What Changed

Added comprehensive ASIM Authentication parser support for VMware vCenter, introducing both full (ASimAuthenticationVMwareVCenter) and filtering (vimAuthenticationVMwareVCenter) parsers that normalize vCenter authentication events to the ASIM Authentication schema v0.1.4.

Data Sources

The parser supports VMware vCenter logs ingested via:

  • On-premises vCenter: Syslog collected by the Azure Monitor Agent (AMA) through a data collection rule (DCR) into the vcenter_CL table
  • Azure VMware Solution: Native Azure VMware syslog into the AVSVcSyslog table

Detection Logic

  • Primary data sources: vcenter_CL and AVSVcSyslog tables
  • Core logic: Parses structured vCenter event messages to extract authentication events (UserLoginSessionEvent/UserLogoutSessionEvent) with user identity, source IP, user agent, and session metadata
  • Entity types mapped: Account (ActorUsername), IP (SrcIpAddr), and session context

Authentication Event Coverage

This parser normalizes two critical vCenter authentication event types:

  • Logon events (vim.event.UserLoginSessionEvent): Captures successful user authentication with source IP and user agent
  • Logoff events (vim.event.UserLogoutSessionEvent): Tracks session termination with login duration and API invocation metrics

The parser enables detection of unauthorized vCenter access, privilege escalation attempts, and suspicious administrative activity across both on-premises and Azure VMware environments.

Security Impact

Addresses an authentication monitoring blind spot for VMware vCenter environments. Organizations running vSphere infrastructure can now apply ASIM-based authentication detections to monitor administrative access patterns, detect lateral movement through vCenter, and identify suspicious authentication behaviors targeting virtualization infrastructure.
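
One way to put the normalized output to work, as an added example that is not part of this change or of the project's own content: a hunting query that lists vCenter logons from a source IP not seen for that account during the preceding baseline window. It assumes the ASimAuthenticationVMwareVCenter parser is deployed in the workspace and that logon events carry the standard ASIM value EventType == "Logon"; the 14-day and 1-day windows are illustrative choices.

```kql
// Added example, not code from the pull request.
// Assumptions: the ASimAuthenticationVMwareVCenter parser is deployed as a
// workspace function; EventType, ActorUsername and SrcIpAddr are populated
// as described in the change summary. Window sizes are illustrative.
let baseline = 14d;   // history used to learn known user/IP pairs
let recent   = 1d;    // period being hunted
// User/IP pairs already seen during the baseline window
let known =
    ASimAuthenticationVMwareVCenter
    | where TimeGenerated between (ago(baseline + recent) .. ago(recent))
    | where EventType == "Logon" and isnotempty(SrcIpAddr)
    | summarize by ActorUsername, SrcIpAddr;
// Recent logons whose user/IP pair does not appear in the baseline
ASimAuthenticationVMwareVCenter
| where TimeGenerated > ago(recent)
| where EventType == "Logon" and isnotempty(SrcIpAddr)
| join kind=leftanti known on ActorUsername, SrcIpAddr
| summarize FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Logons    = count()
    by ActorUsername, SrcIpAddr
| order by FirstSeen asc
```

Accounts with no logons at all in the baseline window also appear in the result, so service accounts created during the recent window need to be triaged separately.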

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AVSVcSyslog.json
.script/tests/KqlvalidationsTests/CustomTables/vcenter_CL.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthentication/README.md
Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/ASimAuthenticationVMwareVCenter.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareVCenter/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareVCenter/vimAuthenticationVMwareVCenter.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareVCenter.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareVCenter.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareVCenter.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareVCenter.yaml