name: VMware Cloud Web Security - Policy Publish Event
version: 1.0.0
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |-
    CWS Policy Published: {{cwsPolicyName}}
    During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might affect CWS Data Plane traffic.
kind: Scheduled
eventGroupingSettings:
  aggregationKind: AlertPerResult
description: This alert captures events in which VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might affect CWS Data Plane traffic.
queryPeriod: 1h
id: b26a7d97-6b6e-43ab-870e-eb18460ae602
triggerThreshold: 0
queryFrequency: 1h
severity: Informational
suppressionEnabled: false
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml
query: |+
  // Orchestrator event log ingested by the VMware SD-WAN connector
  VMware_VECO_EventLogs_CL
  // Keep only Cloud Web Security events
  | where event == "CWS_EVENT"
  // The detail column holds a JSON document; subEvent names the CWS action
  | extend cwsPolicyAction = todynamic(detail).subEvent
  | where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
  // Surface the published policy name for the alert description
  | extend cwsPolicyName = todynamic(detail).policyName
triggerOperator: gt
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities: []
    reopenClosedIncident: false
    enabled: true
    groupByCustomDetails: []
    matchingMethod: AllEntities
    lookbackDuration: 1h
    groupByAlertDetails: []