Forum Discussion

EricStarker's avatar
EricStarker
Icon for Community Manager rankCommunity Manager
Jan 04, 2018

Why it’s important to integrate your VPN with Microsoft Advanced Threat Analytics

A majority of IT teams use Virtual Private Network (VPN) connections as a method to grant remote users access to corporate resources from outside the company’s network. A VPN connection provides employees flexibility by allowing them to work on the go and helps to increase productivity. 

 

Since VPN connections are fully encrypted, they are secure and therefore their content is not always inspected. However, VPN offers an entry point for attackers to use existing credentials and remotely connect into a corporate network. With the release of version 1.8, Advanced Threat Analytics (ATA) now detects when and where credentials are being used via VPN and integrates that data into your investigation. This new capability complements all the other abnormal behavior and known malicious detection capabilities ATA already provides. Capturing and analyzing the origin of VPN connections increases your chances of identifying where and how attackers are leveraging stolen credentials in your network.  

 

 

Read about it in the Azure blog.

  • Sam Cooks's avatar
    Sam Cooks
    Copper Contributor
    Hello, need assistance with VPN integration. Using Microsoft Network Policy Server and have setup accounting in my connection policy to send events to multiple gateway servers but nothing shows up. I can see events on the policy server showing remote connections. Any ideas on where i can go for help or what to look for? Thanks
    • EliOfek's avatar
      EliOfek
      Icon for Microsoft rankMicrosoft

      You can query any collection in mongo  that starts with "VpnAuthenticationEvent" to see if you are getting any VPN events into ATA.

      The collections are created on demand, so if you see you have those, at some point events were coming in...

       

      from the mongo bin folder, run:

      mongo ATA --eval "db.getCollectionNames().filter(function (c) { return c.indexOf('VpnAuthenticationEvent') == 0; })"
    • Tali Ash's avatar
      Tali Ash
      Icon for Microsoft rankMicrosoft

      We will support more vendors due customer demand. Vendors that support radius accounting can possibly be supported quite easily.

  • Any timelines to share on Citrix VPN Netscaler support?

Resources