// Detection query: VECO edge-congestion events that report packet drops, with the
// reporting Edge's serial number pulled out so the alert can identify the appliance.
VMware_VECO_EventLogs_CL
| where event == "EDGE_CONGESTED"
// `contains` is a case-insensitive substring match; it will also match longer
// variants of this phrase. NOTE(review): confirm the exact message text emitted by
// the Orchestrator before tightening this to a term match.
| where message contains "high number of packet drops"
// Serial number is parsed from the free-text `detail` column. The greedy `(.+)$`
// runs to end of string, so this presumably relies on `edgeSerialNumber:` being the
// last field in `detail` — verify against a sample row. When the pattern is absent
// the extracted value is expected to be empty; confirm how downstream consumers
// treat that.
| extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
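# Microsoft Sentinel scheduled analytic rule for VMware SD-WAN (VECO) edge congestion.
# Re-indented into valid block YAML: the `query` block scalar and the
# `requiredDataConnectors` entries were not nested under their keys.
id: a88ead0a-f022-48d6-8f53-e5a164c4c72e
name: VMware SD-WAN Edge - Device Congestion Alert - Packet Drops
description: >-
  The VMware Edge Cloud Orchestrator reported an edge congestion event, where the Edge is dropping a large number of packets on one of its interfaces. This could indicate an ongoing Denial of Service attack against an appliance. Please make sure that Network Flood Protection is turned on.
severity: Medium
kind: Scheduled
version: 1.0.0
enabled: true
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-device-congestion.yaml'

requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - SDWAN

# Impact / T1498 (Network Denial of Service): the description treats sustained
# packet drops as a possible DoS indicator, not as confirmed malicious activity.
tactics:
  - Impact
relevantTechniques:
  - T1498

# Runs hourly over the previous hour. Lookback equals frequency, so events that
# arrive in Log Analytics late (ingestion delay) can fall between two runs;
# NOTE(review): consider a queryPeriod slightly longer than queryFrequency if
# missed events matter more than an occasional duplicate alert.
queryFrequency: 1h
queryPeriod: 1h
query: |-
  VMware_VECO_EventLogs_CL
  | where event == "EDGE_CONGESTED"
  | where message contains "high number of packet drops"
  | extend edgeSerialNumber = extract("edgeSerialNumber: (.+)$", 1, detail)
# `gt 0`: a single matching event is enough to raise the alert. With SingleAlert
# aggregation, one alert per run carries every matching row from that hour.
triggerOperator: gt
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: SingleAlert

# The extracted serial number is surfaced on the alert so responders can tell
# which Edge is congested. No entityMappings are defined in this rule;
# NOTE(review): mapping edgeSerialNumber to an entity would let incident grouping
# and entity pages work on it — confirm the appropriate entity type before adding.
customDetails:
  edgeSerialNumber: edgeSerialNumber

# suppressionDuration has no effect while suppression is disabled; a persistently
# congested Edge will therefore produce a new alert every hour.
suppressionEnabled: false
suppressionDuration: 5h

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    # AllEntities matching with no entity mappings has nothing to match on;
    # NOTE(review): verify in the portal whether hourly alerts for the same Edge
    # actually group. Switching to `matchingMethod: Selected` with
    # `groupByCustomDetails: [edgeSerialNumber]` would group per appliance.
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []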