Cisco VPN

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

Cisco Anyconnect VPN Authentication Logs

✅

✅

cisco_anyconnect_vpn_authentication_logs

Key value

S3


Overview

This article details how to ingest logs from Cisco VPN into Hunters.

Cisco AnyConnect Secure Mobility Client is used for secure access to the enterprise network from any device while protecting the organization.

Supported data types

Cisco Anyconnect VPN Authentication Logs

Table name: cisco_anyconnect_vpn_authentication_logs

The authentication logs from Cisco AnyConnect VPN are crucial for monitoring who is accessing the network, when, and how, thus ensuring that only authorized users can connect.

Learn more here.

Send data to Hunters

Hunters supports the ingestion of Cisco AnyConnect VPN logs via an intermediary AWS S3 bucket.

To connect Cisco AnyConnect VPN logs:

  1. Export your logs from Cisco AnyConnect to an AWS S3 bucket by following this guide.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in key-value format. Each line is one record, for example:

Sep 18 15:01:28 host 1695042087:Acct-Session-Id="308",Acct-Status-Type=Start,User-Name="k.m@abc.com",Alias="",NAS-IP-Addr=88.200.108.100,NAS-Identifier="cvpn-certs",Calling-Station-Id="5.10.100.100",Framed-IP-Address=10.100.201.103,Tunnel-Client-Endpoint=12.21.100.200,Class="AP-CVPN",Acct-Terminate-Cause="",Acct-Session-Time=,Acct-Input-Octets=,Acct-Output-Octets=,Tunnel-Group="AP-CVPN"
Sep 18 15:01:50 host 1695042110:Acct-Session-Id="440",Acct-Status-Type=Start,User-Name="jp@abc.com",Alias="",NAS-IP-Addr=31.100.10.100,NAS-Identifier="cvpn-certs",Calling-Station-Id="31.100.100.100",Framed-IP-Address=10.00.121.100,Tunnel-Client-Endpoint=255.255.100.10,Class="AP-CVPN",Acct-Terminate-Cause="",Acct-Session-Time=,Acct-Input-Octets=,Acct-Output-Octets=,Tunnel-Group="AP-CVPN"
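
The following parser is an added example, not part of the Hunters documentation or platform code. It reads the key-value lines shown above and can be used to validate exported files before they reach S3. It assumes the number before the colon is a Unix epoch timestamp and that an empty value means the field is absent; the function name and the Stop record are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# "<syslog timestamp> <host> <epoch>:<comma-separated key=value pairs>"
LINE_RE = re.compile(r'^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} '
                     r'(?P<host>\S+) (?P<epoch>\d+):(?P<pairs>.*)$')
# A value is double-quoted (may contain commas) or a bare, possibly empty, token.
PAIR_RE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)=(?:"([^"]*)"|([^,]*))(?:,|$)')
INT_FIELDS = {"Acct-Session-Time", "Acct-Input-Octets", "Acct-Output-Octets"}

# First sample line from this page, then a constructed Stop record (invented values).
SAMPLE_START = (
    'Sep 18 15:01:28 host 1695042087:Acct-Session-Id="308",Acct-Status-Type=Start,'
    'User-Name="k.m@abc.com",Alias="",NAS-IP-Addr=88.200.108.100,'
    'NAS-Identifier="cvpn-certs",Calling-Station-Id="5.10.100.100",'
    'Framed-IP-Address=10.100.201.103,Tunnel-Client-Endpoint=12.21.100.200,'
    'Class="AP-CVPN",Acct-Terminate-Cause="",Acct-Session-Time=,'
    'Acct-Input-Octets=,Acct-Output-Octets=,Tunnel-Group="AP-CVPN"')
SAMPLE_STOP = (
    'Sep 18 16:00:00 host 1695045600:Acct-Session-Id="308",Acct-Status-Type=Stop,'
    'User-Name="Doe, Jane",Acct-Terminate-Cause="User-Request",'
    'Acct-Session-Time=3513,Acct-Input-Octets=1024,Acct-Output-Octets=')


def parse_vpn_line(line):
    """Parse one record into a dict; return None when the line is malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pairs = m.group("pairs")
    record = {"host": m.group("host"),
              "event_time": datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)}
    consumed = 0
    for pair in PAIR_RE.finditer(pairs):
        if pair.start() != consumed:   # unparseable gap: reject instead of guessing
            return None
        consumed = pair.end()
        key, quoted, bare = pair.groups()
        value = quoted if quoted is not None else bare
        if value == "":
            value = None               # Alias="" and Acct-Session-Time= both mean "no value"
        elif key in INT_FIELDS and value.isdigit():
            value = int(value)
        record[key] = value
    return record if consumed == len(pairs) else None


if __name__ == "__main__":
    for sample in (SAMPLE_START, SAMPLE_STOP):
        print(parse_vpn_line(sample))
```

Lines for which the function returns None are worth counting before upload, since a high reject rate usually points to a changed export format.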