I have been creating a security operations center (SOC) specific to VMware vSphere using VMware vRealize Log Insight (vRLI). This SOC project shows the power of vRLI and the wealth of data available within vSphere 6.5. The original goal was to just gain visibility into my own environment. However, after showing the simple views to a few folks, it has grown from there and continues to grow.
This is the official page for Texiwill's vRLI Security Operations Center. Eventually I may change the name and am looking for suggestions; let me know what you think.
Updates
Vote for the VMworld 2017 Session: Security Operations for VMware vSphere with VMware vRealize Log Insight [1361]
2017-04-25 Release 1.0-RC7 contains changes to dashboard names. We no longer use vSphere but ESXi where appropriate, which clarifies usage. The Datastore Browser dashboard has been updated (props to fellow VMware vExpert Justin Bias for pointing out a problem). I added tracking of shell usage to the ESXi Config Changes dashboard: we raise an alert any time a shell command is run, whether from within SSH or via direct access.
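To show the kind of event the shell-usage alert in RC7 keys on, here is an added Python example that is not part of the content pack and not code from the page. It parses constructed log lines whose shape approximates ESXi shell.log entries (timestamp, `shell[pid]`, user, command; an assumption about the format, as is the list of state-changing markers) and turns each shell command into an alert record, ranking commands that change host state higher than read-only ones.

```python
import re
from typing import Dict, List

# Constructed sample log lines, not taken from the page or the content pack.
# They approximate the shape of ESXi /var/log/shell.log entries
# ("<timestamp> shell[<pid>]: [<user>]: <command>") mixed with one hostd line.
SAMPLE_LOG = """\
2017-04-25T14:02:11Z shell[67123]: [root]: esxcli network firewall get
2017-04-25T14:02:30Z hostd[67001]: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root@10.0.0.5 logged in
2017-04-25T14:03:05Z shell[67123]: [root]: vim-cmd vmsvc/getallvms
2017-04-25T14:05:41Z shell[67130]: [admin]: esxcli system settings advanced set -o /UserVars/SuppressShellWarning -i 1
"""

# Assumed line layout; adjust the pattern if your shell.log differs.
SHELL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Assumed markers of commands that mutate host state; used only to rank alerts.
CHANGE_MARKERS = (" set ", " add ", " remove ", "hostsvc/", "vmsvc/power")


def extract_shell_commands(log_text: str) -> List[Dict[str, str]]:
    """Return one record per shell command in the log text; non-shell lines are ignored."""
    records = []
    for line in log_text.splitlines():
        m = SHELL_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def build_alerts(log_text: str) -> List[Dict[str, str]]:
    """Turn every shell command into an alert; state-changing commands get 'high' severity."""
    alerts = []
    for rec in extract_shell_commands(log_text):
        padded = f" {rec['cmd']} "  # pad so " set " matches at either end of the command
        severity = "high" if any(marker in padded for marker in CHANGE_MARKERS) else "medium"
        alerts.append({
            "time": rec["ts"],
            "session": rec["pid"],   # shell pid doubles as a session identifier
            "user": rec["user"],
            "command": rec["cmd"],
            "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(f"{alert['time']} [{alert['severity']}] {alert['user']} "
              f"(shell pid {alert['session']}): {alert['command']}")
```

Grouping on the shell pid lets you see a whole interactive session rather than isolated commands, which is the view a SOC analyst wants when deciding whether a change was authorised.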
2017-04-12 Release 1.0-RC6 contains the new vSphere Config Changes dashboard. This dashboard shows you how the underlying ESXi environment's configuration is changing. It has been tested with a number of different changes, such as networking, advanced options, etc.
2017-03-25 Release 1.0-RC5 contains some more cleanups, specifically the removal of duplicate extracted fields owned by the vSphere content pack. The first dashboard was changed to a general Activity dashboard, and the API Invocations dashboard is now the Login/Logout and API Invocations dashboard. The goal of this new dashboard is to line up vCenter logins and logouts with the actual vSphere API invocations performed. We still pay attention to direct activity against vSphere hosts.
2017-03-17 Release 1.0-RC4 contains major cleanups and adds the API Invocations dashboard. Also added some missing views to other dashboards: File Copies, DROP by Firewall, and improved configuration change tracking.
SOC Resources
There are a number of resources already for the content pack. @mikefoley has been telling people on Twitter to show this content pack to their security teams. I agree!
- Security Operations with VMware vRealize Log Insight: the official write-up on why I built the SOC, what is in the SOC, and how to use the SOC (more on how soon).
- GitHub Repository for the vRLI Content Pack
SOC Screen Shots
There will be more screen shots coming soon!
Let me know
Let me know what you would like to see. You can find me on Slack, Twitter, Google+, Email, etc. You can even leave a comment here. I am interested in adding even more functionality, so let me know what interests you.