Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware Cloud Web Security - Web Access Policy Violation

VMware Cloud Web Security - Web Access Policy Violation

Back
Idb84a1f62-ad30-4ae1-8b21-3d304d8aa818
RulenameVMware Cloud Web Security - Web Access Policy Violation
DescriptionVMware Cloud Web Security reported access events which were violating web access policy rules. Additional investigation might be required.
SeverityMedium
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policyviolation.yaml
Version1.0.0
Arm templateb84a1f62-ad30-4ae1-8b21-3d304d8aa818.json
Deploy To Azure
VMware_CWS_Weblogs_CL
| where action == "block"

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 5h
    enabled: false
    groupByEntities: []
    groupByCustomDetails: []
    groupByAlertDetails: []
    matchingMethod: AllEntities
    reopenClosedIncident: false
id: b84a1f62-ad30-4ae1-8b21-3d304d8aa818
queryPeriod: 1h
eventGroupingSettings:
  aggregationKind: AlertPerResult
triggerThreshold: 0
name: VMware Cloud Web Security - Web Access Policy Violation
query: |
  VMware_CWS_Weblogs_CL
  | where action == "block"  
severity: Medium
triggerOperator: gt
kind: Scheduled
suppressionDuration: 5h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policyviolation.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: VMwareSDWAN
  dataTypes:
  - CWS
description: VMware Cloud Web Security reported access events which were violating web access policy rules. Additional investigation might be required.
suppressionEnabled: false
version: 1.0.0
entityMappings:
- fieldMappings:
  - columnName: sourceIp
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: virusList
    identifier: Name
  entityType: Malware
- fieldMappings:
  - columnName: url
    identifier: Url
  entityType: URL
- fieldMappings:
  - columnName: userId
    identifier: AadUserId
  entityType: Account

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/b84a1f62-ad30-4ae1-8b21-3d304d8aa818')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/b84a1f62-ad30-4ae1-8b21-3d304d8aa818')]",
      "properties": {
        "alertRuleTemplateName": "b84a1f62-ad30-4ae1-8b21-3d304d8aa818",
        "customDetails": null,
        "description": "VMware Cloud Web Security reported access events which were violating web access policy rules. Additional investigation might be required.",
        "displayName": "VMware Cloud Web Security - Web Access Policy Violation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Malware",
            "fieldMappings": [
              {
                "columnName": "virusList",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "url",
                "identifier": "Url"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userId",
                "identifier": "AadUserId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cws-policyviolation.yaml",
        "query": "VMware_CWS_Weblogs_CL\n| where action == \"block\"\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}