Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

VMware Cloud Web Security - Data Loss Prevention Violation

Back
Idd811ef72-66b9-43a3-ba29-cd9e4bf75b74
RulenameVMware Cloud Web Security - Data Loss Prevention Violation
DescriptionThis Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
SeverityMedium
Required data connectorsVMwareSDWAN
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
Version1.0.0
Arm templated811ef72-66b9-43a3-ba29-cd9e4bf75b74.json
Deploy To Azure
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
name: VMware Cloud Web Security - Data Loss Prevention Violation
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated  
queryPeriod: 1h
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByCustomDetails: []
    enabled: true
    lookbackDuration: 5h
    groupByEntities: []
    groupByAlertDetails: []
    matchingMethod: AllEntities
customDetails:
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - CWS
  connectorId: VMwareSDWAN
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: userId
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: sourceIp
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: casbAppName
    identifier: Name
- entityType: URL
  fieldMappings:
  - columnName: dstUrl
    identifier: Url
eventGroupingSettings:
  aggregationKind: AlertPerResult
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
suppressionEnabled: false
suppressionDuration: 5h
queryFrequency: 1h
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
triggerThreshold: 0
severity: Medium
version: 1.0.0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
      "properties": {
        "alertRuleTemplateName": "d811ef72-66b9-43a3-ba29-cd9e4bf75b74",
        "customDetails": {
          "CWS_Policy_Name": "policyName",
          "CWS_Rule_Name": "ruleMatched"
        },
        "description": "This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.",
        "displayName": "VMware Cloud Web Security - Data Loss Prevention Violation",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "userId",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "sourceIp",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "casbAppName",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "URL",
            "fieldMappings": [
              {
                "columnName": "dstUrl",
                "identifier": "Url"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByAlertDetails": [],
            "groupByCustomDetails": [],
            "groupByEntities": [],
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml",
        "query": "VMware_CWS_DLPLogs_CL\n| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}