VMware_CWS_DLPLogs_CL
| join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
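# Microsoft Sentinel scheduled analytics rule: raise one alert per VMware Cloud
# Web Security (CWS) DLP violation, enriched with the CWS web-log row that
# shares its timestamp. Indentation below follows the Sentinel rule schema
# (sequence items nested under their parent key).
version: 1.0.0
# Look-back window of each run. It equals queryFrequency, so there is no
# overlap between consecutive runs: a record whose TimeGenerated falls inside
# a window but is ingested after that window's run is never evaluated. If
# late-arriving CWS records are observed, widening queryPeriod beyond
# queryFrequency is the usual mitigation (at the cost of possible duplicate
# alerts for the overlap) — left unchanged here because the actual ingestion
# lag is not visible from this file.
queryPeriod: 1h
# Columns referenced here must exist in the joined result. They are assumed
# to come from the DLP table (left side of the join); if the same column name
# exists in both tables, confirm against the connector schema which copy is
# kept under the plain name.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: userId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: casbAppName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: dstUrl
# One alert per result row — the rule relies on the query returning exactly
# one row per DLP violation (see the note on the join kind below).
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware SD-WAN and SASE/Analytic Rules/vmw-sase-cwsdlp-violation.yaml
# Inert while suppressionEnabled is false; kept so enabling suppression later
# needs a single toggle.
suppressionDuration: 5h
queryFrequency: 1h
# gt 0 with AlertPerResult: any returned row fires.
triggerOperator: gt
suppressionEnabled: false
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
severity: Medium
kind: Scheduled
incidentConfiguration:
  groupingConfiguration:
    groupByEntities: []
    # Alerts whose mapped entities (user, source IP, app, URL) all match
    # within the 5h lookback are folded into one incident; closed incidents
    # are not reopened by a new match.
    enabled: true
    groupByAlertDetails: []
    groupByCustomDetails: []
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 5h
  createIncident: true
triggerThreshold: 0
# Join kind is `inner`, not the KQL default `innerunique`: innerunique keeps
# only one left-side (DLP) row per distinct join-key value, so two DLP
# violations stamped with the same TimeGenerated collapsed into one and the
# second never produced an alert, contradicting the description's "each DLP
# event is an alert". Correlating on TimeGenerated alone is still weak — any
# web-log row with an identical timestamp matches, even for a different user
# or session — but no better shared key is visible from this rule; check the
# connector schema for a request/session identifier and add it to the `on`
# clause if one exists.
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=inner VMware_CWS_Weblogs_CL on TimeGenerated
description: This Analytics rule receives VMware CWS DLP alerts and combines them with their respective Web Log events. Each Data Loss Prevention event is an alert of policy violations and should be investigated.
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
# Surfaced on the alert so the triage view shows which CWS rule/policy fired
# without opening the raw record.
customDetails:
  CWS_Rule_Name: ruleMatched
  CWS_Policy_Name: policyName
name: VMware Cloud Web Security - Data Loss Prevention Violation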