vCenter
| where Message has_all ('ImpersonateUser', 'VcIntegrity', 'root')
| extend user = 'root'
name: vCenter - Root impersonation
id: f1fcb22c-b459-42f2-a7ee-7276b5f1309c
description: |
'Detects when root impersonation occurs.'
triggerThreshold: 0
entityMappings:
- fieldMappings:
- columnName: user
identifier: Name
entityType: Account
version: 1.0.2
triggerOperator: gt
query: |
vCenter
| where Message has_all ('ImpersonateUser', 'VcIntegrity', 'root')
| extend user = 'root'
tactics:
- PrivilegeEscalation
kind: Scheduled
queryFrequency: 1h
severity: Medium
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
- vcenter_CL
connectorId: CustomLogsAma
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMware vCenter/Analytic Rules/vCenter-Root impersonation.yaml
relevantTechniques:
- T1078
