How to correlate events from PaloAlto VPN logs and Windows authentication per user, comparing src_ip and machine_name?
- Identify the user and the internal IP that the workstation received.
- Correlate, through the internal IP, which user is authenticated on the respective workstation.
If they differ, trigger an alert and send an email.
E.g. VPN access log:
Feb 17 13:58:01 server.pa01 1,2021/02/17 13:58:00,011901013191,GLOBALPROTECT,0,2305,2021/02/17 13:58:00,vsys1,gateway-connected,connected,,IPSec,domain\user.a1,BR,NOTE01,192.168.93.210,0.0.0.0,10.10.1.10,0.0.0.0,es11-3120-f2g9-g4e7,NOTE01,5.1.5,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,SSLVPN,3533509,0x0
Yes, it would have the user name, the workstation name and the internal IP.
For example, there is a workstation that is connected to the VPN with one user, but the authenticated user in Windows is different. This could characterize VPN access sharing, that is, a user may be connecting on behalf of another user.
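As an added example (not code from the question, nor Palo Alto's or Microsoft's own tooling), the following Python script implements the three steps above on the sample line: it parses the syslog-wrapped GlobalProtect record, pulls out the source user, machine name and private (VPN-assigned) IP, joins that against Windows 4624 logon events whose source IP equals the private IP inside a time window, and turns every user or workstation mismatch into an alert rendered as an email. Assumptions: the CSV field order is the standard PAN-OS GlobalProtect log order (Source User at position 13, Machine Name at 15, Private IP at 18, 1-based), the Windows events are constructed records in the shape of Security event 4624/4625 fields (`TargetUserName`, `WorkstationName`, `IpAddress`) as a domain controller or SIEM would expose them, and the 30-minute window is an arbitrary default.

```python
import csv
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Dict, List, Optional

# Constructed sample input: the GlobalProtect gateway-connected line from the question.
GP_LINE = ('Feb 17 13:58:01 server.pa01 1,2021/02/17 13:58:00,011901013191,GLOBALPROTECT,0,2305,'
           '2021/02/17 13:58:00,vsys1,gateway-connected,connected,,IPSec,domain\\user.a1,BR,NOTE01,'
           '192.168.93.210,0.0.0.0,10.10.1.10,0.0.0.0,es11-3120-f2g9-g4e7,NOTE01,5.1.5,Windows,'
           '"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,SSLVPN,3533509,0x0')

# Constructed sample Windows logon events (field names follow the Security event XML; values
# are made up). 4624 = successful logon, 4625 = failed logon.
WIN_EVENTS = [
    {"time": "2021-02-17 13:58:40", "EventID": 4624, "TargetUserName": "user.a1",
     "TargetDomainName": "DOMAIN", "WorkstationName": "NOTE01", "IpAddress": "10.10.1.10"},
    {"time": "2021-02-17 14:05:12", "EventID": 4624, "TargetUserName": "user.b2",
     "TargetDomainName": "DOMAIN", "WorkstationName": "NOTE01", "IpAddress": "10.10.1.10"},
    {"time": "2021-02-17 14:06:00", "EventID": 4625, "TargetUserName": "user.z9",
     "TargetDomainName": "DOMAIN", "WorkstationName": "NOTE01", "IpAddress": "10.10.1.10"},
    {"time": "2021-02-17 15:30:00", "EventID": 4624, "TargetUserName": "user.d4",
     "TargetDomainName": "DOMAIN", "WorkstationName": "NOTE01", "IpAddress": "10.10.1.10"},
]

# 0-based positions in the CSV payload, assuming the standard PAN-OS GlobalProtect field order.
F_TIME, F_TYPE, F_EVENT, F_STAGE, F_USER, F_MACHINE, F_PUBLIC_IP, F_PRIVATE_IP = 1, 3, 8, 9, 12, 14, 15, 17


def normalize_user(name: str) -> str:
    """Make 'DOMAIN\\user.a1', 'user.a1@domain' and 'User.A1' compare equal."""
    name = name.rsplit("\\", 1)[-1]
    name = name.split("@", 1)[0]
    return name.lower()


def parse_gp_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one syslog-wrapped GlobalProtect record; None unless it is a gateway connect."""
    # Syslog header = four whitespace tokens (month, day, time, host); the CSV payload follows
    # and needs a real CSV reader because quoted fields ("... Pro , 64-bit") contain commas.
    parts = line.split(None, 4)
    if len(parts) < 5:
        return None
    fields = next(csv.reader([parts[4]]))
    if len(fields) <= F_PRIVATE_IP or fields[F_TYPE] != "GLOBALPROTECT":
        return None
    if fields[F_EVENT] != "gateway-connected" or fields[F_STAGE] != "connected":
        return None
    return {"time": datetime.strptime(fields[F_TIME], "%Y/%m/%d %H:%M:%S"),
            "user": normalize_user(fields[F_USER]), "machine": fields[F_MACHINE].upper(),
            "public_ip": fields[F_PUBLIC_IP], "private_ip": fields[F_PRIVATE_IP]}


def correlate(sessions: List[Dict[str, object]], events: List[Dict[str, object]],
              window_minutes: int = 30) -> List[Dict[str, str]]:
    """Join VPN sessions to successful Windows logons by the VPN-assigned internal IP.

    A 4624 whose IpAddress equals the session's private IP within the window is compared with
    the VPN record; a different user or workstation name means the tunnel is in use by
    someone other than the VPN account holder, which is the sharing case from the question.
    """
    alerts = []
    for s in sessions:
        start, end = s["time"], s["time"] + timedelta(minutes=window_minutes)
        for ev in events:
            if ev["EventID"] != 4624 or ev["IpAddress"] != s["private_ip"]:
                continue
            t = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
            if not start <= t <= end:
                continue
            win_user = normalize_user(f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}')
            reasons = []
            if win_user != s["user"]:
                reasons.append("user-mismatch")
            if ev["WorkstationName"].upper() != s["machine"]:
                reasons.append("machine-mismatch")
            if reasons:
                alerts.append({"reason": ",".join(reasons), "internal_ip": s["private_ip"],
                               "vpn_user": s["user"], "windows_user": win_user,
                               "vpn_machine": s["machine"], "logon_time": ev["time"],
                               "windows_machine": ev["WorkstationName"]})
    return alerts


def build_alert_email(alerts: List[Dict[str, str]], sender: str, recipient: str) -> EmailMessage:
    """Render alerts as a plain-text email; handing it to smtplib is left to the caller's relay."""
    msg = EmailMessage()
    msg["Subject"] = f"[VPN] {len(alerts)} possible shared VPN session(s)"
    msg["From"], msg["To"] = sender, recipient
    body = [f'{a["logon_time"]} ip={a["internal_ip"]} vpn_user={a["vpn_user"]} '
            f'windows_user={a["windows_user"]} machine={a["vpn_machine"]}/{a["windows_machine"]} '
            f'reason={a["reason"]}' for a in alerts]
    msg.set_content("\n".join(body) or "no alerts")
    return msg


if __name__ == "__main__":
    session = parse_gp_line(GP_LINE)
    print(build_alert_email(correlate([session], WIN_EVENTS), "siem@example.invalid", "soc@example.invalid"))
```

Run as-is it reports one alert: the 14:05 logon of `user.b2` from 10.10.1.10, while the tunnel belongs to `user.a1`. Two design points carry over to a SIEM implementation of the same join: the window should really be closed by the matching GlobalProtect `gateway-logout` record rather than a fixed duration, because a private IP released by one session and reassigned to the next is the main source of false positives here; and the user names on both sides must be normalized (domain prefix, UPN suffix, case) before comparing, otherwise every `DOMAIN\user` versus `user@domain` pair looks like a mismatch.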