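# Microsoft Sentinel scheduled analytics rule from the "VMware SD-WAN and SASE"
# solution. The document had lost its indentation (and carried a stray copy of
# the KQL query ahead of the first key); nesting is restored here so it parses
# as the mapping Sentinel expects. Keys are in the usual rule-template order.
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
name: VMware Cloud Web Security - Data Loss Prevention Violation
description: >-
  This Analytics rule receives VMware CWS DLP alerts and combines them with
  their respective Web Log events. Each Data Loss Prevention event is an alert
  of policy violations and should be investigated.
severity: Medium
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
# Lookback window (queryPeriod) equals the schedule (queryFrequency): each run
# covers the hour since the previous run.
queryFrequency: 1h
queryPeriod: 1h
# "greater than 0": a single joined row is enough to raise an alert, and with
# aggregationKind AlertPerResult every row becomes its own alert.
triggerOperator: gt
triggerThreshold: 0
# NOTE(review): the join key is TimeGenerated alone. DLP rows and web-log rows
# are paired only when their TimeGenerated values are identical, and
# kind=innerunique deduplicates the left (DLP) side on that key, so several DLP
# events sharing a timestamp can be collapsed to one or paired with an
# unrelated web-log row. Confirm whether both tables expose a shared
# request/session identifier that the join should use instead — TODO.
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
# Columns named below are taken from the joined result; which source table each
# one comes from is not visible in this file — verify against the table schemas.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: userId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: casbAppName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: dstUrl
customDetails:
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched
eventGroupingSettings:
  aggregationKind: AlertPerResult
incidentConfiguration:
  createIncident: true
  # Alerts are grouped into an existing open incident only when all mapped
  # entities match; closed incidents are not reopened.
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
# Suppression is configured but disabled; the 5h value has no effect until
# suppressionEnabled is set to true.
suppressionDuration: 5h
suppressionEnabled: false
version: 1.0.0
kind: Scheduled
# Quoted: the path contains spaces, which are legal in a plain scalar but easy
# to mangle when the value is copied around.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml'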