VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
---
# Microsoft Sentinel scheduled analytic rule for the VMware SD-WAN / SASE
# solution. Every row returned by the query becomes its own alert
# (aggregationKind: AlertPerResult); alerts are then grouped into incidents.
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
name: VMware Cloud Web Security - Data Loss Prevention Violation
description: >-
  This Analytics rule receives VMware CWS DLP alerts and combines them with
  their respective Web Log events. Each Data Loss Prevention event is an
  alert of policy violations and should be investigated.
severity: Medium
kind: Scheduled
version: 1.0.0
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml'

requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS

# Scheduling: run hourly over the last hour of data. Any row at all fires
# (count > 0), because each DLP event is itself a policy violation.
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0

# Correlates each DLP log row with the web-log row that carries the same
# TimeGenerated value.
# NOTE(review): `innerunique` keeps only the first left-side row per distinct
# key, so several DLP events stamped with the same TimeGenerated would collapse
# to one alert; and the join requires exact timestamp equality between the two
# tables, so rows whose timestamps differ by any amount are dropped — confirm
# this matches how the connector stamps both tables.
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated

# Entities are taken from columns of the joined result; which source table
# each column originates from is not visible here.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: userId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: casbAppName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: dstUrl

# Surfaced on the alert so an analyst can see which policy/rule matched
# without opening the raw event.
customDetails:
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched

eventGroupingSettings:
  aggregationKind: AlertPerResult

incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    # The groupBy* lists only apply to the Selected matching method; they are
    # intentionally empty here.
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []

suppressionEnabled: false
suppressionDuration: 5h