Virtualization
Use the JSA Virtualization Content Extension to closely monitor your Virtualization deployment.
About the Virtualization Content Extension
The JSA Content Extension pack for Virtualization adds several rules and saved searches that focus on detecting Virtualization activities.
JSA Virtualization Content Extension V1.0.0
The following table shows the custom event properties in JSA Virtualization Content Extension V1.0.0.
The custom properties that are included in the following table are placeholders. You can download other content extensions that include custom properties with these names, or you can create your own.
Table 1: Custom Event Properties in JSA Virtualization Content Extension V1.0.0
Custom Property | Optimized | Found in |
---|---|---|
Machine ID | Yes | |
Role Name | Yes | |
Target User Name | Yes | |
The following table shows the building blocks and rules in JSA Virtualization Content Extension V1.0.0.
Table 2: Building Blocks and Rules in JSA Virtualization Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: User Role Assign Events | Edit this Building Block to include any user role assignment events. |
Building Block | BB:DeviceDefinition: Virtualization | This rule defines all Hypervisors on the system. |
Building Block | BB:DeviceDefinition: Cloud | This rule defines all Cloud sources on the system. |
Building Block | BB:CategoryDefinition: Virtual Machine Restarted | Edit this Building Block to include all events that indicate that a virtual machine was restarted. |
Building Block | BB:CategoryDefinition: Virtual Machine Started | Edit this Building Block to include all events that indicate that a virtual machine was started. |
Building Block | BB:CategoryDefinition: Virtual Machine Stopped | Edit this Building Block to include all events that indicate that a virtual machine was stopped. |
Building Block | BB:CategoryDefinition: Virtual Machine Deleted | Edit this Building Block to include all events that indicate that a virtual machine was deleted. |
Building Block | BB:CategoryDefinition: Configuration Change Events on Virtual Machines | Edit this Building Block to include any configuration change events. |
Building Block | BB:CategoryDefinition: Network Configuration Update on Virtual Machines | Edit this Building Block to include all events that indicate a network configuration update on virtual machines. |
Building Block | BB:CategoryDefinition: System Configuration | This Building Block defines system configuration events. |
Building Block | BB:CategoryDefinition: Virtual Machine Created | Edit this Building Block to include all events that indicate that a virtual machine was created. |
Rule | User Role Changed to Low Privilege Role Names | This rule removes a username from the reference set Users with High Privilege Role Names if the user is given a lower privilege role. Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Any role not defined in this reference set is considered suspicious in terms of privileges. |
Rule | Sensitive Virtual Machines Unavailable for a Long Period of Time | This rule triggers when a sensitive virtual machine has been stopped and unavailable for a long period of time. Tune the rule by changing the allowed downtime for a sensitive virtual machine. |
Rule | User Role Changed to High Privilege Role Names | This rule adds a username to the reference set Users with High Privilege Role Names if the user is given a potentially high privilege role. Note: The Low Privilege Role Names reference set must be populated with the relevant role names. Any role not defined in this reference set is considered suspicious in terms of privileges. |
Rule | High Privilege User Performing Suspicious Actions | This rule triggers when a user's role is changed to a higher privilege role (for example, Administrator), followed by suspicious activity. This can indicate a user changing permissions in order to perform malicious actions or to access unauthorized machines. |
Rule | Multiple Sensitive Virtual Machines Deleted within Short Period of Time | This rule triggers when multiple sensitive machines or security devices are deleted in quick succession. This can indicate an intruder compromising sensitive information or hiding before an attack. Note: The Sensitive Virtual Machines reference set must be populated with the relevant machine names. Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example. |
Rule | Multiple Virtual Security Devices Powered Off within Short Period of Time | This rule triggers when multiple virtual security devices (for example, a virtual IDS or a virtual SIEM component) are powered off in a short period of time. Note: The Security Devices reference set must be populated with the relevant machine names or IDs. Note: If authorized users perform this action often, exclude them by adding a rule condition. See Abnormal Number of Modifications Made on Virtual Machines for an example. |
Rule | Abnormal Number of Modifications Made on Virtual Machines | This rule triggers when an abnormal number of configuration updates are performed on virtual machines. Typical administration should not involve multiple configuration updates, such as adding more memory or reducing the storage size, on one or more machines in a short period; such activity indicates suspicious behaviour. Note: Populate the Authorized Users reference set with users who are authorized to perform these actions. |
Rule | Abnormal Number of Virtual Machines Created | This rule triggers when a high number of virtual machines is created in a short period of time. This can indicate malicious user behaviour. See Abnormal Number of Modifications Made on Virtual Machines for an example. |
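The rules above combine two mechanisms: reference-set maintenance (the two User Role Changed rules add or remove a username from Users with High Privilege Role Names, treating any role that is not in Low Privilege Role Names as high privilege) and a count threshold over a short time window with an exclusion for Authorized Users (the Multiple ... within Short Period of Time and Abnormal Number ... rules). The following Python model is an added illustration of that logic, not the extension's own rule engine or JSA code; the event fields, the 600-second window, the threshold of 3 and the sample events are all constructed for this example.

```python
"""Illustrative model of several JSA Virtualization Content Extension rules.
Constructed for this example; it is not the extension's rule engine."""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Event:
    ts: int                 # seconds since epoch (constructed values below)
    category: str           # "role_assign", "vm_deleted" or "vm_config_update"
    user: str               # user who performed the action
    target_user: str = ""   # user whose role changed (role_assign only)
    role: str = ""          # role granted (role_assign only)
    machine: str = ""       # VM name or ID (vm_* categories only)


@dataclass
class ReferenceSets:
    """Stand-ins for the reference sets listed in Table 3."""
    low_priv_roles: set = field(default_factory=set)     # Low Privilege Role Names
    high_priv_users: set = field(default_factory=set)    # Users with High Privilege Role Names
    sensitive_vms: set = field(default_factory=set)      # Sensitive Virtual Machines
    authorized_users: set = field(default_factory=set)   # Authorized Users


def apply_role_change(ev: Event, refs: ReferenceSets) -> Optional[str]:
    """Mirror the two 'User Role Changed ...' rules: a role that is absent from
    Low Privilege Role Names is treated as high privilege, as the rule notes say."""
    if ev.category != "role_assign":
        return None
    if ev.role in refs.low_priv_roles:
        refs.high_priv_users.discard(ev.target_user)
        return "low"
    refs.high_priv_users.add(ev.target_user)
    return "high"


class WindowCounter:
    """Sliding-window counter: observe() is True once `threshold` events have
    been seen within the last `window_s` seconds (events must arrive in order)."""

    def __init__(self, window_s: int, threshold: int):
        self.window_s, self.threshold = window_s, threshold
        self.times: deque = deque()

    def observe(self, ts: int) -> bool:
        self.times.append(ts)
        while self.times and ts - self.times[0] > self.window_s:
            self.times.popleft()
        return len(self.times) >= self.threshold


def run_rules(events: List[Event], refs: ReferenceSets,
              window_s: int = 600, threshold: int = 3) -> List[Tuple[int, str, str]]:
    """Replay events in time order; return (ts, rule name, user) offenses."""
    deletions = WindowCounter(window_s, threshold)
    config_updates = WindowCounter(window_s, threshold)
    offenses = []
    for ev in sorted(events, key=lambda e: e.ts):
        apply_role_change(ev, refs)           # keeps the reference set current
        if ev.user in refs.authorized_users:  # the "exclude authorized users" tuning
            continue
        if ev.category == "vm_deleted" and ev.machine in refs.sensitive_vms:
            if deletions.observe(ev.ts):
                offenses.append((ev.ts, "Multiple Sensitive Virtual Machines Deleted", ev.user))
        elif ev.category == "vm_config_update":
            if config_updates.observe(ev.ts):
                offenses.append((ev.ts, "Abnormal Number of Modifications Made on Virtual Machines", ev.user))
    return offenses


# Constructed sample: an admin reshuffles roles, an authorized backup account
# removes three sensitive VMs, then a user with a non-low role does the same.
SAMPLE_EVENTS = [
    Event(1000, "role_assign", user="admin", target_user="bob", role="Administrator"),
    Event(1100, "role_assign", user="admin", target_user="bob", role="ReadOnly"),
    Event(1200, "role_assign", user="admin", target_user="carol", role="CustomRole"),
    Event(2000, "vm_deleted", user="svc-backup", machine="vm-db01"),
    Event(2010, "vm_deleted", user="svc-backup", machine="vm-db02"),
    Event(2020, "vm_deleted", user="svc-backup", machine="vm-db03"),
    Event(3000, "vm_deleted", user="carol", machine="vm-db01"),
    Event(3100, "vm_deleted", user="carol", machine="vm-db02"),
    Event(3200, "vm_deleted", user="carol", machine="vm-pki"),
    Event(5000, "vm_config_update", user="carol", machine="vm-web01"),
    Event(5050, "vm_config_update", user="carol", machine="vm-web01"),
]


def demo() -> Tuple[List[Tuple[int, str, str]], ReferenceSets]:
    """Run the sample through the model and return the offenses and final reference sets."""
    refs = ReferenceSets(low_priv_roles={"ReadOnly", "Operator"},
                         sensitive_vms={"vm-db01", "vm-db02", "vm-db03", "vm-pki"},
                         authorized_users={"svc-backup"})
    return run_rules(SAMPLE_EVENTS, refs), refs


if __name__ == "__main__":
    found, final_refs = demo()
    for off in found:
        print(off)
    print("high privilege users:", sorted(final_refs.high_priv_users))
```

In the sample, bob is added to the high-privilege set and then removed again when he is given ReadOnly, while carol stays in it because CustomRole is not listed in Low Privilege Role Names. The backup account's three deletions produce no offense because it is in Authorized Users; carol's third deletion of a sensitive VM within the window does, and her two configuration updates stay below the threshold. Tuning the real rules means the same two levers: the contents of the reference sets and the window and count in the rule condition.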
The following table shows the reference data in JSA Virtualization Content Extension V1.0.0.
Table 3: Reference Data in JSA Virtualization Content Extension V1.0.0
Type | Name | Description |
---|---|---|
Reference Set | Authorized Users | Defines authorized users. This reference set can be used to exclude authorized users from triggering false positives when performing high privileged actions. |
Reference Set | Low Privilege Role Names | Collects usernames with high privilege role names. |
Reference Set | Security Devices | Defines security device names or IDs. |
Reference Set | Sensitive Virtual Machines | Defines sensitive virtual machine names or IDs. |
Reference Set | Users with High Privilege Role Names | Collects usernames with high privilege role names. |
The following table shows the saved searches in JSA Virtualization Content Extension V1.0.0.
Table 4: Saved Searches in JSA Virtualization Content Extension V1.0.0
Name | Description |
---|---|
VMWare Audit Events | Defines VMware audit events. |
VMWare System Status | Defines VMware system status events. |