VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail
suppressionEnabled: false
id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
suppressionDuration: 5h
query: |+
VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
enabled: false
groupByCustomDetails: []
lookbackDuration: 5h
groupByEntities: []
matchingMethod: AllEntities
triggerThreshold: 0
kind: Scheduled
severity: Informational
queryPeriod: 1h
customDetails:
idpsSignatureVersion: idpsSignatureVersion
edgeSerialNumber: edgeSerialNumber
queryFrequency: 1h
triggerOperator: gt
alertDetailsOverride:
alertDynamicProperties: []
alertDescriptionFormat: '{{message}} '
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
version: 1.0.0
