VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
suppressionDuration: 5h
triggerOperator: gt
queryPeriod: 1h
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
- CWS
connectorId: VMwareSDWAN
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
eventGroupingSettings:
aggregationKind: AlertPerResult
triggerThreshold: 0
suppressionEnabled: false
kind: Scheduled
entityMappings:
- fieldMappings:
- identifier: Name
columnName: userId
entityType: Account
- fieldMappings:
- identifier: Address
columnName: sourceIp
entityType: IP
- fieldMappings:
- identifier: Name
columnName: casbAppName
entityType: CloudApplication
- fieldMappings:
- identifier: Url
columnName: dstUrl
entityType: URL
query: |-
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
customDetails:
CWS_Policy_Name: policyName
CWS_Rule_Name: ruleMatched
name: VMware Cloud Web Security - Data Loss Prevention Violation
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
severity: Medium
incidentConfiguration:
groupingConfiguration:
enabled: true
groupByEntities: []
lookbackDuration: 5h
groupByAlertDetails: []
matchingMethod: AllEntities
reopenClosedIncident: false
groupByCustomDetails: []
createIncident: true
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
