VPN
VPN data source: vpn
The VPN schema represents events collected from Identity and Access Management (IAM) solutions or from other VPN devices such as Pulse Secure that identify VPN events.
Examples of VPN events include:
- A Network Policy Server granted full access to a user
- A user failed to authenticate with a Network Policy Server
Examples of IAM products include:
- Active Directory
The Intelligence Authentication data type best supports Windows Security Log (or Active Directory) event data. It also supports login success and failure event data from the supported VPN devices.
The Microsoft Windows Security Log contains records of login/logout activity, as well as other security-related events specified in the system's Audit Policy. A System Administrator must enable the Windows Audit feature to allow events to be recorded in the Security Log.
Supported SmartConnectors
The following SmartConnectors are used for the collection and ingestion of VPN data:
- SmartConnector for Microsoft Network Policy Server File
- SmartConnector for Pulse Secure Pulse Connect Secure Syslog
- SmartConnector for Citrix NetScaler Syslog
- SmartConnector for Nortel Contivity Switch Syslog
VPN Schema
The following table describes the default_secops_adm.Events table columns for VPN data.
| Column Name | Type | Required (Y/N) | Description | Example |
|---|---|---|---|---|
| deviceReceiptTime | Integer | Y | The time at which the event related to the activity was received. | 1592839336200 (equivalent GMT: 2020-06-22 15:22:00) |
| sourceUserName | Varchar | Y | The user involved in authentication for the Citrix NetScaler device. Primary entity for the vpn data source. | john.legget |
| destinationUserName | Varchar | Y | The user involved in authentication. Primary entity for the vpn data source. | john.legget |
| sourceAddressBin | Binary | N. Exception: required for IP-based VPN models. | The IP address of the VPN user. Secondary entity. | 172.1.193.87 |
| sourceGeoCountryCode | Varchar | N. Exception: required for country-based VPN models. | The country the user is authenticating from. Secondary entity. | Canada |
| sourceGeoLatitude | Float | N | The latitude where the VPN connection is initiated. | 45.1234 |
| sourceGeoLongitude | Float | N | The longitude where the VPN connection is initiated. | -74.4321 |
| externalId | Varchar | Y | Unique code assigned to Network Policy Server events. Typically a Windows event code or -1. Analytics can be configured to accept other values. | 6272 |
| deviceEventClassId | Varchar | Y | Unique code assigned to a Pulse Secure or Citrix NetScaler event. | AUT24326 |
| deviceAction | Varchar | Y | Unique code assigned to a Nortel event. | OK |
| categoryOutcome | Varchar | Y | The outcome of the event: one of success or failure. For Citrix NetScaler, the outcome is attempt. | success |
| categoryBehavior | Varchar | Y | The action or behavior associated with the event. | /Authentication/Verify |
| categoryDeviceGroup | Varchar | Y | The type of events for the device. It is used for Pulse Secure, Citrix NetScaler, and Nortel events. | /VPN |
| categoryDeviceType | Varchar | Y | The events generated by a device type irrespective of the device group the events belong to. It is used for Citrix NetScaler and Nortel events. | VPN (Nortel); Network-based IDS/IPC (Citrix NetScaler) |
| deviceCustomString4 | Varchar | N | The string that further explains why the user failed to authenticate. Usually a hexadecimal code, but can be any string. It is used for NPS events with externalId 6273. | 18 |
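The following is an added example of how a pipeline could check VPN event records against the schema in the table above before they reach analytics; it is not code from the product or its documentation. The column names, the Required flags, the IP-based and country-based exceptions, the categoryOutcome values and the externalId 6273 / deviceCustomString4 relationship come from the table. Everything else is an assumption made for the example: the function names, the `model_types` and `netscaler` arguments, treating either sourceUserName or destinationUserName as satisfying the primary-entity requirement, and the sample events, which are constructed from the table's example values.

```python
"""Validate VPN events against the Intelligence VPN schema (added example)."""
from datetime import datetime, timezone

# Columns marked Required = Y in the schema table. sourceUserName and
# destinationUserName are handled separately (assumption: either one is
# enough, since the table describes each as the primary entity).
ALWAYS_REQUIRED = (
    "deviceReceiptTime", "externalId", "deviceEventClassId", "deviceAction",
    "categoryOutcome", "categoryBehavior", "categoryDeviceGroup",
    "categoryDeviceType",
)

# Columns that are optional unless a particular model type is enabled.
# Keys are the model-type names used by this example (assumption).
CONDITIONAL_REQUIRED = {
    "ip": "sourceAddressBin",          # IP-based VPN models
    "country": "sourceGeoCountryCode", # country-based VPN models
}


def validate_vpn_event(event, model_types=(), netscaler=False):
    """Return a list of schema problems for `event`; an empty list means valid.

    model_types: iterable of enabled model types ("ip", "country").
    netscaler:   True when the event comes from Citrix NetScaler, whose
                 categoryOutcome is "attempt" rather than success/failure.
    """
    problems = []
    for col in ALWAYS_REQUIRED:
        if event.get(col) in (None, ""):
            problems.append(f"missing required column {col}")
    if not (event.get("sourceUserName") or event.get("destinationUserName")):
        problems.append("missing primary entity: sourceUserName or destinationUserName")
    for model, col in CONDITIONAL_REQUIRED.items():
        if model in model_types and event.get(col) in (None, ""):
            problems.append(f"{col} is required for {model}-based VPN models")
    allowed = {"success", "failure"} | ({"attempt"} if netscaler else set())
    outcome = event.get("categoryOutcome")
    if outcome is not None and outcome not in allowed:
        problems.append(f"categoryOutcome {outcome!r} not in {sorted(allowed)}")
    t = event.get("deviceReceiptTime")
    if t is not None and not isinstance(t, int):
        problems.append("deviceReceiptTime must be an Integer (epoch milliseconds)")
    for col in ("sourceGeoLatitude", "sourceGeoLongitude"):
        v = event.get(col)
        if v is not None and not isinstance(v, (int, float)):
            problems.append(f"{col} must be a Float")
    return problems


def receipt_time_gmt(event):
    """Render deviceReceiptTime (epoch milliseconds) as a GMT timestamp string."""
    ms = event["deviceReceiptTime"]
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def nps_failure_reason(event):
    """For NPS failed-authentication events (externalId 6273), return the
    deviceCustomString4 reason code; None for any other event."""
    if str(event.get("externalId")) == "6273":
        return event.get("deviceCustomString4")
    return None


# Constructed sample: an NPS "granted full access" event (externalId 6272).
# deviceReceiptTime is 2020-06-22 09:00:00 GMT; deviceEventClassId and
# deviceAction values are placeholders, not real NPS output.
SAMPLE_NPS_GRANT = {
    "deviceReceiptTime": 1592816400000,
    "destinationUserName": "john.legget",
    "sourceAddressBin": "172.1.193.87",
    "sourceGeoCountryCode": "Canada",
    "sourceGeoLatitude": 45.1234,
    "sourceGeoLongitude": -74.4321,
    "externalId": "6272",
    "deviceEventClassId": "EXAMPLE-ID",
    "deviceAction": "EXAMPLE-ACTION",
    "categoryOutcome": "success",
    "categoryBehavior": "/Authentication/Verify",
    "categoryDeviceGroup": "/VPN",
    "categoryDeviceType": "VPN",
}

# Constructed sample: the matching NPS failed-authentication event.
SAMPLE_NPS_FAILURE = dict(
    SAMPLE_NPS_GRANT, externalId="6273", categoryOutcome="failure",
    deviceCustomString4="18",
)

# Constructed sample: a record missing the IP column and carrying a
# NetScaler-style "attempt" outcome while not flagged as NetScaler.
SAMPLE_INCOMPLETE = {k: v for k, v in SAMPLE_NPS_GRANT.items() if k != "sourceAddressBin"}
SAMPLE_INCOMPLETE["categoryOutcome"] = "attempt"

if __name__ == "__main__":
    for name, ev in (("grant", SAMPLE_NPS_GRANT), ("failure", SAMPLE_NPS_FAILURE),
                     ("incomplete", SAMPLE_INCOMPLETE)):
        print(name, receipt_time_gmt(ev), validate_vpn_event(ev, model_types=("ip", "country")))
```

Running the block prints each sample's GMT receipt time and its list of problems; the incomplete record is rejected both for the missing sourceAddressBin (required once an IP-based model is enabled) and for an "attempt" outcome that is only valid for Citrix NetScaler events.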