kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
queryFrequency: 1h
suppressionDuration: 5h
id: b26a7d97-6b6e-43ab-870e-eb18460ae602
queryPeriod: 1h
version: 1.0.0
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "CWS_EVENT"
  | extend cwsPolicyAction = todynamic(detail).subEvent
  | where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
  | extend cwsPolicyName = todynamic(detail).policyName
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |-
    CWS Policy Published: {{cwsPolicyName}}
    During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
suppressionEnabled: false
name: VMware Cloud Web Security - Policy Publish Event
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    lookbackDuration: 1h
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
    groupByAlertDetails: []
    groupByEntities: []
  createIncident: true
severity: Informational
triggerThreshold: 0
description: This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml
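Added example, not part of the rule above or of the Azure-Sentinel repository: a Python emulation of this rule's query, trigger condition and alert rendering over constructed rows, showing why the `detail` column has to go through todynamic() and which rows each filter drops. The row layout, the sample values and the empty rendering of a missing policyName are assumptions.

```python
import json

# Constructed sample rows in the shape of VMware_VECO_EventLogs_CL (not real telemetry).
# "detail" arrives as a JSON string, which is why the KQL calls todynamic(detail).
SAMPLE_ROWS = [
    {"event": "CWS_EVENT", "detail": '{"subEvent": "CWS_POLICY_PUBLISHED", "policyName": "Corp-Web-Policy"}'},
    {"event": "CWS_EVENT", "detail": '{"subEvent": "CWS_POLICY_SAVED", "policyName": "Corp-Web-Policy"}'},
    {"event": "EDGE_EVENT", "detail": '{"subEvent": "CWS_POLICY_PUBLISHED"}'},   # wrong event type
    {"event": "CWS_EVENT", "detail": "not json"},                                # unparseable detail
    {"event": "CWS_EVENT", "detail": '{"subEvent": "CWS_POLICY_PUBLISHED"}'},    # no policyName
]

# First line of the rule's alertDescriptionFormat; {{column}} is filled from each result row.
ALERT_DESCRIPTION_FORMAT = "CWS Policy Published: {{cwsPolicyName}}"
TRIGGER_THRESHOLD = 0  # triggerOperator: gt, triggerThreshold: 0


def todynamic(value):
    """Mimic KQL todynamic(): parse JSON, return None (KQL null) when it cannot be parsed."""
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return None


def run_rule(rows):
    """Apply the query's where/extend steps row by row and return the projected result set."""
    results = []
    for row in rows:
        if row.get("event") != "CWS_EVENT":
            continue
        detail = todynamic(row.get("detail"))
        # A null or non-object detail yields a null subEvent, so the equality test fails.
        action = detail.get("subEvent") if isinstance(detail, dict) else None
        if action != "CWS_POLICY_PUBLISHED":
            continue
        results.append({**row, "cwsPolicyAction": action, "cwsPolicyName": detail.get("policyName")})
    return results


def should_trigger(results):
    """Scheduled rule fires when the result count is greater than triggerThreshold."""
    return len(results) > TRIGGER_THRESHOLD


def render_alerts(results):
    """aggregationKind AlertPerResult: one alert per row. A missing policyName renders as empty (assumption)."""
    alerts = []
    for r in results:
        name = r["cwsPolicyName"]
        alerts.append(ALERT_DESCRIPTION_FORMAT.replace("{{cwsPolicyName}}", "" if name is None else str(name)))
    return alerts
```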