VMware Cloud Web Security - Data Loss Prevention Violation
Id | d811ef72-66b9-43a3-ba29-cd9e4bf75b74 |
Rulename | VMware Cloud Web Security - Data Loss Prevention Violation |
Description | This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated. |
Severity | Medium |
Required data connectors | VMwareSDWAN |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml |
Version | 1.0.0 |
Arm template | d811ef72-66b9-43a3-ba29-cd9e4bf75b74.json |
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
requiredDataConnectors:
- connectorId: VMwareSDWAN
dataTypes:
- CWS
suppressionDuration: 5h
severity: Medium
queryFrequency: 1h
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
query: |-
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
queryPeriod: 1h
name: VMware Cloud Web Security - Data Loss Prevention Violation
customDetails:
CWS_Policy_Name: policyName
CWS_Rule_Name: ruleMatched
kind: Scheduled
suppressionEnabled: false
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Account
fieldMappings:
- columnName: userId
identifier: Name
- entityType: IP
fieldMappings:
- columnName: sourceIp
identifier: Address
- entityType: CloudApplication
fieldMappings:
- columnName: casbAppName
identifier: Name
- entityType: URL
fieldMappings:
- columnName: dstUrl
identifier: Url
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByAlertDetails: []
groupByCustomDetails: []
matchingMethod: AllEntities
reopenClosedIncident: false
groupByEntities: []
enabled: true
lookbackDuration: 5h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
"properties": {
"alertRuleTemplateName": "d811ef72-66b9-43a3-ba29-cd9e4bf75b74",
"customDetails": {
"CWS_Policy_Name": "policyName",
"CWS_Rule_Name": "ruleMatched"
},
"description": "This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.",
"displayName": "VMware Cloud Web Security - Data Loss Prevention Violation",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "userId",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "sourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "casbAppName",
"identifier": "Name"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "dstUrl",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml",
"query": "VMware_CWS_DLPLogs_CL\n| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}