VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
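# Microsoft Sentinel scheduled analytics rule (VMware Cloud Web Security DLP).
# Key order is kept as in the original; indentation restored to 2-space block
# style so the file parses (the flattened form is not valid YAML).
suppressionEnabled: false
entityMappings:
  # Each columnName must exist in the result of `query`; which of the two joined
  # tables supplies a given column is not visible here — verify against the schema.
  - fieldMappings:
      - columnName: userId
        identifier: Name
    entityType: Account
  - fieldMappings:
      - columnName: sourceIp
        identifier: Address
    entityType: IP
  - fieldMappings:
      - columnName: casbAppName
        identifier: Name
    entityType: CloudApplication
  - fieldMappings:
      - columnName: dstUrl
        identifier: Url
    entityType: URL
incidentConfiguration:
  groupingConfiguration:
    groupByCustomDetails: []
    reopenClosedIncident: false
    enabled: true
    # AllEntities: alerts are grouped into an existing incident only when all
    # mapped entities match, within lookbackDuration.
    matchingMethod: AllEntities
    groupByEntities: []
    lookbackDuration: 5h
    groupByAlertDetails: []
  createIncident: true
version: 1.0.0
# suppressionDuration has no effect while suppressionEnabled is false.
suppressionDuration: 5h
description: >-
  This Analytics rule receives VMware CWS DLP alerts and combines them with
  their respective Web Log events. Each Data Loss Prevention event is an alert
  of policy violations and should be investigated.
customDetails:
  CWS_Rule_Name: ruleMatched
  CWS_Policy_Name: policyName
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
# gt with triggerThreshold 0: any row returned by the query raises an alert.
triggerOperator: gt
# Quoted: the path contains spaces.
OriginalUri: "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml"
eventGroupingSettings:
  # One alert per joined row rather than one alert per query run.
  aggregationKind: AlertPerResult
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
queryFrequency: 1h
# NOTE(review): the join key is TimeGenerated only, and kind=innerunique keeps a
# single left-side (DLP) row per key value — DLP events sharing a timestamp are
# collapsed, and web-log rows from unrelated sessions can pair on timestamp alone.
# Confirm this is intended; a shared user/session column would be a stronger key.
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
severity: Medium
# queryPeriod equals queryFrequency, so consecutive runs cover contiguous windows.
queryPeriod: 1h
name: VMware Cloud Web Security - Data Loss Prevention Violation
triggerThreshold: 0
kind: Scheduled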