VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
suppressionEnabled: false
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
kind: Scheduled
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
incidentConfiguration:
groupingConfiguration:
enabled: true
groupByEntities: []
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
groupByCustomDetails: []
groupByAlertDetails: []
createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
severity: Informational
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
suppressionDuration: 5h
customDetails:
Client_MAC_Address: client_mac
DHCP_Parameter_List: dhcp_param_list
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
queryPeriod: 1h
query: |+
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
alertDetailsOverride:
alertDynamicProperties: []
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
queryFrequency: 1h
entityMappings:
- entityType: Host
fieldMappings:
- columnName: hostname
identifier: HostName
- columnName: os_description
identifier: OSFamily
- columnName: os_version
identifier: OSVersion
- entityType: IP
fieldMappings:
- columnName: client_ipv4addr
identifier: Address
triggerOperator: gt
version: 1.0.0
