Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware SD-WAN Edge - IDSIPS Alert triggered Syslog

Back
Ida8e2bfd2-5d9c-4acc-aa55-30029e50d574
RulenameVMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)
DescriptionThe VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.



This analytics rule analyzes Syslog streams.
SeverityHigh
TacticsLateralMovement
TechniquesT1210
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-syslog.yaml
Version1.0.0
Arm templatea8e2bfd2-5d9c-4acc-aa55-30029e50d574.json
Deploy To Azure
Syslog
| where SyslogMessage contains "VCF Alert"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend IdpsSignatureName = extract("SIGNATURE=(.+) CATEGORY=", 1, SyslogMessage)
| extend IdpsAlertCategory = extract("CATEGORY=(.+) SEVERITY=", 1, SyslogMessage)
| extend IdpsAlertSeverity = extract("SEVERITY=(.+) SRC_IP=", 1, SyslogMessage)
| extend IdpsSignatureId = extract("SIG_ID=([0-9]+) SIGNATURE=", 1, SyslogMessage)
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) SIG_ID=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=([A-Z]+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend SrcPort = extract("SPT=([0-9]+) DPT=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) SPT=", 1, SyslogMessage)
| extend DstPort = extract("DPT=(.+) DEST_DOMAIN=", 1, SyslogMessage)
| extend VictimIp = extract("TARGET_IP=(.+) TARGET_PORT=", 1, SyslogMessage)
| extend AttackerIp = extract("SRC_IP=(.+) SRC_PORT=", 1, SyslogMessage)
| extend DomainName = extract("DEST_DOMAIN=(.+) FW_POLICY_NAME=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ATP_ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("$(.+): ACTION=", 1, SyslogMessage)
| extend FwPolicyName = extract("FW_POLICY_NAME=(.+) SEGMENT_NAME=", 1, SyslogMessage)
| project
    TimeGenerated,
    IdpsSignatureName,
    IdpsAlertSeverity,
    IdpsAlertCategory,
    IdpsSignatureId,
    EdgeFwAction,
    EdgeName,
    SrcIpAddress,
    IpProtocol,
    SrcPort,
    DstIpAddress,
    DstPort,
    DomainName,
    AttackerIp,
    VictimIp,
    FwPolicyName,
    SyslogTag
relevantTechniques:
- T1210
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: DomainName
    columnName: DomainName
  entityType: DNS
- fieldMappings:
  - identifier: Address
    columnName: VictimIp
  entityType: IP
queryFrequency: 1h
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-syslog.yaml
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    matchingMethod: AllEntities
    enabled: true
    groupByCustomDetails: []
    groupByAlertDetails: []
    groupByEntities: []
    reopenClosedIncident: false
  createIncident: true
id: a8e2bfd2-5d9c-4acc-aa55-30029e50d574
query: |-
  Syslog
  | where SyslogMessage contains "VCF Alert"
  | project-rename EdgeName=HostName
  | project-away Computer, HostIP, SourceSystem, Type
  | extend IdpsSignatureName = extract("SIGNATURE=(.+) CATEGORY=", 1, SyslogMessage)
  | extend IdpsAlertCategory = extract("CATEGORY=(.+) SEVERITY=", 1, SyslogMessage)
  | extend IdpsAlertSeverity = extract("SEVERITY=(.+) SRC_IP=", 1, SyslogMessage)
  | extend IdpsSignatureId = extract("SIG_ID=([0-9]+) SIGNATURE=", 1, SyslogMessage)
  | extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) SIG_ID=", 1, SyslogMessage)
  | extend IpProtocol = extract("PROTO=([A-Z]+) SRC=", 1, SyslogMessage)
  | extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
  | extend SrcPort = extract("SPT=([0-9]+) DPT=", 1, SyslogMessage)
  | extend DstIpAddress = extract("DST=(.+) SPT=", 1, SyslogMessage)
  | extend DstPort = extract("DPT=(.+) DEST_DOMAIN=", 1, SyslogMessage)
  | extend VictimIp = extract("TARGET_IP=(.+) TARGET_PORT=", 1, SyslogMessage)
  | extend AttackerIp = extract("SRC_IP=(.+) SRC_PORT=", 1, SyslogMessage)
  | extend DomainName = extract("DEST_DOMAIN=(.+) FW_POLICY_NAME=", 1, SyslogMessage)
  | extend EdgeFwAction = extract("ATP_ACTION=(.+) SEGMENT=", 1, SyslogMessage)
  | extend SyslogTag = extract("$(.+): ACTION=", 1, SyslogMessage)
  | extend FwPolicyName = extract("FW_POLICY_NAME=(.+) SEGMENT_NAME=", 1, SyslogMessage)
  | project
      TimeGenerated,
      IdpsSignatureName,
      IdpsAlertSeverity,
      IdpsAlertCategory,
      IdpsSignatureId,
      EdgeFwAction,
      EdgeName,
      SrcIpAddress,
      IpProtocol,
      SrcPort,
      DstIpAddress,
      DstPort,
      DomainName,
      AttackerIp,
      VictimIp,
      FwPolicyName,
      SyslogTag  
customDetails:
  Edge_Name: EdgeName
  IDPS_Signature: IdpsSignatureName
  IDPS_Event_Category: IdpsAlertCategory
suppressionDuration: 5h
kind: Scheduled
tactics:
- LateralMovement
severity: High
name: VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)
triggerOperator: gt
description: |-
  The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.

  This analytics rule analyzes Syslog streams.  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a8e2bfd2-5d9c-4acc-aa55-30029e50d574')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a8e2bfd2-5d9c-4acc-aa55-30029e50d574')]",
      "properties": {
        "alertRuleTemplateName": "a8e2bfd2-5d9c-4acc-aa55-30029e50d574",
        "customDetails": {
          "Edge_Name": "EdgeName",
          "IDPS_Event_Category": "IdpsAlertCategory",
          "IDPS_Signature": "IdpsSignatureName"
        },
        "description": "The VMware SD-WAN Edge appliance captured a potentially malicious traffic flow. Please investigate the IOC information available.\n\nThis analytics rule analyzes Syslog streams.",
        "displayName": "VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DomainName",
                "identifier": "DomainName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "VictimIp",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-idps-alert-syslog.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"VCF Alert\"\n| project-rename EdgeName=HostName\n| project-away Computer, HostIP, SourceSystem, Type\n| extend IdpsSignatureName = extract(\"SIGNATURE=(.+) CATEGORY=\", 1, SyslogMessage)\n| extend IdpsAlertCategory = extract(\"CATEGORY=(.+) SEVERITY=\", 1, SyslogMessage)\n| extend IdpsAlertSeverity = extract(\"SEVERITY=(.+) SRC_IP=\", 1, SyslogMessage)\n| extend IdpsSignatureId = extract(\"SIG_ID=([0-9]+) SIGNATURE=\", 1, SyslogMessage)\n| extend OverlaySegmentName = extract(\"SEGMENT_NAME=(.+) SIG_ID=\", 1, SyslogMessage)\n| extend IpProtocol = extract(\"PROTO=([A-Z]+) SRC=\", 1, SyslogMessage)\n| extend SrcIpAddress = extract(\"SRC=(.+) DST=\", 1, SyslogMessage)\n| extend SrcPort = extract(\"SPT=([0-9]+) DPT=\", 1, SyslogMessage)\n| extend DstIpAddress = extract(\"DST=(.+) SPT=\", 1, SyslogMessage)\n| extend DstPort = extract(\"DPT=(.+) DEST_DOMAIN=\", 1, SyslogMessage)\n| extend VictimIp = extract(\"TARGET_IP=(.+) TARGET_PORT=\", 1, SyslogMessage)\n| extend AttackerIp = extract(\"SRC_IP=(.+) SRC_PORT=\", 1, SyslogMessage)\n| extend DomainName = extract(\"DEST_DOMAIN=(.+) FW_POLICY_NAME=\", 1, SyslogMessage)\n| extend EdgeFwAction = extract(\"ATP_ACTION=(.+) SEGMENT=\", 1, SyslogMessage)\n| extend SyslogTag = extract(\"$(.+): ACTION=\", 1, SyslogMessage)\n| extend FwPolicyName = extract(\"FW_POLICY_NAME=(.+) SEGMENT_NAME=\", 1, SyslogMessage)\n| project\n    TimeGenerated,\n    IdpsSignatureName,\n    IdpsAlertSeverity,\n    IdpsAlertCategory,\n    IdpsSignatureId,\n    EdgeFwAction,\n    EdgeName,\n    SrcIpAddress,\n    IpProtocol,\n    SrcPort,\n    DstIpAddress,\n    DstPort,\n    DomainName,\n    AttackerIp,\n    VictimIp,\n    FwPolicyName,\n    SyslogTag",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "LateralMovement"
        ],
        "techniques": [
          "T1210"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}