Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware Cloud Web Security - Policy Publish Event

VMware Cloud Web Security - Policy Publish Event

Back
Idb26a7d97-6b6e-43ab-870e-eb18460ae602
RulenameVMware Cloud Web Security - Policy Publish Event
DescriptionThis alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
SeverityInformational
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml
Version1.0.0
Arm templateb26a7d97-6b6e-43ab-870e-eb18460ae602.json
Deploy To Azure
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
| extend cwsPolicyName = todynamic(detail).policyName

description: This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
query: |+
  VMware_VECO_EventLogs_CL
  | where event == "CWS_EVENT"
  | extend cwsPolicyAction = todynamic(detail).subEvent
  | where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
  | extend cwsPolicyName = todynamic(detail).policyName  

triggerThreshold: 0
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: true
    lookbackDuration: 1h
    matchingMethod: AllEntities
    groupByEntities: []
severity: Informational
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml
requiredDataConnectors:
- dataTypes:
  - CWS
  connectorId: VMwareSDWAN
name: VMware Cloud Web Security - Policy Publish Event
kind: Scheduled
alertDetailsOverride:
  alertDynamicProperties: []
  alertDescriptionFormat: |-
    CWS Policy Published: {{cwsPolicyName}}

    During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.    
id: b26a7d97-6b6e-43ab-870e-eb18460ae602
suppressionDuration: 5h
triggerOperator: gt
queryFrequency: 1h
version: 1.0.0
suppressionEnabled: false

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26a7d97-6b6e-43ab-870e-eb18460ae602')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26a7d97-6b6e-43ab-870e-eb18460ae602')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "CWS Policy Published: {{cwsPolicyName}}\n\nDuring publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.",
          "alertDynamicProperties": []
        },
        "alertRuleTemplateName": "b26a7d97-6b6e-43ab-870e-eb18460ae602",
        "customDetails": null,
        "description": "This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.",
        "displayName": "VMware Cloud Web Security - Policy Publish Event",
        "enabled": true,
        "entityMappings": null,
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policy-publish.yaml",
        "query": "VMware_VECO_EventLogs_CL\n| where event == \"CWS_EVENT\"\n| extend cwsPolicyAction = todynamic(detail).subEvent\n| where cwsPolicyAction == \"CWS_POLICY_PUBLISHED\"\n| extend cwsPolicyName = todynamic(detail).policyName\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Informational",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}