
Analytics Rule VMware ESXi - Root login Bug #9443

Closed

jeffrywu28 opened this issue Nov 22, 2023 · 7 comments

@jeffrywu28 (Author)

Describe the bug
If I use the default analytics rule query, it does not show anything. If I remove 'UserLoginSessionEvent' from the Syslog message condition, results are shown.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Analytics Rules

  2. Click on

  3. Scroll down to 'VMware ESXi - Root login Bug'

  4. Edit the query and remove "UserLoginSessionEvent":
    // Baseline: source IPs that root has logged in from over the past 14 days,
    // excluding the most recent hour that the detection itself examines
    let p_lookback = 14d;
    let t_lookback = 1h;
    let root_ips = VMwareESXi
    | where TimeGenerated between (ago(p_lookback) .. ago(t_lookback))
    | where SyslogMessage has_all ('root', 'logged in')
    // dots are escaped so the pattern only matches a dotted-quad address
    | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
    | summarize make_set(SrcIpAddr);
    // Detection: root logins in the last hour from an IP absent from the baseline
    VMwareESXi
    | where TimeGenerated > ago(t_lookback)
    | where SyslogMessage has_all ('UserLoginSessionEvent', 'root', 'logged in')
    | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
    | where SrcIpAddr !in (root_ips)
    | extend IPCustomEntity = SrcIpAddr

  5. See error

Expected behavior
The query should return results for valid root logins.

Screenshots
(screenshot not included in this extract)

Desktop (please complete the following information):

  • OS: MacOS
  • Browser firefox
  • Version latest

Please talk with your creator or team
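To make the reported behaviour concrete, here is a small Python re-implementation of the rule's logic run over constructed ESXi syslog lines. This is an added example, not code from the issue or from the Azure Sentinel repository; the sample log lines are constructed for illustration and the two message shapes (a hostd line carrying the `vim.event.UserLoginSessionEvent` class name, and a plainer `User root@<ip> logged in` line) are assumed. KQL `has_all` is approximated with a case-insensitive substring check. The point it shows is that the detection half of the rule only fires when the forwarded line contains the `UserLoginSessionEvent` token, while the baseline half does not require it, so whether the default query returns anything depends on the wording of the lines each host actually forwards.

```python
import re
from datetime import datetime, timedelta, timezone

# Reference "now" so the example is deterministic.
NOW = datetime(2023, 11, 22, 12, 0, tzinfo=timezone.utc)

# Constructed sample rows (TimeGenerated, SyslogMessage); not real captures.
SAMPLE_ROWS = [
    # 3 days ago: lands in the 14d..1h baseline window
    (NOW - timedelta(days=3),
     "Hostd: Event 101 : User root@10.0.0.5 logged in as VMware-client/6.5.0"),
    # 20 min ago: same baseline IP, no event class token
    (NOW - timedelta(minutes=20),
     "Hostd: Event 202 : User root@10.0.0.5 logged in as VMware-client/6.5.0"),
    # 10 min ago: new IP, but the line lacks 'UserLoginSessionEvent'
    (NOW - timedelta(minutes=10),
     "Hostd: Event 303 : User root@192.0.2.44 logged in as VMware-client/6.5.0"),
    # 5 min ago: new IP and the line does carry the event class name
    (NOW - timedelta(minutes=5),
     "Hostd: [vim.event.UserLoginSessionEvent] User root@198.51.100.7 "
     "logged in as VMware-client/6.5.0"),
    # 2 min ago: SSH root login; no 'logged in' phrase, so neither half matches
    (NOW - timedelta(minutes=2),
     "sshd[1234]: Accepted keyboard-interactive/pam for root from "
     "203.0.113.9 port 51234 ssh2"),
]

# Same pattern as the rule, with the dots escaped so only a dotted quad matches.
IP_RE = re.compile(r"root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

DEFAULT_TOKENS = ("UserLoginSessionEvent", "root", "logged in")
RELAXED_TOKENS = ("root", "logged in")


def has_all(message, tokens):
    """Case-insensitive approximation of KQL has_all (substring, not term-based)."""
    lowered = message.lower()
    return all(token.lower() in lowered for token in tokens)


def src_ip(message):
    """Mirror of extract(@'root@(...)', 1, SyslogMessage); None when no match."""
    match = IP_RE.search(message)
    return match.group(1) if match else None


def new_root_login_ips(rows, now, detection_tokens,
                       p_lookback=timedelta(days=14), t_lookback=timedelta(hours=1)):
    """Return (baseline_ips, alert_ips) following the rule's two-stage logic.

    baseline_ips: IPs root logged in from between now-p_lookback and now-t_lookback,
                  selected with the baseline condition ('root', 'logged in').
    alert_ips:    IPs from the last t_lookback whose line matches detection_tokens
                  and whose IP is not in the baseline, in time order.
    """
    baseline = set()
    for ts, msg in rows:
        if now - p_lookback <= ts <= now - t_lookback and has_all(msg, RELAXED_TOKENS):
            ip = src_ip(msg)
            if ip:
                baseline.add(ip)

    alerts = []
    for ts, msg in sorted(rows, key=lambda r: r[0]):
        if ts > now - t_lookback and has_all(msg, detection_tokens):
            ip = src_ip(msg)
            # The KQL keeps rows whose extract() returned '' (empty is not in the
            # set); we drop them here, since an alert without an IP is not useful.
            if ip and ip not in baseline:
                alerts.append(ip)
    return baseline, alerts


if __name__ == "__main__":
    base, strict = new_root_login_ips(SAMPLE_ROWS, NOW, DEFAULT_TOKENS)
    _, relaxed = new_root_login_ips(SAMPLE_ROWS, NOW, RELAXED_TOKENS)
    print("baseline:", sorted(base))
    print("default tokens  ->", strict)
    print("relaxed tokens  ->", relaxed)
```

With the constructed rows the default token set alerts only on 198.51.100.7, because it is the only recent line that carries the event class name, while the relaxed set also surfaces 192.0.2.44; the SSH login from 203.0.113.9 is invisible to both variants because its wording contains neither `logged in` nor `root@<ip>`. The practical check when the rule returns nothing is therefore to inspect the raw `SyslogMessage` values for a known root login and confirm which of the three tokens, and the `root@<ip>` form the regex expects, are actually present in what the hosts forward.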

Contributor

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

@v-sudkharat (Contributor) commented Nov 22, 2023

Hi @jeffrywu28, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 28-11-2023 . Thanks!

@jeffrywu28 (Author)

> Hi @jeffrywu28, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 28-11-2023 . Thanks!

Hi, sure

@v-muuppugund (Contributor)

Hi @jeffrywu28, I am unable to replicate the issue as mentioned above; please find the screenshot below for reference. Could you please share more details and error screenshots for further troubleshooting and replication steps?
(screenshot not included in this extract)

@v-sudkharat (Contributor)

Hi @jeffrywu28, we are waiting for your response on above comment. Thanks!

@v-sudkharat (Contributor)

Hi @jeffrywu28, Gentle Reminder: We are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 07-12-2023 date, we will be closing this issue.
Thanks!

@v-sudkharat (Contributor)

Hi @jeffrywu28, since we have not received a response in the last 5 days, we are closing your issue- #9443 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
