So its been a while since I have posed… I have been a little busy with work and family!

I need to generate alerts from vRLI when ever someone logs in using a built in account, multiple failed attempts, creating users, changing passwords etc… for security / audit requirements.

I couldn’t find any pre-canned Content Packs in vRLI for this so I thought I would make my own!

So let me start off by stating the obvious… vRLI will need to have all these systems forwarding logs to it from VAMI, syslog or vRLI Agent + you will need to have done the “SMTP Configuration” in vRLI… also some of these alerts are looking for the vSphere.local SSO domain / default tenant so please remember to adapt the query and message to your needs!

Here are the alerts in the content pack, it doesn’t cover everything but its a start and its free…

name info
SECURITY_SIEM-ESXI-PasswordChangeRoot Root password changed on ESXi host.
SECURITY_SIEM-NSX-FailedLogins 3 Failed login to NSX Manager in the last 5 minutes
SECURITY_SIEM-NSX-LoginSuccessful User logged into NSX manager
SECURITY_SIEM-PSC-FailedLoginUnknownUser In 5 minutes 3 attempts with an unknown account has been attempted against a standalone PSC.
SECURITY_SIEM-SSH-FailedLogins 3 failed login attempts to a vRealize product in 5 min
SECURITY_SIEM-SSH-FailedRootLogin Something tried to SSH with root user but failed more than 3 times in 5 min
SECURITY_SIEM-SSH-FailedUnknownLogin Something has attempted to SSH more than 3 times in 5 minutes into a vRealize product but failed with an unknown account
SECURITY_SIEM-SSH-RootLoginSuccessful Root account was used to SSH into an appliance, ESXi Host, NSX controller etc..
SECURITY_SIEM-VC-FailedLoginAttempts Within a 5 minute window there has been more than 3 failed attempts to login to a VC
SECURITY_SIEM-VCPSC-LocalUserDeleted Detects if vsphere.local user was deleted from the Virtual Center or PSC. —> Adapt this to your required SSO domain.
SECURITY_SIEM-VCPSC-LocalUserPasswordChanged The password for a local vsphere.local user has been changed on the Virtual Center or PSC appliance. —> Adapt this to your own SSO domain.
SECURITY_SIEM-VCPSC-NewUserCreated Detects if a new vsphere.local user was created on the Virtual Center or PSC.
SECURITY_SIEM-VCPSC-RootLoginToVAMI Someone has logged into the VAMI of the VC or PSC.
SECURITY_SIEM-VCPSC-RootPasswordChanged The password for root was changed on the Virtual Center or PSC VAMI.
SECURITY_SIEM-vRA-FailedLoginAttempts Within 5 minutes 3 failed logins occurred to the vRA appliance&nbsp
SECURITY_SIEM-vRA-vSphereLocalTenantLogin User has logged into the “vSphere.local” tenant —> Adapt this to your own SSO domain.
SECURITY_SIEM-vROPS-FailedLoginAttemptsByLocalUser More than 3 failed login attempts occurred against vRops with a known local user.
SECURITY_SIEM-vROPS-FailedLoginAttemptsByUnknownUser More than 3 failed login attempts against vRops occurred within 5 minutes by an unknown user account.
SECURITY_SIEM-VROPS-LoginByAdminUser Admin account was used to login to vRops.
SECURITY_SIEM-VROPS-SSH-FailedRootLogin Root user attempted to SSH into vROPS but failed more than 3 times in 5 minutes.
SECURITY_SIEM-VROPS-SSH-RootLogin Root SSHed to the vRops server.

When you import the content pack please make sure to use a local user and use the option “Import into My Content” NOT “Install as content pack”

Download: Security SIEM Alerts vRealize Suite v1.0