VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

Back


Id	6364be84-9f13-4fd8-8b4a-8ccb43a89376
Rulename	VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
Description	The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
Severity	Informational
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
Version	1.0.0
Arm template	6364be84-9f13-4fd8-8b4a-8ccb43a89376.json

KQL

VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

YAML

triggerOperator: gt
triggerThreshold: 0
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
queryPeriod: 1h
severity: Informational
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: 5h
kind: Scheduled
queryFrequency: 1h
alertDetailsOverride:
  alertDescriptionFormat: '{{message}} '
  alertDynamicProperties: []
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
customDetails:
  edgeSerialNumber: edgeSerialNumber
  idpsSignatureVersion: idpsSignatureVersion
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    groupByAlertDetails: []
    groupByEntities: []
    enabled: false
    lookbackDuration: 5h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
version: 1.0.0

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{message}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "6364be84-9f13-4fd8-8b4a-8ccb43a89376",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber",
          "idpsSignatureVersion": "idpsSignatureVersion"
        },
        "description": "The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}