Channel: Questions in topic: "splunk-enterprise"
How to edit my subsearch syntax to combine the results of my two searches?

Thanks in advance for any assistance. I am trying to create an alert that creates a table that shows sourceIP, country, LogMessageID, VPNuser and VPNgroup for attempted VPN connections. I get the sourceIP for successful session creations to the IP address of the VPN devices:

    host= session_state!="denied" destIP= | iplocation sourceIP | table sourceIP country

That search works - I get a table showing all the sourceIPs and corresponding Countries.

I have extracted some fields from the internal firewall logs: LogMessageID, VPNsourceIP, VPNuserID and VPNgroupID. Then I want to search the internal firewall logs to see if the session was successful (LogMessageID = 113039) or unsuccessful (LogMessageID = 302014). If I create a search:

    host= (LogMessageID = 113039 OR LogMessageID=302014) | table LogMessageID VPNsourceIP VPNuserID VPNgroupID

Again, I successfully produce a table with the LogMessageID, VPNsourceIP, VPNuserID, and VPNgroupID.

Now I want to combine the two searches in an alert that triggers each time a VPN session is attempted:

    host= session_state!="denied" destIP= | iplocation sourceIP | (haven't found the correct command) [ host= VPNsourceIP=sourceIP (LogMessageID = 113039 OR LogMessageID=302014) | return LogMessID=LogMessageID VPNuser=VPNuserID VPNgroup=VPNgroupID ] | table sourceIP Country LogMessID VPNuser VPNgroup

Currently I get a table with the sourceIP and country, but the other 3 columns are blank. Thanks for your assistance.
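As an added example (this is not part of the original post and is not an answer that appears on the page), here are the two searches combined with `join` on the client IP, which is the usual way to attach fields from a second data source to each row of the outer search. Two things explain the blank columns in the posted attempt: `return` turns the subsearch's results into a search filter string, not into fields on the outer events, and `VPNsourceIP=sourceIP` inside the subsearch matches the literal string "sourceIP", because a subsearch runs on its own before the outer search and cannot see the outer event's field values. The `<vpn_device>`, `<vpn_ip>` and `<internal_firewall>` placeholders stand for the host and destIP values omitted from the post; the field names are the ones the post uses, and the `outcome` field is an added convenience, not something the post asked for.

```spl
host=<vpn_device> session_state!="denied" destIP=<vpn_ip>
| iplocation sourceIP
| join type=left sourceIP
    [ search host=<internal_firewall> (LogMessageID=113039 OR LogMessageID=302014)
      | rename VPNsourceIP AS sourceIP,
               LogMessageID AS LogMessID,
               VPNuserID AS VPNuser,
               VPNgroupID AS VPNgroup
      | table sourceIP LogMessID VPNuser VPNgroup ]
| eval outcome=case(LogMessID==113039, "success", LogMessID==302014, "failed", true(), "no firewall record")
| table sourceIP Country LogMessID outcome VPNuser VPNgroup
```

Three caveats when turning this into an alert. `iplocation` writes the field as `Country` (capital C) and Splunk field names are case-sensitive, so check the column name against what the lookup actually produced. `join` keeps only the first matching subsearch row per `sourceIP` unless you raise `max`, so a client that both failed and then succeeded inside the alert window shows up once; keep the alert window short, or join on a session identifier if the firewall log carries one. Finally, the subsearch is subject to the default subsearch result-count and runtime limits, and a busy firewall search over a long window is truncated silently, which would again show up as blank columns; for large volumes it is safer to drop the subsearch and run one search over both hosts, `eval` a common IP field with `coalesce(sourceIP, VPNsourceIP)`, and use `stats ... by` that field.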
