
VMware vCenter



The following instructions are for configuring VMware vCenter to facilitate log ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements

Source            Destination                        Port/Protocol
VMware vCenter    Taegis™ XDR Collector (mgmt IP)    TCP/601

Data Provided from Integration

           Auth   CloudAudit   DNS   HTTP   Management   Netflow   NIDS   Process   Thirdparty
vCenter    D      -            -     -      Y            -         -      -         -

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the VMware vCenter Platform

Follow the instructions in the VMware documentation to configure log forwarding.

When defining a Syslog configuration, enter the following information:

Field             Required Value
Server Address    XDR Collector (mgmt IP)
Protocol          TCP
Port              601
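Before enabling forwarding on vCenter, it is worth confirming that the collector accepts a connection on TCP/601 and that a record in the shape of the vpxd lines on this page arrives as exactly one event. The following added example (not part of the Secureworks or VMware documentation) builds one RFC 5424 record and sends it to the collector. The collector IP, the vCenter hostname and the facility/severity defaults are placeholders; the only requirement it enforces is XDR's one-event-per-newline-terminated-line rule, by collapsing any line breaks inside the message.

```python
"""Send one RFC 5424 test record to the XDR Collector over TCP/601.

Added example; not Secureworks or VMware code. The collector address, the
hostname and the facility/severity defaults are assumptions for illustration.
"""
import socket
from datetime import datetime, timezone


def build_rfc5424_line(timestamp, hostname, app_name, procid, msg,
                       facility=1, severity=6):
    """Return one newline-terminated RFC 5424 record.

    Shape matches the vpxd lines on this page:
    <PRI>1 TIMESTAMP HOST APP PROCID - - MSG
    XDR treats each newline-delimited line as one event, so line breaks inside
    ``msg`` are collapsed to spaces instead of being passed through.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity  # RFC 5424 section 6.2.1
    flat_msg = " ".join(msg.splitlines())
    return f"<{pri}>1 {timestamp} {hostname} {app_name} {procid} - - {flat_msg}\n"


def utc_timestamp():
    """Current time in the microsecond UTC form seen in the vpxd samples."""
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def send_syslog_line(collector_ip, line, port=601, timeout=5.0):
    """Open the TCP/601 session the connectivity table requires and write one record.

    Returns the number of bytes written. A refused or timed-out connection raises
    OSError, which is the quickest way to spot a missing firewall rule between
    vCenter and the collector's management IP.
    """
    if not line.endswith("\n"):
        raise ValueError("record must end with a newline so XDR sees exactly one event")
    payload = line.encode("utf-8")
    with socket.create_connection((collector_ip, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


if __name__ == "__main__":
    # Placeholders: replace with the collector's management IP and the vCenter hostname.
    record = build_rfc5424_line(utc_timestamp(), "vcenter.example.local", "vpxd", "0",
                                "XDR collector connectivity test from vCenter")
    print("sent", send_syslog_line("192.0.2.10", record), "bytes")
```

Run it from a host that sits on the same network path as vCenter; a successful write followed by the record appearing in a `FROM managementevent` or raw-log search confirms the path end to end, whereas an OSError narrows the problem to connectivity rather than parsing.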

Example Query Language Searches

To search for auth events from the last 24 hours:

FROM auth WHERE sensor_type = 'VMWARE_VCENTER' and EARLIEST=-24h

To search for managementevent events:

FROM managementevent WHERE sensor_type = 'VMWARE_VCENTER'

To search for auth events associated with a specific user:

FROM auth WHERE sensor_type='VMWARE_VCENTER' AND source_user_name = 'foo'

Sample logs

Important

XDR DOES NOT support multiple events in a single line. Each line must contain exactly one event and end with a newline character.

Authentication:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:14:38.893453+00:00 somehost1111 vpxd 31038 - -  Event [123445] [1-1] [2022-12-20T02:14:38.892052Z] [vim.event.UserLogoutSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654321] [User SOMEDOM.LOCAL\Administrator@10.7.007.19 logged out (login time: Tuesday, 20 December, 2022 01:58:49, number of API invocations: 9, user agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000))]

Command Execution:

Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:16:01.544091+00:00 computername CROND 16388 - -  (root) CMD ( test -x /usr/sbin/vpxd_periodic && /usr/sbin/vpxd_periodic >/dev/null 2>&1)
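The queries above select on sensor_type and source_user_name; the following added example (not Secureworks or VMware code) shows where such fields come from by parsing lines in the shape of the two samples above and filtering them the way the auth queries do. The names given to the bracketed vpxd fields are inferred from the sample and are an assumption. All sample lines except the first (the page's own logout event) are constructed for this example, including the vim.event.BadUsernameSessionEvent lines that drive the failed-login count.

```python
"""Parse vCenter vpxd session events in the collector line format shown above.

Added example, not Secureworks or VMware code. VPXD_FIELDS names are inferred
from the page's sample line (an assumption); SAMPLE_LINES[1:] are constructed.
"""
import re
from collections import Counter

# Collector line: "Jan 24 00:33:06 1.2.3.4 1 <TS> <HOST> <APP> <PROCID> - - <MSG>"
# (structured data is assumed to be "-", as in both samples on this page)
SYSLOG_RE = re.compile(
    r"^(?P<received>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<relay>\S+) "
    r"(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
# vpxd payload: "Event [id] [chain] [time] [type] [severity] [user] [] [session] [text]"
VPXD_EVENT_RE = re.compile(r"^\s*Event(?P<fields>(?: \[[^\]]*\]){8}) \[(?P<message>.*)\]$")
VPXD_FIELDS = ("event_id", "chain_id", "event_time", "event_type",
               "severity", "user", "field7", "session_id")  # field7 is empty in the sample
SOURCE_IP_RE = re.compile(r"@(\d{1,3}(?:\.\d{1,3}){3})")  # "user@ip" inside the free text
SESSION_EVENTS = {
    "vim.event.UserLoginSessionEvent",
    "vim.event.UserLogoutSessionEvent",
    "vim.event.BadUsernameSessionEvent",
}

# Constructed sample input: line 0 is the page's own sample, the rest are made up.
SAMPLE_LINES = [
    r"Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:14:38.893453+00:00 somehost1111 vpxd 31038 - -  Event [123445] [1-1] [2022-12-20T02:14:38.892052Z] [vim.event.UserLogoutSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654321] [User SOMEDOM.LOCAL\Administrator@10.7.007.19 logged out (login time: Tuesday, 20 December, 2022 01:58:49, number of API invocations: 9, user agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000))]",
    r"Jan 24 00:33:07 1.2.3.4 1 2023-01-24T02:20:00.000000+00:00 somehost1111 vpxd 31038 - -  Event [123446] [1-1] [2023-01-24T02:19:59.000000Z] [vim.event.UserLoginSessionEvent] [info] [SOMEDOM.LOCAL\Administrator] [] [654322] [User SOMEDOM.LOCAL\Administrator@10.7.7.20 logged in as VMware vim-java 1.0]",
    r"Jan 24 00:35:10 1.2.3.4 1 2023-01-24T02:35:10.000000+00:00 somehost1111 vpxd 31038 - -  Event [123450] [1-1] [2023-01-24T02:35:09.000000Z] [vim.event.BadUsernameSessionEvent] [warning] [] [] [] [Cannot login root@203.0.113.5]",
    r"Jan 24 00:35:12 1.2.3.4 1 2023-01-24T02:35:12.000000+00:00 somehost1111 vpxd 31038 - -  Event [123451] [1-1] [2023-01-24T02:35:11.000000Z] [vim.event.BadUsernameSessionEvent] [warning] [] [] [] [Cannot login admin@203.0.113.5]",
    r"Jan 24 00:35:15 1.2.3.4 1 2023-01-24T02:35:15.000000+00:00 somehost1111 vpxd 31038 - -  Event [123452] [1-1] [2023-01-24T02:35:14.000000Z] [vim.event.BadUsernameSessionEvent] [warning] [] [] [] [Cannot login administrator@203.0.113.5]",
    r"Jan 24 00:33:06 1.2.3.4 1 2023-01-24T02:16:01.544091+00:00 computername CROND 16388 - -  (root) CMD ( test -x /usr/sbin/vpxd_periodic && /usr/sbin/vpxd_periodic >/dev/null 2>&1)",
]


def parse_line(line):
    """Split one collector line into its syslog header fields.

    Returns None if the line is not in the header shape shown on this page. For
    vpxd event lines the bracketed fields are added under VPXD_FIELDS plus
    'message' and 'source_ip'; other lines (e.g. CROND) carry only the header.
    """
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    event = m.groupdict()
    if event["app"] != "vpxd":
        return event
    em = VPXD_EVENT_RE.match(event["msg"])
    if not em:
        return event  # vpxd output that is not an Event record
    event.update(zip(VPXD_FIELDS, re.findall(r"\[([^\]]*)\]", em.group("fields"))))
    event["message"] = em.group("message")
    ip = SOURCE_IP_RE.search(event["message"])
    event["source_ip"] = ip.group(1) if ip else None
    return event


def auth_events(lines):
    """Equivalent of FROM auth WHERE sensor_type = 'VMWARE_VCENTER' over raw lines."""
    parsed = (parse_line(line) for line in lines)
    return [e for e in parsed if e and e.get("event_type") in SESSION_EVENTS]


def events_for_user(lines, user):
    """Equivalent of adding AND source_user_name = '<user>' to the auth query."""
    return [e for e in auth_events(lines) if e["user"] == user]


def failed_logins_by_ip(lines, threshold=3):
    """Source IPs with at least `threshold` bad-username events: a simple custom-rule candidate."""
    counts = Counter(
        e["source_ip"] for e in auth_events(lines)
        if e["event_type"] == "vim.event.BadUsernameSessionEvent" and e["source_ip"]
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for e in auth_events(SAMPLE_LINES):
        print(e["event_time"], e["event_type"], e["user"] or "-", e["source_ip"])
    print("failed logins over threshold:", failed_logins_by_ip(SAMPLE_LINES))
```

The user and client IP live only inside the free-text message (the user@ip token), not in a dedicated field, which is why a parser has to pull them out before a query such as source_user_name = 'foo' can match; the failed-login count is the kind of logic the Custom Alert Rules note above refers to, expressed here outside XDR so the threshold can be checked against known input.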

Event Details

[Screenshot: vCenter Event Details]