// Kusto query body of the Sentinel "VMware SD-WAN Edge - Device Congestion
// Alert - Packet Drops" rule (the same text appears in the YAML `query:` field
// further down this page).
VMware_VECO_EventLogs_CL
// Keep only the orchestrator's EDGE_CONGESTED events.
| where event == "EDGE_CONGESTED"
// Narrow to the packet-drop variant by matching free-text message wording.
// `contains` is case-insensitive in KQL; a change in the vendor's message
// text would silently stop this rule from matching.
| where message contains "high number of packet drops"
// Extract the edge serial from the free-text detail field.  Assumes `detail`
// ends with "edgeSerialNumber: <value>" — TODO confirm against a sample event;
// if the pattern is absent, extract() yields an empty value.
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml
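# Microsoft Sentinel scheduled analytic rule for VMware SD-WAN (VECO) edge
# congestion events.  As pasted, every nested key was flushed to column 0,
# which makes `incidentConfiguration:` null, leaves `dataTypes:` dangling
# outside its connector entry, and puts the `query: |-` block-scalar content
# at the key's own indent (a parse error).  Indentation is reconstructed here
# from the Sentinel rule schema; key order and values are unchanged.
suppressionEnabled: false
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    # NOTE(review): AllEntities grouping with no entityMappings in this file —
    # confirm which entities (if any) the platform derives for grouping.
    matchingMethod: AllEntities
    lookbackDuration: 5h
    groupByCustomDetails: []
    groupByEntities: []
    enabled: true
    groupByAlertDetails: []
  createIncident: true
suppressionDuration: 5h
queryPeriod: 1h
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
eventGroupingSettings:
  # One alert per query run, regardless of how many congested edges matched.
  aggregationKind: SingleAlert
customDetails:
  # Surfaces the serial extracted by the query's `extend` on the alert.
  edgeSerialNumber: edgeSerialNumber
# Three dotted components, so this stays a string without quoting.
version: 1.0.0
description: The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
severity: Medium
tactics:
  - Impact
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - SDWAN
queryFrequency: 1h
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
# With triggerOperator gt and threshold 0, a single matching row in the
# queryPeriod raises the alert.
triggerThreshold: 0
# The second `where` keys on vendor message wording ("high number of packet
# drops"); a wording change upstream silently breaks the detection.  The
# extract() assumes `detail` ends with "edgeSerialNumber: <value>" — confirm
# against a sample event.
query: |-
  VMware_VECO_EventLogs_CL
  | where event == "EDGE_CONGESTED"
  | where message contains "high number of packet drops"
  | extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
relevantTechniques:
  - T1498
kind: Scheduled
triggerOperator: gt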