Why it’s important to integrate your VPN with Microsoft Advanced Threat Analytics


A majority of IT teams use Virtual Private Network (VPN) connections as a method to grant remote users access to corporate resources from outside the company’s network. A VPN connection gives employees flexibility by allowing them to work on the go and helps to increase productivity.

Since VPN connections are fully encrypted, they are treated as secure and therefore their content is not always inspected. However, a VPN also offers an entry point for attackers to use existing credentials and connect remotely into a corporate network. With the release of version 1.8, Advanced Threat Analytics (ATA) now detects when and where credentials are being used via VPN and integrates that data into your investigation. This new capability complements the abnormal-behavior and known-malicious-activity detections ATA already provides. Capturing and analyzing the origin of VPN connections increases your chances of identifying where and how attackers are leveraging stolen credentials in your network.

[Image: Slide1.PNG]

Read about it in the Azure blog.

5 Replies
Hello, need assistance with VPN integration. Using Microsoft Network Policy Server and have set up accounting in my connection policy to send events to multiple gateway servers, but nothing shows up. I can see events on the policy server showing remote connections. Any ideas on where I can go for help or what to look for? Thanks

You can query any collection in mongo that starts with "VpnAuthenticationEvent" to see if you are getting any VPN events into ATA.

The collections are created on demand, so if you see you have those, at some point events were coming in...

 

From the mongo bin folder, run:

mongo ATA --eval "db.getCollectionNames().filter(function (c) { return c.indexOf('VpnAuthenticationEvent') == 0; })"

When will you support other VPN vendors like Barracuda NG?

We will support more vendors due to customer demand. Vendors that support RADIUS accounting can possibly be supported quite easily.
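The replies above describe the integration as RADIUS accounting forwarded from the VPN (or NPS) to the ATA gateway, and the first question is about accounting that never shows up. As an added example that is not part of this thread or of ATA's own code, the Python below models that exchange per RFC 2866: a client-side encoder for an Accounting-Request with a correct Request Authenticator, and a receiver-side parser that verifies the authenticator against the shared secret before trusting User-Name, Framed-IP-Address and Calling-Station-Id, the fields that tie a VPN session to a user and a source address. A wrong shared secret, the most common reason accounting is silently dropped, fails the check. The secret, user name and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS attribute types (RFC 2865/2866) that tie a VPN session to a user and source.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 8: "Framed-IP-Address",
              31: "Calling-Station-Id", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, attrs, secret):
    """Encode an Accounting-Request (code 4) as a RADIUS client such as NPS would.
    Request Authenticator = MD5(Code+Identifier+Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", 4, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_accounting_request(packet, secret):
    """Receiver side: check the authenticator before trusting any attribute."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 4:
        raise ValueError(f"not an Accounting-Request (code {code})")
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):  # wrong shared secret or tampered attributes
        raise ValueError("Request Authenticator mismatch")
    fields, pos = {}, 0
    while pos < len(body):                       # walk Type/Length/Value attributes
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError(f"malformed attribute at offset {pos}")
        t, alen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + alen]
        name = ATTR_NAMES.get(t, f"attr-{t}")
        if t in (4, 8) and len(value) == 4:      # IPv4 addresses
            fields[name] = ".".join(str(b) for b in value)
        elif t == 40 and len(value) == 4:        # Acct-Status-Type enum
            fields[name] = ACCT_STATUS.get(struct.unpack("!I", value)[0], "unknown")
        else:                                    # text attributes
            fields[name] = value.decode("utf-8", "replace")
        pos += alen
    return fields

# Constructed sample: one VPN session start (user, VPN server, assigned IP, client public IP).
SECRET = b"constructed-shared-secret"
SAMPLE_ATTRS = [(1, b"CORP\\jdoe"), (4, bytes([192, 0, 2, 10])), (8, bytes([10, 20, 30, 40])),
                (31, b"203.0.113.7"), (40, struct.pack("!I", 1)), (44, b"sess-0001")]
```

Running `parse_accounting_request(build_accounting_request(7, SAMPLE_ATTRS, SECRET), SECRET)` yields the decoded session; feeding the same packet with a different secret raises on the authenticator check, which is the condition to rule out first when accounting is sent but nothing appears on the receiving side.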

Any timelines to share on Citrix VPN Netscaler support?