VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
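# Microsoft Sentinel scheduled analytics rule (VMware SD-WAN / SASE solution).
# The original listing had its indentation stripped; the nesting below is the
# Sentinel rule-template schema (requiredDataConnectors, incidentConfiguration,
# entityMappings, ...) re-applied to the same keys and values.
description: >-
  This Analytics rule receives VMware CWS DLP alerts and combines them with
  their respective Web Log events. Each Data Loss Prevention event is an alert
  of policy violations and should be investigated.
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    # NOTE(review): confirm "CWS" is the data type name the VMwareSDWAN connector
    # declares for the two custom tables the query reads
    # (VMware_CWS_DLPLogs_CL and VMware_CWS_Weblogs_CL).
    dataTypes:
      - CWS
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 5h
    # AllEntities: alerts are grouped into one incident only when every
    # mapped entity matches; the groupBy* lists are therefore left empty.
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
severity: Medium
eventGroupingSettings:
  # One alert per returned row, so every DLP violation surfaces individually.
  aggregationKind: AlertPerResult
customDetails:
  # Surfaced on the alert so the analyst sees which DLP policy/rule fired
  # without opening the query results.
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
# NOTE(review): the join key is TimeGenerated alone, so a DLP row is paired
# with a web-log row only when both carry an identical timestamp, and
# innerunique keeps a single DLP row per timestamp. Confirm this matches how
# the connector stamps both tables; otherwise DLP events with no exact-time
# match are silently dropped and unrelated events sharing a timestamp are
# correlated. A shared user/session field in the join key would be more robust.
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
kind: Scheduled
queryPeriod: 1h
name: VMware Cloud Web Security - Data Loss Prevention Violation
queryFrequency: 1h
# gt 0: fire whenever the query returns at least one row.
triggerThreshold: 0
version: 1.0.0
entityMappings:
  # NOTE(review): columns named here must exist in the joined output. If a
  # column is present in both tables, KQL suffixes the right-hand copy with
  # "1" (e.g. userId1) — verify which side each mapped column comes from.
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: userId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: casbAppName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: dstUrl
triggerOperator: gt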