Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

Back
Id840b050f-842b-4264-8973-d4f9b65facb5
RulenameVMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
DescriptionThe VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check.



Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface.



RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system.



An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.



This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.
SeverityLow
TacticsImpact
TechniquesT1498
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-rpfcheck.yaml
Version1.0.0
Arm template840b050f-842b-4264-8973-d4f9b65facb5.json
Deploy To Azure
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "Reverse path forwarding check fail"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
    TimeGenerated,
    EdgeFwAction,
    EdgeName,
    SrcIpAddress,
    IpProtocol,
    DstIpAddress,
    pcktCount,
    SyslogTag

relevantTechniques:
- T1498
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    groupByCustomDetails: []
    groupByAlertDetails: []
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    groupByEntities: []
name: VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SrcIpAddress
  entityType: IP
triggerThreshold: 0
id: 840b050f-842b-4264-8973-d4f9b65facb5
tactics:
- Impact
version: 1.0.0
customDetails:
  Edge_Name: EdgeName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-rpfcheck.yaml
queryPeriod: 1h
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
queryFrequency: 1h
severity: Low
suppressionEnabled: false
description: |-
  The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check.

  Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface.

  RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system.

  An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.

  This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.  
query: |+
  Syslog
  | where SyslogMessage contains "VCF Drop"
  | where SyslogMessage contains "Reverse path forwarding check fail"
  | project-rename EdgeName=HostName
  | project-away Computer, HostIP, SourceSystem, Type
  | extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
  | extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
  | extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
  | extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
  | extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
  | extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
  | extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
  | project
      TimeGenerated,
      EdgeFwAction,
      EdgeName,
      SrcIpAddress,
      IpProtocol,
      DstIpAddress,
      pcktCount,
      SyslogTag  

triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/840b050f-842b-4264-8973-d4f9b65facb5')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/840b050f-842b-4264-8973-d4f9b65facb5')]",
      "properties": {
        "alertRuleTemplateName": "840b050f-842b-4264-8973-d4f9b65facb5",
        "customDetails": {
          "Edge_Name": "EdgeName"
        },
        "description": "The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check.\n\nReverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface.\n\nRPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system.\n\nAn IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.\n\nThis analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.",
        "displayName": "VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-rpfcheck.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"VCF Drop\"\n| where SyslogMessage contains \"Reverse path forwarding check fail\"\n| project-rename EdgeName=HostName\n| project-away Computer, HostIP, SourceSystem, Type\n| extend OverlaySegmentName = extract(\"SEGMENT_NAME=(.+) COUNT=\", 1, SyslogMessage)\n| extend IpProtocol = extract(\"PROTO=(.+) SRC=\", 1, SyslogMessage)\n| extend SrcIpAddress = extract(\"SRC=(.+) DST=\", 1, SyslogMessage)\n| extend DstIpAddress = extract(\"DST=(.+) REASON=\", 1, SyslogMessage)\n| extend EdgeFwAction = extract(\"ACTION=(.+) SEGMENT=\", 1, SyslogMessage)\n| extend SyslogTag = extract(\"^(.+): ACTION=\", 1, SyslogMessage)\n| extend pcktCount = extract(\"COUNT=([0-9]+)$\", 1, SyslogMessage)\n| project\n    TimeGenerated,\n    EdgeFwAction,\n    EdgeName,\n    SrcIpAddress,\n    IpProtocol,\n    DstIpAddress,\n    pcktCount,\n    SyslogTag\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}