VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
relevantTechniques:
- T1498
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
groupByCustomDetails: []
groupByAlertDetails: []
enabled: true
reopenClosedIncident: false
matchingMethod: AllEntities
groupByEntities: []
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
triggerThreshold: 0
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
tactics:
- Impact
version: 1.0.0
customDetails:
edgeSerialNumber: edgeSerialNumber
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
queryPeriod: 1h
kind: Scheduled
eventGroupingSettings:
aggregationKind: SingleAlert
suppressionDuration: 5h
queryFrequency: 1h
severity: Medium
suppressionEnabled: false
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
query: |-
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"properties": {
"alertRuleTemplateName": "a88ead0a-f022-48d6-8f53-e5a164c4c72e",
"customDetails": {
"edgeSerialNumber": "edgeSerialNumber"
},
"description": "The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.",
"displayName": "VMware SD-WAN Edge - Device Congestion Alert - Packet Drops",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"EDGE_CONGESTED\"\n| where message contains \"high number of packet drops\"\n| extend edgeSerialNumber = extract(\"edgeSerialNumber: (.+)$\", 1, detail)",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}
