VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
customDetails:
Client_MAC_Address: client_mac
DHCP_Parameter_List: dhcp_param_list
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
severity: Informational
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
queryPeriod: 1h
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: hostname
- identifier: OSFamily
columnName: os_description
- identifier: OSVersion
columnName: os_version
entityType: Host
- fieldMappings:
- identifier: Address
columnName: client_ipv4addr
entityType: IP
incidentConfiguration:
groupingConfiguration:
groupByAlertDetails: []
lookbackDuration: 1h
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
matchingMethod: AllEntities
enabled: true
createIncident: true
queryFrequency: 1h
suppressionDuration: 5h
alertDetailsOverride:
alertDynamicProperties: []
query: |+
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
kind: Scheduled
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
triggerOperator: gt
