Level 7

SIEM Use Case - VPN and server logons


We have a requirement to track users that log on via VPN and then go on to log on to servers in our environment. We can see the separate events but have not had success in getting a correlation rule with both of these to trigger, or an alarm at the very least.

Any ideas how this can be achieved?

0 Kudos
1 Reply
Level 8

Re: SIEM Use Case - VPN and server logons


I thought that the answer to this question was known by McAfee SIEM customers. However, someone still needs help with this correlation, because I received a call about this post. The answer is that the ESM provides built-in correlation rules for this type of need, and you can also create a custom correlation rule as below.

Best Regards

Seckin Demir

(Attached screenshot: ESM Correlation.JPG)

Additionally, you can define the VPN network IP address/subnet in the second condition so that the rule knows the logon activity comes from the VPN clients.

0 Kudos
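The two-condition rule the reply describes (a VPN logon for a user, followed by a server logon for the same user whose source address is in the VPN client subnet), as an added example in plain Python rather than McAfee ESM rule syntax; it is not the poster's configuration or any ESM code. The event fields, the 30-minute window, the 10.8.0.0/24 VPN pool and the sample events are all assumptions constructed for the example.

```python
# Added example (not from the original post or McAfee ESM): the correlation
# logic the reply describes, written as plain Python so it can run offline.
# A "VPN logon" event followed within a time window by a "server logon" for the
# same user, where the server logon's source address lies in the VPN client
# subnet, produces one alert. Event fields and the subnet are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

@dataclass
class Event:
    time: datetime
    user: str
    src_ip: str
    kind: str       # "vpn_logon" or "server_logon"
    host: str = ""  # target server for server_logon events

# Constructed sample events (assumed format, not real log data).
SAMPLE_EVENTS = [
    Event(datetime(2024, 1, 1, 8, 0, 0), "alice", "203.0.113.5", "vpn_logon"),
    Event(datetime(2024, 1, 1, 8, 5, 0), "alice", "10.8.0.12", "server_logon", "srv-db01"),
    Event(datetime(2024, 1, 1, 8, 6, 0), "bob", "10.8.0.20", "server_logon", "srv-web01"),    # no VPN logon first
    Event(datetime(2024, 1, 1, 9, 0, 0), "carol", "198.51.100.7", "vpn_logon"),
    Event(datetime(2024, 1, 1, 9, 2, 0), "carol", "192.168.1.50", "server_logon", "srv-fs01"),  # not from VPN subnet
    Event(datetime(2024, 1, 1, 12, 0, 0), "alice", "10.8.0.12", "server_logon", "srv-db02"),   # outside the window
]

VPN_CLIENT_SUBNET = ip_network("10.8.0.0/24")  # assumed VPN address pool

def correlate(events, window=timedelta(minutes=30), vpn_subnet=VPN_CLIENT_SUBNET):
    """Return (user, vpn_event, server_event) tuples that satisfy both conditions."""
    alerts = []
    last_vpn = {}  # user -> most recent VPN logon seen so far
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "vpn_logon":
            last_vpn[ev.user] = ev
        elif ev.kind == "server_logon":
            vpn = last_vpn.get(ev.user)
            if vpn is None or ev.time - vpn.time > window:
                continue  # condition 1 not met: no recent VPN logon for this user
            if ip_address(ev.src_ip) not in vpn_subnet:
                continue  # condition 2 not met: server logon not from a VPN client address
            alerts.append((ev.user, vpn, ev))
    return alerts

if __name__ == "__main__":
    for user, vpn, srv in correlate(SAMPLE_EVENTS):
        print(f"{user}: VPN logon {vpn.time:%H:%M} -> {srv.host} at {srv.time:%H:%M} from {srv.src_ip}")
```

Only alice's first server logon matches; bob has no preceding VPN logon, carol's server logon does not come from the VPN pool, and alice's later logon falls outside the window.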