VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: hostname
- identifier: OSFamily
columnName: os_description
- identifier: OSVersion
columnName: os_version
- entityType: IP
fieldMappings:
- identifier: Address
columnName: client_ipv4addr
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
suppressionDuration: 5h
severity: Informational
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
queryPeriod: 1h
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
query: |+
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
kind: Scheduled
triggerOperator: gt
customDetails:
DHCP_Parameter_List: dhcp_param_list
Client_MAC_Address: client_mac
queryFrequency: 1h
alertDetailsOverride:
alertDynamicProperties: []
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
groupByAlertDetails: []
groupByEntities: []
lookbackDuration: 1h
enabled: true
groupByCustomDetails: []
matchingMethod: AllEntities
version: 1.0.0
triggerThreshold: 0
