Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack

Back
Idce207901-ed7b-49ae-ada7-033e1fbb1240
RulenameVMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
DescriptionThe VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.



An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.



Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.



This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.
SeverityLow
TacticsImpact
DefenseEvasion
TechniquesT1498
T1599
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml
Version1.0.0
Arm templatece207901-ed7b-49ae-ada7-033e1fbb1240.json
Deploy To Azure
Syslog
| where SyslogMessage contains "VCF Drop"
| where SyslogMessage contains "packet too big"
| project-rename EdgeName=HostName
| project-away Computer, HostIP, SourceSystem, Type
| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
| project
    TimeGenerated,
    EdgeFwAction,
    EdgeName,
    SrcIpAddress,
    IpProtocol,
    DstIpAddress,
    pcktCount,
    SyslogTag
kind: Scheduled
suppressionEnabled: false
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddress
    identifier: Address
query: |+
  Syslog
  | where SyslogMessage contains "VCF Drop"
  | where SyslogMessage contains "packet too big"
  | project-rename EdgeName=HostName
  | project-away Computer, HostIP, SourceSystem, Type
  | extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
  | extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
  | extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
  | extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
  | extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
  | extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
  | extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
  | project
      TimeGenerated,
      EdgeFwAction,
      EdgeName,
      SrcIpAddress,
      IpProtocol,
      DstIpAddress,
      pcktCount,
      SyslogTag  

relevantTechniques:
- T1498
- T1599
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
suppressionDuration: 5h
triggerThreshold: 0
queryPeriod: 1h
customDetails:
  Edge_Name: EdgeName
tactics:
- Impact
- DefenseEvasion
id: ce207901-ed7b-49ae-ada7-033e1fbb1240
requiredDataConnectors:
- dataTypes:
  - SDWAN
  connectorId: VMwareSDWAN
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    groupByEntities: []
    lookbackDuration: 1h
    groupByCustomDetails: []
    matchingMethod: AllEntities
    groupByAlertDetails: []
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml
description: |-
  The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.

  An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.

  Attackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.

  This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.  
queryFrequency: 1h
name: VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack
severity: Low
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ce207901-ed7b-49ae-ada7-033e1fbb1240')]",
      "properties": {
        "alertRuleTemplateName": "ce207901-ed7b-49ae-ada7-033e1fbb1240",
        "customDetails": {
          "Edge_Name": "EdgeName"
        },
        "description": "The VMware SD-WAN Edge appliance received packets potentially part of an IP Fragmentation attack or indicating an MTU mismatch.\n\nAn IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.\n\nAttackers can exploit IP fragmentation in various ways, for example, Denial-of-service attacks, address spoofing, or even information disclosure.\n\nThis analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.",
        "displayName": "VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sdwan-ipfrag-attempt.yaml",
        "query": "Syslog\n| where SyslogMessage contains \"VCF Drop\"\n| where SyslogMessage contains \"packet too big\"\n| project-rename EdgeName=HostName\n| project-away Computer, HostIP, SourceSystem, Type\n| extend OverlaySegmentName = extract(\"SEGMENT_NAME=(.+) COUNT=\", 1, SyslogMessage)\n| extend IpProtocol = extract(\"PROTO=(.+) SRC=\", 1, SyslogMessage)\n| extend SrcIpAddress = extract(\"SRC=(.+) DST=\", 1, SyslogMessage)\n| extend DstIpAddress = extract(\"DST=(.+) REASON=\", 1, SyslogMessage)\n| extend EdgeFwAction = extract(\"ACTION=(.+) SEGMENT=\", 1, SyslogMessage)\n| extend SyslogTag = extract(\"^(.+): ACTION=\", 1, SyslogMessage)\n| extend pcktCount = extract(\"COUNT=([0-9]+)$\", 1, SyslogMessage)\n| project\n    TimeGenerated,\n    EdgeFwAction,\n    EdgeName,\n    SrcIpAddress,\n    IpProtocol,\n    DstIpAddress,\n    pcktCount,\n    SyslogTag\n\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "Impact"
        ],
        "techniques": [
          "T1498",
          "T1599"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}