Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware ESXi - Multiple Failed Shell Login via SSH

VMware ESXi - Multiple Failed Shell Login via SSH

Back
Id22d177d5-588c-4f1a-a332-2695f52079bb
RulenameVMware ESXi - Multiple Failed Shell Login via SSH
DescriptionIdentifies a failed ESXi Shell login via SSH in a short TimeFrame. This could be suspicious activity especially if this alert is seen triggering many times within a short time frame which could be evidence of a brute-force attack. TriggerThreshold can be adapted.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml
Version1.0.0
Arm template22d177d5-588c-4f1a-a332-2695f52079bb.json
Deploy To Azure
// To Adapt to your environment
let triggerThreshold = 10;
VMwareESXi
| where SyslogMessage has "sshd"
| where SyslogMessage contains "authentication failure"
| extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage)
| extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
| summarize make_set(SrcUsername),count() by SrcIpAddr,DstHostname
| where count_ >= triggerThreshold
| extend HostCustomEntity = DstHostname

triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml
name: VMware ESXi - Multiple Failed Shell Login via SSH
relevantTechniques:
- T1110
status: Available
version: 1.0.0
queryPeriod: 10m
kind: Scheduled
id: 22d177d5-588c-4f1a-a332-2695f52079bb
query: |
  // To Adapt to your environment
  let triggerThreshold = 10;
  VMwareESXi
  | where SyslogMessage has "sshd"
  | where SyslogMessage contains "authentication failure"
  | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage)
  | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage)
  | extend SrcIpAddr = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
  | summarize make_set(SrcUsername),count() by SrcIpAddr,DstHostname
  | where count_ >= triggerThreshold
  | extend HostCustomEntity = DstHostname  
description: |
    Identifies a failed ESXi Shell login via SSH in a short TimeFrame. This could be suspicious activity especially if this alert is seen triggering many times within a short time frame which could be evidence of a brute-force attack. TriggerThreshold can be adapted. 
queryFrequency: 10m
severity: Medium
triggerOperator: gt
tactics:
- CredentialAccess