VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

Back


Id	6364be84-9f13-4fd8-8b4a-8ccb43a89376
Rulename	VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
Description	The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
Severity	Informational
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
Version	1.0.0
Arm template	6364be84-9f13-4fd8-8b4a-8ccb43a89376.json

KQL

VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

YAML

kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDescriptionFormat: '{{message}} '
  alertDynamicProperties: []
suppressionDuration: 5h
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
severity: Informational
queryFrequency: 1h
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    enabled: false
    groupByCustomDetails: []
    groupByEntities: []
    groupByAlertDetails: []
  createIncident: true
triggerThreshold: 0
suppressionEnabled: false
customDetails:
  idpsSignatureVersion: idpsSignatureVersion
  edgeSerialNumber: edgeSerialNumber
version: 1.0.0
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{message}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "6364be84-9f13-4fd8-8b4a-8ccb43a89376",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber",
          "idpsSignatureVersion": "idpsSignatureVersion"
        },
        "description": "The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}