We have a requirement to track users that logon via vpn and then go on to logon to servers on our environment, we can see the separate events but have not had success in getting a correlation rule with both of these to trigger or an alarm at the very least.
Any ideas how this can be achieved this?
I thought that the answer of this question was known by McAfee SIEM customers. However, someone still needs to help for this correlation because of received a call for this post. The answer is that the ESM provides built-in correlation rules for these type of needs and also, you can create a custom correlation rule as below.
Additionally, you can define the VPN Network IP address/Subnet on the second condition to understand logon activity comes from the VPN clients