VMware ESXi - Low patch disk space

Back


Id	48d992ba-d404-4159-a8c6-46f51d1325c7
Rulename	VMware ESXi - Low patch disk space
Description	This rule is triggered when low patch disk store space is detected.
Severity	Medium
Tactics	Impact
Techniques	T1529
Required data connectors	SyslogAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml
Version	1.0.2
Arm template	48d992ba-d404-4159-a8c6-46f51d1325c7.json

KQL

let threshold = 100;
VMwareESXi
| where SyslogMessage has ('Patch store disk')
| extend sp = toreal(extract(@'free space is:\s(\d+)', 1, SyslogMessage)) / 1000000000
| where sp < threshold
| extend h = 'Hypervisor'
| extend HostCustomEntity = h

YAML

kind: Scheduled
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
description: |
    'This rule is triggered when low patch disk store space is detected.'
severity: Medium
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1529
status: Available
tactics:
- Impact
name: VMware ESXi - Low patch disk space
id: 48d992ba-d404-4159-a8c6-46f51d1325c7
query: |
  let threshold = 100;
  VMwareESXi
  | where SyslogMessage has ('Patch store disk')
  | extend sp = toreal(extract(@'free space is:\s(\d+)', 1, SyslogMessage)) / 1000000000
  | where sp < threshold
  | extend h = 'Hypervisor'
  | extend HostCustomEntity = h  
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
version: 1.0.2
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/48d992ba-d404-4159-a8c6-46f51d1325c7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/48d992ba-d404-4159-a8c6-46f51d1325c7')]",
      "properties": {
        "alertRuleTemplateName": "48d992ba-d404-4159-a8c6-46f51d1325c7",
        "customDetails": null,
        "description": "'This rule is triggered when low patch disk store space is detected.'\n",
        "displayName": "VMware ESXi - Low patch disk space",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiLowPatchDiskSpace.yaml",
        "query": "let threshold = 100;\nVMwareESXi\n| where SyslogMessage has ('Patch store disk')\n| extend sp = toreal(extract(@'free space is:\\s(\\d+)', 1, SyslogMessage)) / 1000000000\n| where sp < threshold\n| extend h = 'Hypervisor'\n| extend HostCustomEntity = h\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Impact"
        ],
        "techniques": [
          "T1529"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}