{{configChange}} ",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProductComponentName",
              "value": "edgeProfile"
            }
          ]
        },
        "alertRuleTemplateName": "50c86f92-86b0-4ae3-bb94-698da076ca9e",
        "customDetails": {
          "auditAction": "configAction",
          "edgeModule": "edgeModule",
          "edgeProfile": "edgeProfile"
        },
        "description": "This rule is searching for configuration changes. Configuration changes can override security measures and the overarching security design. Therefore audit events must be accurately tracked.",
        "displayName": "VMware SD-WAN - Orchestrator Audit Event",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-orchestrator-config-change.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"EDIT_PROFILE\"\n| extend edgeProfile = extract(\"^profile \\\\[(.+)\\\\] [a-z]+ module\", 1, message)\n| extend configAction = extract(\"^profile \\\\[.+\\\\] (.+) module\", 1, message)\n| extend edgeModule = extract(\"^profile \\\\[.+\\\\] [a-z]+ module \\\\[(.+)\\\\]$\", 1, message)\n| extend configChange = todynamic(detail).diff\n| project TimeGenerated, severity, edgeProfile, configAction, edgeModule, configChange\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}