VMware Cloud Web Security - Data Loss Prevention Violation

Back


Id	d811ef72-66b9-43a3-ba29-cd9e4bf75b74
Rulename	VMware Cloud Web Security - Data Loss Prevention Violation
Description	This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
Severity	Medium
Required data connectors	VMwareSDWAN
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
Version	1.0.0
Arm template	d811ef72-66b9-43a3-ba29-cd9e4bf75b74.json

KQL

VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated

YAML

triggerOperator: gt
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
suppressionEnabled: false
triggerThreshold: 0
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - CWS
  connectorId: VMwareSDWAN
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: userId
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: sourceIp
  entityType: IP
- fieldMappings:
  - identifier: Name
    columnName: casbAppName
  entityType: CloudApplication
- fieldMappings:
  - identifier: Url
    columnName: dstUrl
  entityType: URL
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated  
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
customDetails:
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched
severity: Medium
name: VMware Cloud Web Security - Data Loss Prevention Violation
queryFrequency: 1h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    groupByEntities: []
    groupByCustomDetails: []
    lookbackDuration: 5h
    groupByAlertDetails: []
    matchingMethod: AllEntities
queryPeriod: 1h
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "properties": {
        "alertRuleTemplateName": "d811ef72-66b9-43a3-ba29-cd9e4bf75b74",
        "customDetails": {
          "CWS_Policy_Name": "policyName",
          "CWS_Rule_Name": "ruleMatched"
        },
        "description": "This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.",
        "displayName": "VMware Cloud Web Security - Data Loss Prevention Violation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userId",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "casbAppName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "dstUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml",
        "query": "VMware_CWS_DLPLogs_CL\n| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}