# Microsoft Sentinel scheduled analytics rule template for VMware Cloud Web
# Security (CWS) Data Loss Prevention alerts. One alert is raised per result
# row (AlertPerResult) whenever the query returns more than 0 rows.
id: d811ef72-66b9-43a3-ba29-cd9e4bf75b74
name: VMware Cloud Web Security - Data Loss Prevention Violation
# Quoted so that no YAML consumer retypes the version as a number.
version: '1.0.0'
kind: Scheduled
description: >-
  This Analytics rule receives VMware CWS DLP alerts and combines them with
  their respective Web Log events. Each Data Loss Prevention event is an alert
  of policy violations and should be investigated.
severity: Medium
# Run every hour over the preceding hour of data; quoted so the durations stay
# plain strings in every parser.
queryFrequency: '1h'
queryPeriod: '1h'
# Any result at all (row count > 0) triggers the rule.
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - CWS
# NOTE(review): the only join key is TimeGenerated, so a DLP row is paired with
# web-log rows only when both timestamps are exactly equal, and innerunique
# keeps a single left-side row per distinct key value. Confirm the connector
# stamps both tables with the same TimeGenerated, or join on a shared
# session/request field instead; otherwise DLP events can be dropped or
# collapsed without any visible error.
query: |-
  VMware_CWS_DLPLogs_CL
  | join kind=innerunique VMware_CWS_Weblogs_CL on TimeGenerated
# Alert suppression is switched off; the duration only applies once it is
# enabled.
suppressionEnabled: false
suppressionDuration: '5h'
incidentConfiguration:
  createIncident: true
  # Alerts raised within 5h whose entities all match are grouped into one
  # incident; closed incidents are not reopened by new matches.
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: '5h'
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Extra fields surfaced on each alert, taken from columns of the query result.
customDetails:
  CWS_Policy_Name: policyName
  CWS_Rule_Name: ruleMatched
# Entities extracted from each result row. NOTE(review): the column names below
# refer to the joined result; which source table supplies each one is not
# visible here, so verify them against the connector's schema.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: userId
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: sourceIp
  - entityType: CloudApplication
    fieldMappings:
      - identifier: Name
        columnName: casbAppName
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: dstUrl