Splunk Search

How to correlate events from PaloAlto VPN logs and Windows authentication per user, comparing src_ip and machine_name?

Path Finder

Hi All!

How to correlate events from PaloAlto VPN logs and Windows authentication per user, comparing src_ip and machine_name?

- Identify user and internal IP that the workstation received.
- Correlate through the internal IP which user is authenticated on the respective workstation.

If different, trigger alert and send email.


E.g. VPN access log:

Feb 17 13:58:01 server.pa01 1,2021/02/17 13:58:00,011901013191,GLOBALPROTECT,0,2305,2021/02/17 13:58:00,vsys1,gateway-connected,connected,,IPSec,domain\user.a1,BR,NOTE01,,,,,es11-3120-f2g9-g4e7,NOTE01,5.1.5,Windows,"Microsoft Windows 10 Pro , 64-bit",1,,,"",success,,0,,0,SSLVPN,3533509,0x0


E.g. Windows authentication log:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{24345625-6264-3934-2E362B28D20C}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2021-02-17T16:21:26.693248600Z'/><EventRecordID>1195483947</EventRecordID><Correlation/><Execution ProcessID='736' ThreadID='13684'/><Channel>Security</Channel><Computer>DC01.net</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>domain\user.a1</Data><Data Name='TargetUserName'>user.a1</Data><Data Name='TargetDomainName'>domain</Data><Data Name='TargetLogonId'>0x395adc303</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>NtLmSsp </Data><Data Name='AuthenticationPackageName'>NTLM</Data><Data Name='WorkstationName'>NOTE01</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>NTLM V2</Data><Data Name='KeyLength'>128</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'></Data><Data Name='IpPort'>49191</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>


Thanks in advance!


Path Finder

Hi @Kwip 

Yes, it would have the user name, the workstation name and the internal IP.

For example, there is a workstation that is connected in VPN with a user, but the authenticated user in Windows is different. This could characterize a VPN access share, that is, a user may be connecting on behalf of another user.





Hi @jfeitosa_real , 

Are all the mentioned values extracted into fields on both types of logs?

Which value will be the same in both and which one may vary? We need at least one common value from both logs to correlate and compare.

Say, for example, the user ID is the same in both: we can correlate both logs, compare the IP address and fire an alert if the IP differs from one to the other.

If we need to compare both User ID and IP Address, are there any other common values available from both logs? Like a Session ID, Trans ID or something like that?

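The join described in the question and in the reply above (correlate per workstation, then compare the user), as an added Python example that is not from the original thread; a Splunk search would do the same join on the extracted fields. It parses the GlobalProtect line and the 4624 XML posted above, indexes VPN sessions by machine name and by private IP, and reports logons whose Windows user is not the VPN user on that workstation. The private-IP field position (17) and the sample address 10.20.30.40 are assumptions, since that field is empty in the posted line.

```python
import csv
import xml.etree.ElementTree as ET

# Field positions (0-based after CSV split) follow the GlobalProtect log layout in the
# question: Source User, Machine Name; the Private IP slot (empty there) is assumed to be 17.
GP_USER, GP_MACHINE, GP_PRIVATE_IP = 12, 14, 17
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def norm_user(domain, user):  # 'domain\\user' or ('domain', 'user') -> lowercase 'domain\\user'
    if "\\" in user:
        domain, user = user.split("\\", 1)
    return f"{domain}\\{user}".lower()
def parse_gp(line):  # user, machine name and private IP from one GlobalProtect syslog line
    f = next(csv.reader([line]))
    return {"user": norm_user("", f[GP_USER]), "machine": f[GP_MACHINE].upper(),
            "private_ip": f[GP_PRIVATE_IP]}
def parse_4624(xml_text):  # target user, workstation and source IP from a 4624 event
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    d = {x.get("Name"): (x.text or "") for x in root.iterfind("e:EventData/e:Data", NS)}
    return {"user": norm_user(d["TargetDomainName"], d["TargetUserName"]),
            "workstation": d["WorkstationName"].upper(), "ip": d["IpAddress"]}
def find_mismatches(gp_lines, win_events):
    """Return (workstation, vpn_user, windows_user) where VPN and Windows users differ."""
    by_machine, by_ip = {}, {}
    for s in map(parse_gp, gp_lines):  # index VPN sessions by machine name and by private IP
        by_machine[s["machine"]] = s
        if s["private_ip"]:
            by_ip[s["private_ip"]] = s
    alerts = []
    for e in filter(None, map(parse_4624, win_events)):
        s = by_machine.get(e["workstation"]) or by_ip.get(e["ip"])  # join on name, else on IP
        if s and s["user"] != e["user"]:
            alerts.append((e["workstation"], s["user"], e["user"]))
    return alerts

# Constructed samples: the VPN line is the question's sample with a private IP filled in;
# the 4624 events are trimmed copies of the posted event keeping only the fields used here.
GP_SAMPLE = ("Feb 17 13:58:01 server.pa01 1,2021/02/17 13:58:00,011901013191,GLOBALPROTECT,0,2305,"
             "2021/02/17 13:58:00,vsys1,gateway-connected,connected,,IPSec,domain\\user.a1,BR,NOTE01,"
             ",,10.20.30.40,,es11-3120-f2g9-g4e7,NOTE01,5.1.5,Windows,\"Microsoft Windows 10 Pro , 64-bit\","
             "1,,,\"\",success,,0,,0,SSLVPN,3533509,0x0")
def win_event(user, workstation, ip):
    return (f"<Event xmlns='{NS['e']}'><System><EventID>4624</EventID></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data><Data Name='TargetDomainName'>domain</Data>"
            f"<Data Name='WorkstationName'>{workstation}</Data><Data Name='IpAddress'>{ip}</Data>"
            "</EventData></Event>")
WIN_SAMPLES = [win_event("user.a1", "NOTE01", ""), win_event("user.b2", "NOTE01", "10.20.30.40")]
```

Running `find_mismatches([GP_SAMPLE], WIN_SAMPLES)` yields one tuple for NOTE01, where the VPN session belongs to domain\user.a1 but the Windows logon is domain\user.b2.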

Path Finder

Hi @Kwip 


You saw my answer. Thanks in advance.
