VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

Severity: low
Time window: 1h
Source: github.com/Azure/Azure-Sentinel

The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check. Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface. RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system. An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes. This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.

MITRE ATT&CK coverage

Tactic	Techniques
Impact	`T1498` Network Denial of Service

Rule body kusto

id: 840b050f-842b-4264-8973-d4f9b65facb5
name: VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure
version: 1.0.0
kind: Scheduled
description: |-
  The VMware SD-WAN Edge appliance received packets that failed a Reverse Path Forwarding (RPF) Check.

  Reverse path forwarding (RPF) check is a network security mechanism that verifies whether the source IP address of a packet is reachable through the incoming interface on which the packet is received. The packet is dropped if the source IP address is not reachable through the incoming interface.

  RPF checks prevent spoofing attacks, in which an attacker uses a forged source IP address to make it appear that the packets are coming from a trusted source. This can allow the attacker to gain unauthorized network access or launch a denial-of-service attack against a target system.

  An IP fragmentation attack is a cyberattack that exploits how IP packets are fragmented and reassembled. IP fragmentation is a process by which large IP packets are broken down into smaller packets to transmit them over networks with smaller Maximum Transmission Unit (MTU) sizes.

  This analytics rule analyzes Syslog streams; these alerts are not reported by default if Search API is used.
severity: Low
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
requiredDataConnectors:
  - connectorId: VMwareSDWAN
    dataTypes:
      - SDWAN
tactics:
- Impact
relevantTechniques:
- T1498
query: |+
  Syslog
  | where SyslogMessage contains "VCF Drop"
  | where SyslogMessage contains "Reverse path forwarding check fail"
  | project-rename EdgeName=HostName
  | project-away Computer, HostIP, SourceSystem, Type
  | extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
  | extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
  | extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
  | extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
  | extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
  | extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
  | extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)
  | project
      TimeGenerated,
      EdgeFwAction,
      EdgeName,
      SrcIpAddress,
      IpProtocol,
      DstIpAddress,
      pcktCount,
      SyslogTag
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 1h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails:
  Edge_Name: EdgeName
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddress
suppressionDuration: 5h

Stages and Predicates

Stage 1: `source`

Syslog

Stage 2: `where`

| where SyslogMessage contains "VCF Drop"

Stage 3: `where`

| where SyslogMessage contains "Reverse path forwarding check fail"

Stage 4: `project-rename`

| project-rename EdgeName=HostName

Stage 5: `project-away`

| project-away Computer, HostIP, SourceSystem, Type

Stage 6: `extend` (7 consecutive steps)

| extend OverlaySegmentName = extract("SEGMENT_NAME=(.+) COUNT=", 1, SyslogMessage)
| extend IpProtocol = extract("PROTO=(.+) SRC=", 1, SyslogMessage)
| extend SrcIpAddress = extract("SRC=(.+) DST=", 1, SyslogMessage)
| extend DstIpAddress = extract("DST=(.+) REASON=", 1, SyslogMessage)
| extend EdgeFwAction = extract("ACTION=(.+) SEGMENT=", 1, SyslogMessage)
| extend SyslogTag = extract("^(.+): ACTION=", 1, SyslogMessage)
| extend pcktCount = extract("COUNT=([0-9]+)$", 1, SyslogMessage)

Stage 7: `project`

| project
    TimeGenerated,
    EdgeFwAction,
    EdgeName,
    SrcIpAddress,
    IpProtocol,
    DstIpAddress,
    pcktCount,
    SyslogTag

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`SyslogMessage`	contains	`Reverse path forwarding check fail` `VCF Drop`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`DstIpAddress`	`project`
`EdgeFwAction`	`project`
`EdgeName`	`project`
`IpProtocol`	`project`
`SrcIpAddress`	`project`
`SyslogTag`	`project`
`TimeGenerated`	`project`
`pcktCount`	`project`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `project-rename`

Stage 5: `project-away`

Stage 6: `extend` (7 consecutive steps)

Stage 7: `project`

Indicators

Output fields

Keyboard shortcuts

Search operators

VMware SD-WAN Edge - Network Anomaly Detection - RPF Check Failure

MITRE ATT&CK coverage

Rule body kusto

Stages and Predicates

Stage 1: source

Stage 2: where

Stage 3: where

Stage 4: project-rename

Stage 5: project-away

Stage 6: extend (7 consecutive steps)

Stage 7: project

Indicators

Output fields

Stage 1: `source`

Stage 2: `where`

Stage 3: `where`

Stage 4: `project-rename`

Stage 5: `project-away`

Stage 6: `extend` (7 consecutive steps)

Stage 7: `project`