VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
triggerThreshold: 0
severity: Medium
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
matchingMethod: AllEntities
reopenClosedIncident: false
groupByEntities: []
lookbackDuration: 5h
groupByCustomDetails: []
groupByAlertDetails: []
queryFrequency: 1h
queryPeriod: 1h
suppressionEnabled: false
customDetails:
edgeSerialNumber: edgeSerialNumber
relevantTechniques:
- T1498
triggerOperator: gt
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- SDWAN
version: 1.0.0
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
query: |-
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
tactics:
- Impact
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"properties": {
"alertRuleTemplateName": "a88ead0a-f022-48d6-8f53-e5a164c4c72e",
"customDetails": {
"edgeSerialNumber": "edgeSerialNumber"
},
"description": "The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.",
"displayName": "VMware SD-WAN Edge - Device Congestion Alert - Packet Drops",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"EDGE_CONGESTED\"\n| where message contains \"high number of packet drops\"\n| extend edgeSerialNumber = extract(\"edgeSerialNumber: (.+)$\", 1, detail)",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}
