Hi All!
How to correlate events from PaloAlto VPN logs and Windows authentication per user, comparing src_ip and machine_name?
- Identify user and internal IP that the workstation received.
- Correlate through the internal IP which user is authenticated on the respective workstation.
If different, trigger alert and send email.
Eg vpn access log
Feb 17 13:58:01 server.pa01 1,2021/02/17 13:58:00,011901013191,GLOBALPROTECT,0,2305,2021/02/17 13:58:00,vsys1,gateway-connected,connected,,IPSec,domain\user.a1,BR,NOTE01,192.168.93.210,0.0.0.0,10.10.1.10,0.0.0.0,es11-3120-f2g9-g4e7,NOTE01,5.1.5,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,SSLVPN,3533509,0x0
Eg Windows authentication log:
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{24345625-6264-3934-2E362B28D20C}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-17T16:21:26.693248600Z'/><EventRecordID>1195483947</EventRecordID><Correlation/><Execution ProcessID='736' ThreadID='13684'/><Channel>Security</Channel><Computer>DC01.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>domain\user.a1</Data><Data Name='TargetUserName'>user.a1</Data><Data Name='TargetDomainName'>domain</Data><Data Name='TargetLogonId'>0x395adc303</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>NOTE01</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>10.10.1.10</Data><Data Name='IpPort'>49191</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>
Thanks in advanced!
