Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware ESXi - Multiple Failed Shell Login via SSH

VMware ESXi - Multiple Failed Shell Login via SSH

Back
Id22d177d5-588c-4f1a-a332-2695f52079bb
RulenameVMware ESXi - Multiple Failed Shell Login via SSH
DescriptionIdentifies a failed ESXi Shell login via SSH in a short TimeFrame. This could be suspicious activity especially if this alert is seen triggering many times within a short time frame which could be evidence of a brute-force attack. TriggerThreshold can be adapted.
SeverityMedium
TacticsCredentialAccess
TechniquesT1110
Required data connectorsSyslogAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml
Version1.0.0
Arm template22d177d5-588c-4f1a-a332-2695f52079bb.json
Deploy To Azure
// To Adapt to your environment
let triggerThreshold = 10;
VMwareESXi
| where SyslogMessage has "sshd"
| where SyslogMessage contains "authentication failure"
| extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage)
| extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage)
| extend SrcIpAddr = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
| summarize make_set(SrcUsername),count() by SrcIpAddr,DstHostname
| where count_ >= triggerThreshold
| extend HostCustomEntity = DstHostname

relevantTechniques:
- T1110
entityMappings:
- fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
  entityType: Host
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
triggerThreshold: 0
description: |
    Identifies a failed ESXi Shell login via SSH in a short TimeFrame. This could be suspicious activity especially if this alert is seen triggering many times within a short time frame which could be evidence of a brute-force attack. TriggerThreshold can be adapted. 
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerOperator: gt
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiMultipleFailedSSHLogin.yaml
id: 22d177d5-588c-4f1a-a332-2695f52079bb
queryFrequency: 10m
query: |
  // To Adapt to your environment
  let triggerThreshold = 10;
  VMwareESXi
  | where SyslogMessage has "sshd"
  | where SyslogMessage contains "authentication failure"
  | extend SrcUsername = extract(@'\[info\]\s+\[(.*?)\]', 1, SyslogMessage)
  | extend DstHostname = extract(@'\[\d+\]\s+\[(.*?)\s+on', 1, SyslogMessage)
  | extend SrcIpAddr = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
  | summarize make_set(SrcUsername),count() by SrcIpAddr,DstHostname
  | where count_ >= triggerThreshold
  | extend HostCustomEntity = DstHostname  
severity: Medium
status: Available
queryPeriod: 10m
name: VMware ESXi - Multiple Failed Shell Login via SSH
tactics:
- CredentialAccess
kind: Scheduled