VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
Id | a88ead0a-f022-48d6-8f53-e5a164c4c72e |
Rulename | VMware SD-WAN Edge - Device Congestion Alert - Packet Drops |
Description | The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on. |
Severity | Medium |
Tactics | Impact |
Techniques | T1498 |
Required data connectors | VMwareSDWAN |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml |
Version | 1.0.0 |
Arm template | a88ead0a-f022-48d6-8f53-e5a164c4c72e.json |
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
query: |-
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
suppressionEnabled: false
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 5h
reopenClosedIncident: false
groupByEntities: []
groupByAlertDetails: []
matchingMethod: AllEntities
enabled: true
groupByCustomDetails: []
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
suppressionDuration: 5h
queryPeriod: 1h
version: 1.0.0
tactics:
- Impact
triggerOperator: gt
relevantTechniques:
- T1498
customDetails:
edgeSerialNumber: edgeSerialNumber
severity: Medium
kind: Scheduled
queryFrequency: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"properties": {
"alertRuleTemplateName": "a88ead0a-f022-48d6-8f53-e5a164c4c72e",
"customDetails": {
"edgeSerialNumber": "edgeSerialNumber"
},
"description": "The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.",
"displayName": "VMware SD-WAN Edge - Device Congestion Alert - Packet Drops",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"EDGE_CONGESTED\"\n| where message contains \"high number of packet drops\"\n| extend edgeSerialNumber = extract(\"edgeSerialNumber: (.+)$\", 1, detail)",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}