VMware vCenter - Root login

let p_lookback = 14d;
let t_lookback = 1h;
let root_ips = vCenter
| where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
| where EventType has_all ('UserLoginSessionEvent', 'root', 'logged in')
| summarize make_set(SourceIP,128);
vCenter
| where TimeGenerated > ago(t_lookback)
| where EventType   has_all ('UserLoginSessionEvent', 'root', 'logged in')
| where SourceIP   !in (root_ips)

relevantTechniques:
- T1078
entityMappings:
- fieldMappings:
  - columnName: SourceIP
    identifier: Address
  entityType: IP
triggerThreshold: 0
description: |
    'Detects when root user login from uncommon IP address.'
requiredDataConnectors:
- connectorId: CustomLogsAma
  dataTypes:
  - vcenter_CL
triggerOperator: gt
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware vCenter/Analytic Rules/vCenterRootLogin.yaml
id: 03e8a895-b5ba-49a0-aed3-f9a997d92fbe
queryFrequency: 1h
query: |
  let p_lookback = 14d;
  let t_lookback = 1h;
  let root_ips = vCenter
  | where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
  | where EventType has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | summarize make_set(SourceIP,128);
  vCenter
  | where TimeGenerated > ago(t_lookback)
  | where EventType   has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | where SourceIP   !in (root_ips)  
severity: High
status: Available
queryPeriod: 14d
name: VMware vCenter - Root login
tactics:
- InitialAccess
- PrivilegeEscalation
kind: Scheduled