VMware vCenter - Root login

let p_lookback = 14d;
let t_lookback = 1h;
let root_ips = vCenter
| where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
| where EventType has_all ('UserLoginSessionEvent', 'root', 'logged in')
| summarize make_set(SourceIP,128);
vCenter
| where TimeGenerated > ago(t_lookback)
| where EventType   has_all ('UserLoginSessionEvent', 'root', 'logged in')
| where SourceIP   !in (root_ips)

description: |
    'Detects when root user login from uncommon IP address.'
requiredDataConnectors:
- dataTypes:
  - vcenter_CL
  connectorId: CustomLogsAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware vCenter/Analytic Rules/vCenterRootLogin.yaml
id: 03e8a895-b5ba-49a0-aed3-f9a997d92fbe
name: VMware vCenter - Root login
relevantTechniques:
- T1078
triggerThreshold: 0
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIP
  entityType: IP
kind: Scheduled
version: 1.0.2
triggerOperator: gt
query: |
  let p_lookback = 14d;
  let t_lookback = 1h;
  let root_ips = vCenter
  | where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
  | where EventType has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | summarize make_set(SourceIP,128);
  vCenter
  | where TimeGenerated > ago(t_lookback)
  | where EventType   has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | where SourceIP   !in (root_ips)  
status: Available
tactics:
- InitialAccess
- PrivilegeEscalation
queryPeriod: 14d
severity: High
queryFrequency: 1h