Security and event alerting tools like SIEM may alert that a user has performed an account modification action on the VCSA system during upgrade or patching operations

Article ID: 427425

Products

VMware SDDC Manager

Issue/Introduction

  • During upgrade or patching operations, third-party monitoring tools may alert that permissions and/or group memberships have been altered:

e.g. 

Event Description  senseValue=5,senseDesc='User has performed an account modification action.',usecase_id='XXXXXXX-XXXX-XXXX-XXXXXXXXX'
UBA : Account or Group or Privileges Added  senseValue=5,senseDesc='User has performed an account modification action.',usecase_id='XXXXXXX-XXXX-XXXX-XXXXXXXXX'
Mitre Tactic (custom)  credential access
Mitre Technique (custom)  modify authentication process

Environment

vCenter 9.x

vCenter 8.x

Cause

During an upgrade, permissions often need to be reconfigured or service accounts need to be added to specific local Linux groups on the VCSA to ensure the new version of the software has the necessary execution rights.

Resolution

These alerts are entirely expected during patching or upgrade operations.
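
One way to reconcile these alerts with what the upgrade actually changed is to snapshot /etc/group on the VCSA before and after the operation and diff the memberships. This is an added example, not part of the original article or any VMware tooling; the snapshot contents are constructed and the group and account names are hypothetical.

```python
# Added example: diff two /etc/group snapshots taken before and after an upgrade.
# Snapshot contents are constructed; group and account names are hypothetical.

BEFORE = """\
root:x:0:
users:x:100:
svcgroup:x:59001:svc-a
"""

AFTER = """\
root:x:0:
users:x:100:svc-b
svcgroup:x:59001:svc-a,svc-b
newgroup:x:59002:svc-c
"""


def parse_group(text):
    """Parse /etc/group content (name:passwd:gid:members) into {group: set(members)}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            continue  # skip malformed entries rather than guessing at them
        name, _passwd, _gid, members = fields
        groups[name] = {m for m in members.split(",") if m}
    return groups


def diff_membership(before_text, after_text):
    """Return (change, group, account) tuples, ordered by group name."""
    before, after = parse_group(before_text), parse_group(after_text)
    changes = []
    for group in sorted(set(before) | set(after)):
        if group not in before:
            changes.append(("group_added", group, ""))
        if group not in after:
            changes.append(("group_removed", group, ""))
        old, new = before.get(group, set()), after.get(group, set())
        changes += [("member_added", group, m) for m in sorted(new - old)]
        changes += [("member_removed", group, m) for m in sorted(old - new)]
    return changes


if __name__ == "__main__":
    for change, group, account in diff_membership(BEFORE, AFTER):
        print(f"{change:15} {group:12} {account}")
```

Each account modification alert raised during the upgrade window should map to a row in this diff. Membership granted through a primary GID is recorded in /etc/passwd and is not covered here.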