
VMware vCenter

The following instructions are for configuring VMware vCenter to facilitate log ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements

Source          Destination                        Port/Protocol
VMware vCenter  Taegis™ XDR Collector (mgmt IP)    TCP/601

Data Provided from Integration

          Auth  CloudAudit  DNS  HTTP  Management  Netflow  NIDS  Process  Thirdparty
vCenter   D                            Y

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the VMware vCenter Platform

  1. Follow the instructions in the VMware documentation to log in to the vCenter Server Appliance Management Interface.
  2. Follow the instructions in the VMware documentation to configure log forwarding via Syslog using the following values:
     Field            Required Value
     Server Address   XDR Collector (mgmt IP)
     Protocol         TCP
     Port             601

Example Query Language Searches

To search for auth events from the last 24 hours:

FROM auth WHERE sensor_type = 'VMWARE_VCENTER' and EARLIEST=-24h

To search for managementevent events:

FROM managementevent WHERE sensor_type = 'VMWARE_VCENTER'

To search for auth events associated with a specific user:

FROM auth WHERE sensor_type='VMWARE_VCENTER' AND source_user_name = 'foo'

Sample logs

Important

XDR DOES NOT support multiple events in a single line. Each line must reference a single event and end with a newline character.

Authentication:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:14:38.893453+00:00 somehost1111 vpxd 31038 - -  Event [123445] [1-1] [2022-12-20T02:14:38.892052Z] [vim.event.UserLogoutSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654321] [User SOMEDOM.LOCAL\Administrator@10.7.007.19 logged out (login time: Tuesday, 20 December, 2022 01:58:49, number of API invocations: 9, user agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000))]

Command Execution:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:16:01.544091+00:00 computername CROND 16388 - -  (root) CMD ( test -x /usr/sbin/vpxd_periodic && /usr/sbin/vpxd_periodic >/dev/null 2>&1)
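The two sample lines above follow the RFC 5424 layout that vCenter's syslog forwarder emits (relay prefix, version, timestamp, hostname, app-name, procid, msgid, structured-data, message), with vpxd audit events packed into positional bracketed fields. The following parser is an added example, not Taegis or VMware code: it extracts the fields the queries above search on (event type, user name, source address) and enforces the one-event-per-line rule from the note above. The mapping of session events to the `auth` schema and everything else from vpxd to `managementevent`, and the positional field layout, are assumptions inferred from the single sample, not a documented format; the third line (`BAD_LINE`) is constructed to show a glued-together pair of events being rejected.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5424 header as it appears in the samples, after the relay's own
# "MMM dd HH:MM:SS <relay-ip>" prefix:
#   VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA  MSG
HEADER_RE = re.compile(
    r"^(?P<relay_ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay_ip>\S+) "
    r"(?P<version>\d) (?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) +(?P<msg>.*)$"
)
# vpxd "Event [...] [...] ..." records are positional bracketed fields.
BRACKET_RE = re.compile(r"\[([^\]]*)\]")
# "User DOMAIN\name@1.2.3.4 logged in/out" inside the event description.
USER_AT_IP_RE = re.compile(r"User (?P<user>\S+?)@(?P<ip>[0-9.]+) logged (?P<action>in|out)")
# A well-formed line carries at most one "Event [<id>]" record.
EVENT_MARKER_RE = re.compile(r"\bEvent \[\d+\]")
# Assumed mapping: session login/logout events go to the auth schema.
AUTH_EVENT_SUFFIXES = ("LoginSessionEvent", "LogoutSessionEvent")


@dataclass
class VCenterEvent:
    hostname: str
    appname: str
    timestamp: str
    schema: str                   # "auth", "management" or "unclassified" (assumed mapping)
    message: str
    event_type: Optional[str] = None
    user: Optional[str] = None    # the value source_user_name would carry in the queries above
    source_ip: Optional[str] = None
    action: Optional[str] = None  # "in" or "out" for session events


def one_event_per_line(line: str) -> bool:
    """True unless more than one vpxd event record was glued onto the line."""
    return len(EVENT_MARKER_RE.findall(line)) <= 1


def parse_line(line: str) -> Optional[VCenterEvent]:
    """Parse one forwarded syslog line; returns None if the header does not match."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    msg = m.group("msg")
    ev = VCenterEvent(hostname=m.group("hostname"), appname=m.group("appname"),
                      timestamp=m.group("timestamp"), schema="unclassified", message=msg)
    if ev.appname == "vpxd" and msg.startswith("Event "):
        fields = BRACKET_RE.findall(msg)
        # Layout seen in the sample (assumed general):
        # [id] [chain] [time] [type] [severity] [user] [datacenter] [key] [description]
        if len(fields) >= 9:
            ev.event_type = fields[3]
            ev.user = fields[5] or None
            who = USER_AT_IP_RE.search(fields[8])
            if who:
                ev.source_ip, ev.action = who.group("ip"), who.group("action")
        is_auth = bool(ev.event_type) and ev.event_type.endswith(AUTH_EVENT_SUFFIXES)
        ev.schema = "auth" if is_auth else "management"
    return ev


def parse_lines(lines: List[str]) -> Tuple[List[VCenterEvent], List[str]]:
    """Parse a batch, rejecting lines that violate the one-event-per-line rule or do not parse."""
    accepted, rejected = [], []
    for line in lines:
        ev = parse_line(line) if one_event_per_line(line) else None
        if ev is None:
            rejected.append(line)
        else:
            accepted.append(ev)
    return accepted, rejected


# The two sample lines from this page, plus one constructed malformed line.
SAMPLE_LINES = [
    r"Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:14:38.893453+00:00 somehost1111 vpxd 31038 - -  Event [123445] [1-1] [2022-12-20T02:14:38.892052Z] [vim.event.UserLogoutSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654321] [User SOMEDOM.LOCAL\Administrator@10.7.007.19 logged out (login time: Tuesday, 20 December, 2022 01:58:49, number of API invocations: 9, user agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000))]",
    r"Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:16:01.544091+00:00 computername CROND 16388 - -  (root) CMD ( test -x /usr/sbin/vpxd_periodic && /usr/sbin/vpxd_periodic >/dev/null 2>&1)",
]
BAD_LINE = SAMPLE_LINES[0] + " Event [123446] [1-1] [2022-12-20T02:15:00.000000Z] [vim.event.UserLoginSessionEvent] [info] [x] [] [1] [constructed second event glued onto the same line]"

if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES + [BAD_LINE])
    for ev in ok:
        print(ev.schema, ev.event_type, ev.user, ev.source_ip, ev.action)
    print(f"rejected {len(bad)} line(s)")
```

Running it prints the parsed auth event (user, source address and logout action), the cron line as unclassified, and one rejected line; a collector-side pre-check like `one_event_per_line` is a cheap way to catch a forwarder that concatenates records before they reach XDR and silently fail to normalize.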

Event Details

[Image: vCenter Event Details]