Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

Back
Id6364be84-9f13-4fd8-8b4a-8ccb43a89376
RulenameVMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
DescriptionThe VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
Version1.0.0
Arm template6364be84-9f13-4fd8-8b4a-8ccb43a89376.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
queryFrequency: 1h
incidentConfiguration:
  groupingConfiguration:
    groupByEntities: []
    matchingMethod: AllEntities
    enabled: false
    groupByCustomDetails: []
    lookbackDuration: 5h
    groupByAlertDetails: []
    reopenClosedIncident: false
  createIncident: true
triggerThreshold: 0
severity: Informational
alertDetailsOverride:
  alertDescriptionFormat: '{{message}} '
  alertDynamicProperties: []
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
version: 1.0.0
queryPeriod: 1h
triggerOperator: gt
customDetails:
  edgeSerialNumber: edgeSerialNumber
  idpsSignatureVersion: idpsSignatureVersion
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
kind: Scheduled
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.