VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
queryPeriod: 1h
suppressionEnabled: false
kind: Scheduled
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
tactics:
- Impact
customDetails:
edgeSerialNumber: edgeSerialNumber
suppressionDuration: 5h
triggerOperator: gt
query: |-
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
queryFrequency: 1h
incidentConfiguration:
groupingConfiguration:
lookbackDuration: 5h
reopenClosedIncident: false
groupByEntities: []
matchingMethod: AllEntities
enabled: true
groupByAlertDetails: []
groupByCustomDetails: []
createIncident: true
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
requiredDataConnectors:
- dataTypes:
- SDWAN
connectorId: VMwareSDWAN
version: 1.0.0
relevantTechniques:
- T1498
severity: Medium
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
"properties": {
"alertRuleTemplateName": "a88ead0a-f022-48d6-8f53-e5a164c4c72e",
"customDetails": {
"edgeSerialNumber": "edgeSerialNumber"
},
"description": "The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.",
"displayName": "VMware SD-WAN Edge - Device Congestion Alert - Packet Drops",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"EDGE_CONGESTED\"\n| where message contains \"high number of packet drops\"\n| extend edgeSerialNumber = extract(\"edgeSerialNumber: (.+)$\", 1, detail)",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Impact"
],
"techniques": [
"T1498"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}