Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware SD-WAN Edge - Device Congestion Alert - Packet Drops

Back
Ida88ead0a-f022-48d6-8f53-e5a164c4c72e
RulenameVMware SD-WAN Edge - Device Congestion Alert - Packet Drops
DescriptionThe VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
SeverityMedium
TacticsImpact
TechniquesT1498
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
Version1.0.0
Arm templatea88ead0a-f022-48d6-8f53-e5a164c4c72e.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
| where message contains "high number of packet drops"
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
kind: Scheduled
suppressionEnabled: false
query: |-
  VMware_VECO_EventLogs_CL
  | where event == "EDGE_CONGESTED"
  | where message contains "high number of packet drops"
  | extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)  
relevantTechniques:
- T1498
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 1h
customDetails:
  edgeSerialNumber: edgeSerialNumber
tactics:
- Impact
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    groupByEntities: []
    lookbackDuration: 5h
    groupByCustomDetails: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
queryFrequency: 1h
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
severity: Medium
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a88ead0a-f022-48d6-8f53-e5a164c4c72e')]",
      "properties": {
        "alertRuleTemplateName": "a88ead0a-f022-48d6-8f53-e5a164c4c72e",
        "customDetails": {
          "edgeSerialNumber": "edgeSerialNumber"
        },
        "description": "The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.",
        "displayName": "VMware SD-WAN Edge - Device Congestion Alert - Packet Drops",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"EDGE_CONGESTED\"\n| where message contains \"high number of packet drops\"\n| extend edgeSerialNumber = extract(\"edgeSerialNumber: (.+)$\", 1, detail)",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1498"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}