If you want to have the information from the Microsoft AlwaysOn VPN in Azure Sentinel, do the following:
[1] Make sure you have the Azure Monitor Agent (MMA, Log Analytics Agent) installed and are collecting the Application log. This requires the SecurityEvent Data Connector be enabled, btw.

[2] Query for “RasClient” in the Event table.
Event
| where Source == "RasClient"

In the Event table for RasClient there’s also a RenderedDescription data column that can be parsed. It contains things like:
- Tunnel IP address
- User name
- Domain
- Server
- Port
- Media type
- Gateway
- Termination code
- And lots more…
Lots of goodness here. Have fun!
Common error codes are shown here: Troubleshoot Always On VPN | Microsoft Docs
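One way to pull a few of those fields out of RenderedDescription, as an added example that is not part of the original post. The sample rows are constructed, and the message wording they use is an assumption to check against your own RasClient events before relying on the patterns:

```kql
// Constructed sample rows standing in for the Event table.
// The RenderedDescription wording is an assumption; compare with real events.
let SampleEvent = datatable(TimeGenerated:datetime, Computer:string, Source:string, RenderedDescription:string)
[
    datetime(2024-01-15 08:01:00), "LAPTOP-01", "RasClient",
        "CoId={00000000-0000-0000-0000-000000000001}: The user CONTOSO\\alice dialed a connection named Always On VPN which has successfully connected.",
    datetime(2024-01-15 08:05:00), "LAPTOP-02", "RasClient",
        "CoId={00000000-0000-0000-0000-000000000002}: The user CONTOSO\\bob dialed a connection named Always On VPN which has failed. The error code returned on failure is 809.",
    datetime(2024-01-15 08:06:00), "LAPTOP-02", "RasClient",
        "CoId={00000000-0000-0000-0000-000000000003}: The user CONTOSO\\bob dialed a connection named Always On VPN which has failed. The error code returned on failure is 809.",
    datetime(2024-01-15 09:30:00), "LAPTOP-01", "RasClient",
        "CoId={00000000-0000-0000-0000-000000000001}: The user CONTOSO\\alice dialed a connection named Always On VPN which has terminated. The reason code returned on termination is 631."
];
SampleEvent   // swap in Event to run this against the workspace
| where Source == "RasClient"
| extend VpnUser        = extract(@"The user (\S+)", 1, RenderedDescription),
         ConnectionName = extract(@"connection named (.+?) which has", 1, RenderedDescription),
         Outcome        = case(
                              RenderedDescription contains "successfully connected", "Connected",
                              RenderedDescription contains "which has failed",       "Failed",
                              RenderedDescription contains "which has terminated",   "Terminated",
                              "Other"),
         // Error code on failure, reason code on termination; empty otherwise
         Code           = toint(extract(@"code returned on (?:failure|termination) is (\d+)", 1, RenderedDescription))
// One row per machine, user, outcome and code, so repeated failures stand out
| summarize Events = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer, VpnUser, ConnectionName, Outcome, Code
| order by Events desc
```

The Code column can be looked up in the error code list linked above.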