VMware SD-WAN Edge - IDSIPS Signature Update Succeeded

Back


Id	6364be84-9f13-4fd8-8b4a-8ccb43a89376
Rulename	VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
Description	The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
Severity	Informational
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
Version	1.0.0
Arm template	6364be84-9f13-4fd8-8b4a-8ccb43a89376.json

KQL

VMware_VECO_EventLogs_CL
| where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
| extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
| extend todynamic(detail).edgeSerialNumber
| extend todynamic(detail).data
| project-rename idpsSignatureData = detail_data
| project-rename edgeSerialNumber = detail_edgeSerialNumber
| project-away detail

YAML

id: 6364be84-9f13-4fd8-8b4a-8ccb43a89376
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionEnabled: false
severity: Informational
customDetails:
  edgeSerialNumber: edgeSerialNumber
  idpsSignatureVersion: idpsSignatureVersion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: '{{message}} '
version: 1.0.0
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED"
  | extend idpsSignatureVersion = extract("\"version\":\"([0-9]+)\"", 1, tostring(todynamic(detail).data))
  | extend todynamic(detail).edgeSerialNumber
  | extend todynamic(detail).data
  | project-rename idpsSignatureData = detail_data
  | project-rename edgeSerialNumber = detail_edgeSerialNumber
  | project-away detail  

queryPeriod: 1h
triggerOperator: gt
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    groupByAlertDetails: []
    groupByCustomDetails: []
    enabled: false
    groupByEntities: []
    matchingMethod: AllEntities
    lookbackDuration: 5h
  createIncident: true
suppressionDuration: 5h
description: The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.
name: VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded
kind: Scheduled
queryFrequency: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6364be84-9f13-4fd8-8b4a-8ccb43a89376')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{message}} ",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "6364be84-9f13-4fd8-8b4a-8ccb43a89376",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber",
          "idpsSignatureVersion": "idpsSignatureVersion"
        },
        "description": "The VMware SD-WAN Edge Management Plane reported a successful IDS/IPS signature update. New signatures might impact Data Plane traffic, therefore an audit event is generated.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-update-success.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"MGD_ATPUP_APPLY_IDPS_SIGNATURE_SUCCEEDED\"\n| extend idpsSignatureVersion = extract(\"\\\"version\\\":\\\"([0-9]+)\\\"\", 1, tostring(todynamic(detail).data))\n| extend todynamic(detail).edgeSerialNumber\n| extend todynamic(detail).data\n| project-rename idpsSignatureData = detail_data\n| project-rename edgeSerialNumber = detail_edgeSerialNumber\n| project-away detail\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}