VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
severity: Informational
eventGroupingSettings:
aggregationKind: AlertPerResult
queryPeriod: 1h
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
entityMappings:
- fieldMappings:
- columnName: hostname
identifier: HostName
- columnName: os_description
identifier: OSFamily
- columnName: os_version
identifier: OSVersion
entityType: Host
- fieldMappings:
- columnName: client_ipv4addr
identifier: Address
entityType: IP
version: 1.0.0
suppressionEnabled: false
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
queryFrequency: 1h
triggerThreshold: 0
triggerOperator: gt
incidentConfiguration:
groupingConfiguration:
groupByEntities: []
lookbackDuration: 1h
enabled: true
matchingMethod: AllEntities
reopenClosedIncident: false
groupByCustomDetails: []
groupByAlertDetails: []
createIncident: true
query: |+
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
suppressionDuration: 5h
customDetails:
Client_MAC_Address: client_mac
DHCP_Parameter_List: dhcp_param_list
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
alertDetailsOverride:
alertDynamicProperties: []
kind: Scheduled
