Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected

VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected

Back
Id69c0644f-4ad5-41b6-9e09-a94c072ab80e
RulenameVMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
DescriptionThis analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
Version1.0.0
Arm template69c0644f-4ad5-41b6-9e09-a94c072ab80e.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"

suppressionEnabled: false
entityMappings:
- fieldMappings:
  - columnName: hostname
    identifier: HostName
  - columnName: os_description
    identifier: OSFamily
  - columnName: os_version
    identifier: OSVersion
  entityType: Host
- fieldMappings:
  - columnName: client_ipv4addr
    identifier: Address
  entityType: IP
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: 1h
    groupByAlertDetails: []
  createIncident: true
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
suppressionDuration: 5h
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
customDetails:
  DHCP_Parameter_List: dhcp_param_list
  Client_MAC_Address: client_mac
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - SDWAN
triggerOperator: gt
alertDetailsOverride:
  alertDynamicProperties: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
queryFrequency: 1h
query: |+
  VMware_VECO_EventLogs_CL
  | extend details = todynamic(detail)
  | evaluate bag_unpack(details)
  | where event == "EDGE_NEW_DEVICE"  

severity: Informational
queryPeriod: 1h
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
triggerThreshold: 0
kind: Scheduled