VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack

Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
    TimeGenerated,
    EdgeFwAction,
    EdgeName,
    SrcIpAddress,
    IpProtocol,
    DstIpAddress,
    pcktCount,
    SyslogTag

description: |-
  The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.

  An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.

  Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.

  This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.  
customDetails:
  Edge_Name: EdgeName
kind: Scheduled
tactics:
- Impact
- DefenseEvasion
severity: Low
triggerThreshold: 0
queryFrequency: 1h
queryPeriod: 1h
relevantTechniques:
- T1498
- T1599
suppressionDuration: 5h
eventGroupingSettings:
  aggregationKind: SingleAlert
id: ce207901-ed7b-49ae-ada7-033e1fbb1240
name: VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByCustomDetails: []
    enabled: true
    matchingMethod: AllEntities
    groupByAlertDetails: []
    groupByEntities: []
    lookbackDuration: 1h
query: |+
  Syslog
  | where SyslogMessage contains "VCF Drop"
  | where SyslogMessage contains "packet too big"
  | project-rename EdgeName=HostName
  | project-away Computer, HostIP, SourceSystem, Type
  | extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
  | extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
  | extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
  | extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
  | extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
  | extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
  | extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
  | project
      TimeGenerated,
      EdgeFwAction,
      EdgeName,
      SrcIpAddress,
      IpProtocol,
      DstIpAddress,
      pcktCount,
      SyslogTag  

triggerOperator: gt
suppressionEnabled: false
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddress
    identifier: Address
  entityType: IP
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN