Virtual Private Network (VPN) data is a type of network session data that typically comes from a multi-purpose security appliance. Often, a VPN server is hosted on a corporate firewall, proxy, or similar device. A VPN provides a secure method by which remote network users can authenticate, connect to, and access internal network resources, encrypting traffic between those remote users and the internal resources.
Data visibility
There are two primary types of VPN logs.
Connection Logs
These are the basic logs generated by the majority of VPN devices and services. Information included in these logs reflects activity such as login/logout, dates, times, remote IP addresses, and user login names.
Usage Logs
Also referred to as “activity” data, these logs can include online browsing history and activity that reflects a user's navigation and access of network resources during the session.
Key information
In the Common Information Model, VPN data is typically mapped to the Authentication Data model. This data type has many available fields, but users typically derive the most value out of the fields listed here.
app
The application involved in the event.
duration
The amount of time, in seconds, for the completion of the authentication event.
response_time
The amount of time, in seconds, it took to receive a response in the authentication event.
src
The source involved in the authentication. In the case of endpoint protection authentication, the source is the client. This field is especially of high value when it is used with the iplocation command in a search.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.
|
Data Source |
Sourcetype |
Recommend Add-Ons |
|
Check Point |
sourcetype="opsec:vpn" |
|
|
Palo Alto |
sourcetype="pan:log" |
Related Use Cases
Coming soon!
Comments
0 comments
Please sign in to leave a comment.