VMware Cloud Web Security - Data Loss Prevention Violation
Id | d811ef72-66b9-43a3-ba29-cd9e4bf75b74 |
Rulename | VMware Cloud Web Security - Data Loss Prevention Violation |
Description | This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated. |
Severity | Medium |
Required data connectors | VMwareSDWAN |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml |
Version | 1.0.0 |
Arm template | d811ef72-66b9-43a3-ba29-cd9e4bf75b74.json |
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
kind: Scheduled
triggerThreshold: 0
eventGroupingSettings:
aggregationKind: AlertPerResult
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
requiredDataConnectors:
- dataTypes:
- CWS
connectorId: VMwareSDWAN
name: VMware Cloud Web Security - Data Loss Prevention Violation
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: userId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: sourceIp
- entityType: CloudApplication
fieldMappings:
- identifier: Name
columnName: casbAppName
- entityType: URL
fieldMappings:
- identifier: Url
columnName: dstUrl
query: |-
VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
severity: Medium
queryFrequency: 1h
suppressionEnabled: false
version: 1.0.0
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
suppressionDuration: 5h
incidentConfiguration:
createIncident: true
groupingConfiguration:
groupByAlertDetails: []
lookbackDuration: 5h
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
groupByCustomDetails: []
groupByEntities: []
customDetails:
CWS_Policy_Name: policyName
CWS_Rule_Name: ruleMatched
queryPeriod: 1h
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d811ef72-66b9-43a3-ba29-cd9e4bf75b74')]",
"properties": {
"alertRuleTemplateName": "d811ef72-66b9-43a3-ba29-cd9e4bf75b74",
"customDetails": {
"CWS_Policy_Name": "policyName",
"CWS_Rule_Name": "ruleMatched"
},
"description": "This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.",
"displayName": "VMware Cloud Web Security - Data Loss Prevention Violation",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "userId",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "sourceIp",
"identifier": "Address"
}
]
},
{
"entityType": "CloudApplication",
"fieldMappings": [
{
"columnName": "casbAppName",
"identifier": "Name"
}
]
},
{
"entityType": "URL",
"fieldMappings": [
{
"columnName": "dstUrl",
"identifier": "Url"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByAlertDetails": [],
"groupByCustomDetails": [],
"groupByEntities": [],
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml",
"query": "VMware_CWS_DLPLogs_CL\n| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}