How to Monitor the Microsoft AlwaysOn VPN with Azure Sentinel

If you want to have the information from the Microsoft AlwaysOn VPN in Azure Sentinel, do the following:

[1] Make sure you have the Azure Monitor Agent (MMA, Log Analytics Agent) installed and are collecting the Application log. This requires the SecurityEvent Data Connector be enabled, btw.

Add the Application log to the Agent Configuration in the Log Analytics Workspace for Azure Sentinel

[2] Query for “RasClient” in the Event table.

| where Source == "RasClient"
Look for the RenderedDescription data column for goodness

In the Event table for RasClient there’s also a RenderedDescription data column that can be parsed. It contains things like:

  • Tunnel IP address
  • User name
  • Domain
  • Server
  • Port
  • Media type
  • Gateway
  • Termination code
  • And lots more…

Lots of goodness here. Have fun!

Common error codes are shown here: Troubleshoot Always On VPN | Microsoft Docs


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Azure Sentinel Newsletter]