VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

Back


Id	6364be84-9f13-4fd8-8b4a-8ccb43a89376
Rulename	VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
Description	The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
Severity	Informational
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
Version	1.0.0
Arm template	6364be84-9f13-4fd8-8b4a-8ccb43a89376.json

KQL

VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

YAML

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    groupByEntities: []
    groupByCustomDetails: []
    groupByAlertDetails: []
    matchingMethod: AllEntities
    reopenClosedIncident: false
id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: '{{message}} '
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

severity: Informational
customDetails:
  idpsSignatureVersion: idpsSignatureVersion
  edgeSerialNumber: edgeSerialNumber
triggerOperator: gt
kind: Scheduled
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
suppressionEnabled: false
version: 1.0.0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{message}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "6364be84-9f13-4fd8-8b4a-8ccb43a89376",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber",
          "idpsSignatureVersion": "idpsSignatureVersion"
        },
        "description": "The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}