So its been a while since I have posed… I have been a little busy with work and family!
I need to generate alerts from vRLI when ever someone logs in using a built in account, multiple failed attempts, creating users, changing passwords etc… for security / audit requirements.
I couldn’t find any pre-canned Content Packs in vRLI for this so I thought I would make my own!
So let me start off by stating the obvious… vRLI will need to have all these systems forwarding logs to it from VAMI, syslog or vRLI Agent + you will need to have done the “SMTP Configuration” in vRLI… also some of these alerts are looking for the vSphere.local SSO domain / default tenant so please remember to adapt the query and message to your needs!
Here are the alerts in the content pack, it doesn’t cover everything but its a start and its free…
|Root password changed on ESXi host.
|3 Failed login to NSX Manager in the last 5 minutes
|User logged into NSX manager
|In 5 minutes 3 attempts with an unknown account has been attempted against a standalone PSC.
|3 failed login attempts to a vRealize product in 5 min
|Something tried to SSH with root user but failed more than 3 times in 5 min
|Something has attempted to SSH more than 3 times in 5 minutes into a vRealize product but failed with an unknown account
|Root account was used to SSH into an appliance, ESXi Host, NSX controller etc..
|Within a 5 minute window there has been more than 3 failed attempts to login to a VC
|Detects if vsphere.local user was deleted from the Virtual Center or PSC. —> Adapt this to your required SSO domain.
|The password for a local vsphere.local user has been changed on the Virtual Center or PSC appliance. —> Adapt this to your own SSO domain.
|Detects if a new vsphere.local user was created on the Virtual Center or PSC.
|Someone has logged into the VAMI of the VC or PSC.
|The password for root was changed on the Virtual Center or PSC VAMI.
|Within 5 minutes 3 failed logins occurred to the vRA appliance
|User has logged into the “vSphere.local” tenant —> Adapt this to your own SSO domain.
|More than 3 failed login attempts occurred against vRops with a known local user.
|More than 3 failed login attempts against vRops occurred within 5 minutes by an unknown user account.
|Admin account was used to login to vRops.
|Root user attempted to SSH into vROPS but failed more than 3 times in 5 minutes.
|Root SSHed to the vRops server.
When you import the content pack please make sure to use a local user and use the option “Import into My Content” NOT “Install as content pack”
Download: Security SIEM Alerts vRealize Suite v1.0