VMware ESXi: ASIM Authentication Parser for Host Access Monitoring

What Changed

Added ASIM Authentication parsers for VMware ESXi hosts, enabling normalized authentication monitoring from VMware hypervisor infrastructure. The parser processes syslog from ESXi DCUI (console) and Hostd (SSH/remote) authentication events.

Parser Impact

The new parser normalizes ESXi authentication events to ASIM Authentication schema v0.1.4:

Data Sources:

Syslog table (general ESXi syslog ingestion)
AVSSyslog/AVSEsxiSyslog tables (Azure VMware Solution specific)

Event Types Supported:

DCUI console logon/logoff events (interactive access)
Hostd SSH authentication (remote access with source IP tracking)
Authentication failures with policy violation details

Key Field Mappings:

Event result determination (Success/Failure from “Accepted/Rejected password”)
Session tracking via TargetSessionId and operation IDs
Source IP extraction for SSH attempts
Username parsing from multiple ESXi log formats
Session timeout detection for DCUI events

No change to existing parser logic — this adds ESXi coverage to the ASIM authentication framework for hypervisor access visibility.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AVSEsxiSyslog.json
.script/tests/KqlvalidationsTests/CustomTables/AVSSyslog.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareESXi/ASimAuthenticationVMwareESXi.json
Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareESXi/README.md
Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareESXi/README.md
Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareESXi/vimAuthenticationVMwareESXi.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareESXi.md
Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationVMwareESXi.md
Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Parsers/ASimAuthentication/Parsers/ASimAuthenticationVMwareESXi.yaml
Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationVMwareESXi.yaml
Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_ASimAuthenticationVMwareESXi_DataTest.csv
Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_ASimAuthenticationVMwareESXi_SchemaTest.csv
Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_vimAuthenticationVMwareESXi_DataTest.csv
Parsers/ASimAuthentication/test/VMware ESXi/VMware_ESXi_vimAuthenticationVMwareESXi_SchemaTest.csv
Sample Data/ASIM/VMware_ESXi_Authentication_IngestedLogs.csv

What Changed#

Parser Impact#

Affected Files#

What Changed

Parser Impact

Affected Files