1 reply. Latest reply on Mar 17, 2017 5:18 AM by seckin demir

    SIEM Use Case - VPN and server logons




      We have a requirement to track users who log on via VPN and then go on to log on to servers in our environment. We can see the separate events, but we have not had success in getting a correlation rule with both of these to trigger, or an alarm at the very least.


      Any ideas how this can be achieved?

        • 1. Re: SIEM Use Case - VPN and server logons
          seckin demir



          I thought that the answer to this question was known by McAfee SIEM customers. However, someone still needs help with this correlation, because I received a call about this post. The answer is that the ESM provides built-in correlation rules for these types of needs, and you can also create a custom correlation rule as below.


          Best Regards


          Seckin Demir

          [Screenshot attachment: ESM Correlation.JPG]


          Additionally, you can define the VPN network IP address/subnet in the second condition to identify logon activity that comes from the VPN clients.
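To make the two-condition rule described in the reply concrete outside any particular SIEM, here is an added example (not McAfee ESM code, and not from the original post) that correlates a VPN logon with a later server logon by the same user within a time window, and applies the second condition from the reply: the server logon's source address must fall in the VPN client pool. The pool `10.200.0.0/16`, the eight-hour window, the event field names and all log lines are constructed for the example.

```python
"""Two-stage correlation: VPN logon followed by a server logon by the same user.

Added example, not ESM rule syntax. Event format, pool and window are assumptions.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumptions (hypothetical, not taken from the forum post):
VPN_CLIENT_POOL = ipaddress.ip_network("10.200.0.0/16")  # addresses handed to VPN clients
WINDOW = timedelta(hours=8)  # maximum gap between the VPN logon and the server logon

# Constructed sample events. "vpn_logon": ip is the client address the gateway assigned.
# "server_logon": ip is the source address seen by the target host.
SAMPLE_EVENTS = [
    {"time": "2017-03-17 08:00:05", "kind": "vpn_logon",    "user": "alice", "ip": "10.200.1.15",  "host": "vpn-gw-01"},
    {"time": "2017-03-17 08:03:41", "kind": "server_logon", "user": "alice", "ip": "10.200.1.15",  "host": "fs-01"},  # both conditions met
    {"time": "2017-03-17 08:10:00", "kind": "server_logon", "user": "bob",   "ip": "192.168.5.20", "host": "fs-01"},  # LAN logon, no VPN: ignored
    {"time": "2017-03-17 09:30:12", "kind": "vpn_logon",    "user": "carol", "ip": "10.200.1.77",  "host": "vpn-gw-01"},
    {"time": "2017-03-17 10:02:30", "kind": "server_logon", "user": "dave",  "ip": "10.200.1.90",  "host": "db-02"},  # from pool, no VPN logon seen
    {"time": "2017-03-17 18:45:00", "kind": "server_logon", "user": "carol", "ip": "10.200.1.77",  "host": "db-02"},  # from pool, 9h15m after VPN logon
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def correlate(events, vpn_pool=VPN_CLIENT_POOL, window=WINDOW):
    """Return (alerts, unmatched).

    alerts:    server logons from the VPN pool preceded, within `window`, by a VPN
               logon for the same user (condition 1 then condition 2, joined on user).
    unmatched: server logons from the VPN pool with no qualifying VPN logon for that
               user. These are what a strict two-condition rule silently drops.
    """
    last_vpn = {}  # user -> (time, assigned client ip) of the most recent VPN logon
    alerts, unmatched = [], []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        t = parse_time(ev["time"])
        if ev["kind"] == "vpn_logon":
            last_vpn[ev["user"]] = (t, ev["ip"])
            continue
        if ev["kind"] != "server_logon":
            continue
        # Second condition: only server logons whose source is a VPN client address.
        if ipaddress.ip_address(ev["ip"]) not in vpn_pool:
            continue
        vpn = last_vpn.get(ev["user"])
        if vpn is not None and vpn[0] <= t <= vpn[0] + window:
            alerts.append({
                "user": ev["user"],
                "vpn_time": vpn[0],
                "server_time": t,
                "host": ev["host"],
                # Same address the gateway assigned at VPN logon: a cheap consistency check.
                "ip_matches_vpn_lease": vpn[1] == ev["ip"],
            })
        else:
            unmatched.append(ev)
    return alerts, unmatched


if __name__ == "__main__":
    alerts, unmatched = correlate(SAMPLE_EVENTS)
    for a in alerts:
        print(f"ALERT {a['user']}: VPN {a['vpn_time']} -> {a['host']} {a['server_time']} "
              f"(lease match: {a['ip_matches_vpn_lease']})")
    for ev in unmatched:
        print(f"UNMATCHED {ev['user']} from {ev['ip']} -> {ev['host']} at {ev['time']}")
```

On the sample data only alice produces an alert. The unmatched list is the part worth looking at when tuning the rule: carol's server logon arrives outside the window, so either the window is too short for a normal working day or a VPN logoff event should close the session instead of a fixed timer; dave's logon comes from the VPN pool with no VPN logon for that account at all, which a rule built purely as "condition 1 then condition 2" would never surface.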