VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
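# Microsoft Sentinel scheduled analytic rule (VMware SD-WAN solution).
# Alerts on VECO "EDGE_CONGESTED" events whose message reports a high number
# of packet drops; the affected Edge's serial number is surfaced via customDetails.
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
severity: Medium
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - SDWAN
# queryPeriod equals queryFrequency, so consecutive runs do not overlap.
queryFrequency: 1h
queryPeriod: 1h
# gt 0: a single matching event within the window is enough to trigger.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Impact
relevantTechniques:
  - T1498
query: |-
  VMware_VECO_EventLogs_CL
  | where event == "EDGE_CONGESTED"
  | where message contains "high number of packet drops"
  | extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
# No entityMappings are declared in this rule; the serial number extracted
# above is only carried on the alert as a custom detail.
customDetails:
  edgeSerialNumber: edgeSerialNumber
eventGroupingSettings:
  aggregationKind: SingleAlert
# suppressionDuration is retained but inactive while suppressionEnabled is false.
suppressionEnabled: false
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    # NOTE(review): every groupBy* list is empty and the query maps no
    # entities; confirm that AllEntities grouping behaves as intended here.
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
version: 1.0.0
kind: Scheduled
# Quoted because the path contains spaces.
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml"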