VMware ESXi - Root login

let p_lookback = 14d;
let t_lookback = 1h;
let root_ips = VMwareESXi
| where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
| where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in')
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
| summarize makeset(SrcIpAddr);
VMwareESXi
| where TimeGenerated > ago(t_lookback)
| where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in')
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
| where SrcIpAddr !in (root_ips)
| extend IPCustomEntity = SrcIpAddr

description: |
    'Detects when root user login from uncommon IP address.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootLogin.yaml
queryFrequency: 1h
version: 1.0.3
requiredDataConnectors:
- datatypes:
  - Syslog
  connectorId: SyslogAma
status: Available
query: |
  let p_lookback = 14d;
  let t_lookback = 1h;
  let root_ips = VMwareESXi
  | where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
  | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
  | summarize makeset(SrcIpAddr);
  VMwareESXi
  | where TimeGenerated > ago(t_lookback)
  | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in')
  | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
  | where SrcIpAddr !in (root_ips)
  | extend IPCustomEntity = SrcIpAddr  
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
kind: Scheduled
severity: High
tactics:
- InitialAccess
- PrivilegeEscalation
id: deb448a8-6a9d-4f8c-8a95-679a0a2cd62c
triggerOperator: gt
relevantTechniques:
- T1078
queryPeriod: 14d
name: VMware ESXi - Root login
triggerThreshold: 0