Forum Discussion

Mudslideyo's avatar
Mudslideyo
Copper Contributor
May 08, 2023

VPN events in Security.microsoft.com

Hello,

 

I knew how to find the VPN related events in the old portal but I can't seem to find them in the new portal at https://security.microsoft.com.  Can someone provide me an example of what I am looking for?

 

Thanks!

  • josequintino's avatar
    josequintino
    Iron Contributor
    Hello Mudslideyo
    To find VPN-related events in the Microsoft Defender for Endpoint portal, you can follow these steps:

    Sign in to the Microsoft Defender for Endpoint portal at https://security.microsoft.com.

    Navigate to the "Incidents" or "Threat & Vulnerability Management" section. The exact location of these options may vary depending on the portal's interface.

    Look for a filter or search bar that allows you to specify event types or keywords. In this case, you can enter "VPN" or related terms to filter the events specifically related to VPN activities.

    Alternatively, you can also check the "Alerts" section or any other relevant sections where security events and alerts are displayed. Look for events with VPN-related indicators, such as IP addresses, connection status, or authentication failures.

    If the portal provides an advanced search option, you can use it to create a custom query to filter VPN-related events. For example, you can search for events related to specific VPN protocols (e.g., OpenVPN, IKEv2, L2TP) or events associated with VPN-related keywords (e.g., "VPN connection established," "VPN authentication failed").

    It's important to note that the steps provided above are general guidelines, and the actual process may vary depending on the interface and features of the Microsoft Defender for Endpoint portal. If you're unable to find the VPN-related events using these steps, it might be helpful to consult the portal's documentation or contact Microsoft support for further assistance.
  • Are you searching for the VPN Connection events?
    You can find them on the Advanced hunting section

    IdentityLogonEvents
    | where LogonType == "VPN Connection"

Resources