Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected

Back
Id69c0644f-4ad5-41b6-9e09-a94c072ab80e
RulenameVMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
DescriptionThis analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
Version1.0.0
Arm template69c0644f-4ad5-41b6-9e09-a94c072ab80e.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| extend details = todynamic(detail)
| evaluate bag_unpack(details)
| where event == "EDGE_NEW_DEVICE"
customDetails:
  Client_MAC_Address: client_mac
  DHCP_Parameter_List: dhcp_param_list
id: 69c0644f-4ad5-41b6-9e09-a94c072ab80e
alertDetailsOverride:
  alertDynamicProperties: []
query: |+
  VMware_VECO_EventLogs_CL
  | extend details = todynamic(detail)
  | evaluate bag_unpack(details)
  | where event == "EDGE_NEW_DEVICE"  

suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml
description: This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.
name: VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    groupByCustomDetails: []
  createIncident: true
suppressionEnabled: false
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: hostname
  - identifier: OSFamily
    columnName: os_description
  - identifier: OSVersion
    columnName: os_version
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: client_ipv4addr
triggerThreshold: 0
severity: Informational
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
eventGroupingSettings:
  aggregationKind: AlertPerResult
queryFrequency: 1h
queryPeriod: 1h
version: 1.0.0
kind: Scheduled
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/69c0644f-4ad5-41b6-9e09-a94c072ab80e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/69c0644f-4ad5-41b6-9e09-a94c072ab80e')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "69c0644f-4ad5-41b6-9e09-a94c072ab80e",
        "customDetails": {
          "Client_MAC_Address": "client_mac",
          "DHCP_Parameter_List": "dhcp_param_list"
        },
        "description": "This analytics rule creates notifications of newly connected devices. These clients are connected to the LAN interface of the Edge.",
        "displayName": "VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "hostname",
                "identifier": "HostName"
              },
              {
                "columnName": "os_description",
                "identifier": "OSFamily"
              },
              {
                "columnName": "os_version",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "client_ipv4addr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-lanside-devicedetect.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| extend details = todynamic(detail)\n| evaluate bag_unpack(details)\n| where event == \"EDGE_NEW_DEVICE\"\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}