⚠️ VMware SASE

⚠️ Unpublished: This item is from a solution that is not yet published on Azure Marketplace or not installed in Content Hub.



| Attribute | Value |
|---|---|
| Publisher | VMware by Broadcom |
| Support Tier | Partner |
| Support Link | https://developer.vmware.com/ |
| Categories | domains |
| Version | 1.0.0 |
| Author | VMware by Broadcom |
| First Published | 2023-12-31 |
| Solution Folder | VMware SD-WAN and SASE |

The VMware SASE solution provides the capability to ingest telemetry and event data from your VMware SD-WAN fabric and Cloud Web Security service into Microsoft Sentinel through Syslog and the Orchestrator REST API.

Underlying Microsoft Technologies used:

This solution takes a dependency on the following technologies, some of which may be in Preview state or may result in additional ingestion or operational costs:

a. Azure Monitor Log Ingestion API
b. Azure Functions
c. Azure Monitor Agent for Syslog collection

Contents

Data Connectors

This solution provides 1 data connector: VMware SD-WAN and SASE Connector (the connector referenced in the Tables Used section below).

Tables Used

This solution uses 7 table(s):

| Table | Used By Connectors | Used By Content |
|---|---|---|
| Heartbeat | - | Workbooks |
| Syslog | - | Analytics, Workbooks |
| VMware_CWS_DLPLogs_CL | VMware SD-WAN and SASE Connector | Analytics |
| VMware_CWS_Health_CL | VMware SD-WAN and SASE Connector | Workbooks |
| VMware_CWS_Weblogs_CL | VMware SD-WAN and SASE Connector | Analytics, Workbooks |
| VMware_SDWAN_FirewallLogs_CL | - | Analytics |
| VMware_VECO_EventLogs_CL | VMware SD-WAN and SASE Connector | Analytics, Workbooks |

Content Items

This solution includes 16 content item(s):

| Content Type | Count |
|---|---|
| Analytic Rules | 14 |
| Hunting Queries | 1 |
| Workbooks | 1 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| VMware Cloud Web Security - Data Loss Prevention Violation | Medium | - | VMware_CWS_DLPLogs_CL |
| VMware Cloud Web Security - Policy Change Detected | Informational | - | VMware_VECO_EventLogs_CL |
| VMware Cloud Web Security - Policy Publish Event | Informational | - | VMware_VECO_EventLogs_CL |
| VMware Cloud Web Security - Web Access Policy Violation | Medium | - | VMware_CWS_Weblogs_CL |
| VMware Edge Cloud Orchestrator - New LAN-Side Client Device Detected | Informational | - | VMware_VECO_EventLogs_CL |
| VMware SD-WAN - Orchestrator Audit Event | Informational | - | VMware_VECO_EventLogs_CL |
| VMware SD-WAN Edge - All Cloud Security Service Tunnels DOWN | Medium | - | VMware_VECO_EventLogs_CL |
| VMware SD-WAN Edge - Device Congestion Alert - Packet Drops | Medium | Impact | VMware_VECO_EventLogs_CL |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Search API) | High | LateralMovement | VMware_SDWAN_FirewallLogs_CL |
| VMware SD-WAN Edge - IDS/IPS Alert triggered (Syslog) | High | LateralMovement | Syslog |
| VMware SD-WAN Edge - IDS/IPS Signature Update Failed | High | - | VMware_VECO_EventLogs_CL |
| VMware SD-WAN Edge - IDS/IPS Signature Update Succeeded | Informational | - | VMware_VECO_EventLogs_CL |
| VMware SD-WAN Edge - Network Anomaly Detection - Potential Fragmentation Attack | Low | Impact, DefenseEvasion | Syslog |
| VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure | Low | Impact | Syslog |

Hunting Queries

| Name | Tactics | Tables Used |
|---|---|---|
| VMware Edge Cloud Orchestrator - High number of login failures from a source IP address | CredentialAccess, InitialAccess | - |

Workbooks

| Name | Tables Used |
|---|---|
| VMwareSASESOCDashboard | Heartbeat, Syslog, VMware_CWS_Health_CL, VMware_CWS_Weblogs_CL, VMware_VECO_EventLogs_CL |
