- <!--
- SOC Proposal Rules — Appendix B1: VMware vCenter / ESXi
- Simulation profile rule IDs : 100401-100403
- Production profile rule IDs : 110401-110403
- -->
- <group name="soc_mvp,appendix_b,b1,vmware,">
- <!-- ── Simulation profile ── -->
- <!-- ── Production profile (if_group=vmware + real log patterns) ── -->
- <rule id="110401" level="12">
- <if_group>vmware</if_group>
- <match>Login failure</match>
- <description>B1-01 [PROD] vCenter: login failure detected (brute-force indicator)</description>
- <group>soc_prod,b1,vcenter,auth,</group>
- <mitre><id>T1110</id></mitre>
- </rule>
- <rule id="110402" level="8">
- <if_group>vmware</if_group>
- <match>SSH login is enabled</match>
- <description>B1-02 [PROD] ESXi: SSH service enabled on host</description>
- <group>soc_prod,b1,esxi,ssh,</group>
- <mitre><id>T1021.004</id></mitre>
- </rule>
- <rule id="110403" level="12">
- <if_group>vmware</if_group>
- <match>sshd</match>
- <description>B1-03 [PROD] ESXi: SSH authentication event detected</description>
- <group>soc_prod,b1,esxi,ssh,</group>
- <mitre><id>T1021.004</id></mitre>
- </rule>
- <!-- ── Production normalized key=value path (soc-mvp production profile) ── -->
- </group>