Analytic rule catalog
VMware Cloud Web Security - Policy Publish Event
Back
| Id | b26a7d97-6b6e-43ab-870e-eb18460ae602 |
| Rulename | VMware Cloud Web Security - Policy Publish Event |
| Description | This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic. |
| Severity | Informational |
| Required data connectors | VMwareSDWAN |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 1h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cws-policy-publish.yaml |
| Version | 1.0.0 |
| Arm template | b26a7d97-6b6e-43ab-870e-eb18460ae602.json |
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
| extend cwsPolicyName = todynamic(detail).policyName
queryPeriod: 1h
kind: Scheduled
suppressionEnabled: false
query: |+
VMware_VECO_EventLogs_CL
| where event == "CWS_EVENT"
| extend cwsPolicyAction = todynamic(detail).subEvent
| where cwsPolicyAction == "CWS_POLICY_PUBLISHED"
| extend cwsPolicyName = todynamic(detail).policyName
suppressionDuration: 5h
alertDetailsOverride:
alertDescriptionFormat: |-
CWS Policy Published: {{cwsPolicyName}}
During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
alertDynamicProperties: []
severity: Informational
queryFrequency: 1h
triggerOperator: gt
id: b26a7d97-6b6e-43ab-870e-eb18460ae602
name: VMware Cloud Web Security - Policy Publish Event
triggerThreshold: 0
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- CWS
description: This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cws-policy-publish.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
groupingConfiguration:
enabled: true
groupByCustomDetails: []
groupByAlertDetails: []
lookbackDuration: 1h
groupByEntities: []
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
version: 1.0.0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b26a7d97-6b6e-43ab-870e-eb18460ae602')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b26a7d97-6b6e-43ab-870e-eb18460ae602')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "CWS Policy Published: {{cwsPolicyName}}\n\nDuring publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.",
"alertDynamicProperties": []
},
"alertRuleTemplateName": "b26a7d97-6b6e-43ab-870e-eb18460ae602",
"customDetails": null,
"description": "This alert is capturing events when VMware CWS policies were published. During publish, the VMware Edge Cloud Orchestrator deploys the CWS policies in SASE POPs, making them effective. All new rules will be enforced. Depending on the contents of the policy, this might create an impact on the CWS Data Plane traffic.",
"displayName": "VMware Cloud Web Security - Policy Publish Event",
"enabled": true,
"entityMappings": null,
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware%20SD-WAN%20and%20SASE/Analytic%20Rules/vmw-sase-cws-policy-publish.yaml",
"query": "VMware_VECO_EventLogs_CL\n| where event == \"CWS_EVENT\"\n| extend cwsPolicyAction = todynamic(detail).subEvent\n| where cwsPolicyAction == \"CWS_POLICY_PUBLISHED\"\n| extend cwsPolicyName = todynamic(detail).policyName\n\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Informational",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}