VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
| extend cwsPolicyName = todynamic(detail).policyName
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- CWS
connectorId: VMwareSDWAN
triggerOperator: gt
version: 1.0.0
queryFrequency: 1h
severity: Informational
description: This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
triggerThreshold: 0
suppressionDuration: 5h
alertDetailsOverride:
alertDynamicProperties: []
alertDescriptionFormat: |-
CWS Policy Published: {{cwsPolicyName}}
During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
name: VMware Cloud Web Security - Policy Publish Event
query: |+
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
| extend cwsPolicyName = todynamic(detail).policyName
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByCustomDetails: []
matchingMethod: AllEntities
groupByAlertDetails: []
groupByEntities: []
lookbackDuration: 1h
enabled: true
reopenClosedIncident: false
queryPeriod: 1h
kind: Scheduled
id: b26a7d97-6b6e-43ab-870e-eb18460ae602
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
