Hi - I wanted to ask if anyone here was able to create a query to search for failed client-side VPN authentication? (I.e. if an attacker knows a legitimate user's email but enters the wrong password in a VPN app on the desktop.) We currently have our firewalls and RADIUS servers set up as our event sources within IDR.
What are you using? We have this set up both through our Cisco side and also our Palo Alto side. Just make sure you are using the correct log level so that failed VPN auths are logged and sent over syslog.
For example: where("result" != "SUCCESS" and "Service" = "VPN") is a query we use on the Cisco FTD side of things.
We’re using Cisco VPN and FPFW.
Yep that query will work for you when you select the “Ingress Authentication” logset and choose the firewalls that you’d like to see the data for.
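As an added example (not part of the thread or of IDR), here is the same filter logic as the query above applied offline to constructed Ingress Authentication-style events, plus a per-account count of failures inside a sliding window, which is the pattern the original question (right email, wrong password) would produce. The field names "result" and "Service" come from the quoted query; "timestamp", "user", "source_ip" and the sample values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of IDR "Ingress Authentication" entries.
# "result" and "Service" follow the query quoted in the thread; the other fields
# and all values are assumptions made for this example.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T08:00:00Z", "Service": "VPN", "result": "FAILURE", "user": "alice@example.com", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-03-01T08:01:30Z", "Service": "VPN", "result": "FAILURE", "user": "alice@example.com", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-03-01T08:03:10Z", "Service": "VPN", "result": "FAILURE", "user": "alice@example.com", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-03-01T08:05:00Z", "Service": "VPN", "result": "SUCCESS", "user": "alice@example.com", "source_ip": "203.0.113.10"},
    {"timestamp": "2024-03-01T08:02:00Z", "Service": "VPN", "result": "FAILURE", "user": "bob@example.com",   "source_ip": "198.51.100.7"},
    {"timestamp": "2024-03-01T08:02:30Z", "Service": "SSH", "result": "FAILURE", "user": "carol@example.com", "source_ip": "198.51.100.9"},
    {"timestamp": "2024-03-01T09:30:00Z", "Service": "VPN", "result": "FAILURE", "user": "alice@example.com", "source_ip": "203.0.113.10"},
]


def _parse_ts(value):
    # ISO-8601 with a trailing "Z"; rewritten so fromisoformat accepts it on older Pythons.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def failed_vpn_auths(events):
    """Offline equivalent of: where("result" != "SUCCESS" and "Service" = "VPN")."""
    return [e for e in events if e["Service"] == "VPN" and e["result"] != "SUCCESS"]


def accounts_with_repeated_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Return {user: max_failures_in_window} for users whose failed VPN auths
    reach `threshold` inside any `window`-long sliding interval."""
    by_user = defaultdict(list)
    for e in failed_vpn_auths(events):
        by_user[e["user"]].append(_parse_ts(e["timestamp"]))

    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(user, 0):
                flagged[user] = count
    return flagged


if __name__ == "__main__":
    print(len(failed_vpn_auths(SAMPLE_EVENTS)), "failed VPN auths")
    print(accounts_with_repeated_failures(SAMPLE_EVENTS))
```

The query in the thread finds every failure; the windowed count is what distinguishes a mistyped password from repeated guessing against one account.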
Thank you!