If you want to have the information from the Microsoft AlwaysOn VPN in Azure Sentinel, do the following:
1. Make sure you have the Azure Monitor Agent (MMA, Log Analytics Agent) installed and are collecting the Application log. This requires the SecurityEvent Data Connector be enabled, btw.
2. Query for "RasClient" in the Event table.

```
Event | where Source == "RasClient"
```

In the Event table for RasClient there’s also a RenderedDescription data column that can be parsed. It contains things like:
- Tunnel IP address
- User name
- Media type
- Termination code
- And lots more…
Lots of goodness here. Have fun!
Common error codes are shown here: Troubleshoot Always On VPN | Microsoft Docs
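
One way to pull fields out of RenderedDescription, as an added example that is not part of the original post. The sample rows are constructed, and the message wording and event IDs are assumptions based on typical RasClient text; adjust the patterns to what your own Event table contains.

```kusto
// Constructed sample rows standing in for: Event | where Source == "RasClient"
// Assumption: messages follow the usual RasClient wording
// "The user X dialed a connection named Y which has failed/terminated ...".
let SampleRasClient = datatable(TimeGenerated:datetime, Computer:string, Source:string,
                                EventID:int, RenderedDescription:string)
[
    datetime(2024-01-15 08:01:12), "LAPTOP-01", "RasClient", 20227,
        "CoId={11111111-1111-1111-1111-111111111111}: The user CONTOSO\\alice dialed a connection named Corp AOVPN which has failed. The error code returned on failure is 809.",
    datetime(2024-01-15 08:03:40), "LAPTOP-01", "RasClient", 20227,
        "CoId={22222222-2222-2222-2222-222222222222}: The user CONTOSO\\alice dialed a connection named Corp AOVPN which has failed. The error code returned on failure is 809.",
    datetime(2024-01-15 09:15:02), "LAPTOP-02", "RasClient", 20226,
        "CoId={33333333-3333-3333-3333-333333333333}: The user CONTOSO\\bob dialed a connection named Corp AOVPN which has terminated. The reason code returned on termination is 829.",
    datetime(2024-01-15 09:20:00), "LAPTOP-02", "RasClient", 20221,
        "CoId={44444444-4444-4444-4444-444444444444}: some other RasClient message that the patterns below do not match."
];
SampleRasClient
| where Source == "RasClient"
| extend UserName       = extract(@"The user (.+?) dialed a connection", 1, RenderedDescription),
         ConnectionName = extract(@"connection named (.+?) which has", 1, RenderedDescription),
         Outcome        = extract(@"which has (failed|terminated)", 1, RenderedDescription),
         Code           = toint(extract(@"code returned on (?:failure|termination) is (\d+)", 1, RenderedDescription))
// Rows that do not match the assumed wording are dropped here, not miscounted.
| where isnotempty(Outcome)
// Repeated failures with the same code for one user are what to look up
// against the error-code list in the troubleshooting article.
| summarize Events = count(), Computers = make_set(Computer), LastSeen = max(TimeGenerated)
    by UserName, ConnectionName, Outcome, Code
| order by Events desc
```

To run it against live data, replace `SampleRasClient` with `Event` and drop the `let` statement.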