Pulse / Ivanti Secure Connect
Overview
Pulse Connect Secure is an SSL VPN solution for remote and mobile users.
Related Built-in Rules
Benefit from SEKOIA.IO built-in rules and extend Pulse Connect Secure with the following out-of-the-box detection capabilities.
SEKOIA.IO x Pulse Connect Secure on ATT&CK Navigator
Potential Azure AD Phishing Page (Adversary-in-the-Middle)
Detects an HTTP request to a URL typical of the Azure AD authentication flow, but towards a domain that is not one of the legitimate Microsoft domains used for Azure AD authentication.
- Effort: intermediate
RYUK Ransomware - martinstevens Username
Detects the user name "martinstevens". Wizard Spider is known to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns in 2019 and 2020.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Event Categories
The following table lists the data sources offered by this integration.

| Data Source | Description |
|---|---|
| Authentication logs | Events are produced when a user authenticates to company services by means of the VPN |
| Web logs | Events are produced on web service access |
| Network device logs | Events are produced on VPN connection |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
```json
{
  "message": "id=firewall time=\"2021-01-28 13:46:08\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Root user=bob realm=\"SEKOIA_User\" roles=\"VDI-Pulse_User_Role\" proto=auth src=176.134.164.62 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT24804: Host Checker policy 'Sekoia_Host Checker' failed on host '176.134.164.62' address '00-d8-61-35-80-81' for user 'bob' reason 'Rule-Antivirus_Check:Le logiciel antivirus indiqu\u00e9 dans les exigences de s\u00e9curit\u00e9 n'est pas install\u00e9.'.\"",
  "event": {
    "code": "AUT24804",
    "provider": "auth"
  },
  "action": {
    "name": "AUT24804"
  },
  "network": {
    "forwarded_ip": "172.16.128.22"
  },
  "service": {
    "name": "CB2XXPCS02",
    "type": "vpn"
  },
  "user": {
    "name": "bob",
    "domain": "SEKOIA_User",
    "roles": [
      "VDI-Pulse_User_Role"
    ]
  },
  "source": {
    "ip": "176.134.164.62",
    "address": "176.134.164.62"
  },
  "related": {
    "ip": [
      "176.134.164.62"
    ],
    "user": [
      "bob"
    ]
  }
}
```

```json
{
  "message": "id=firewall time=\"2021-01-28 13:46:05\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Root user=alice realm=\"SEKOIA_User\" roles=\"SEKOIA_User_Role\" proto=auth src=19.160.74.9 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT24803: Host Checker policy 'Sekoia_Host Checker' passed on host '19.160.74.9' address '60-f2-62-ea-2d-a1' for user 'alice'.\"",
  "event": {
    "code": "AUT24803",
    "provider": "auth"
  },
  "action": {
    "name": "AUT24803"
  },
  "network": {
    "forwarded_ip": "172.16.128.22"
  },
  "service": {
    "name": "CB2XXPCS02",
    "type": "vpn"
  },
  "user": {
    "name": "alice",
    "domain": "SEKOIA_User",
    "roles": [
      "SEKOIA_User_Role"
    ]
  },
  "source": {
    "ip": "19.160.74.9",
    "address": "19.160.74.9"
  },
  "related": {
    "ip": [
      "19.160.74.9"
    ],
    "user": [
      "alice"
    ]
  }
}
```

```json
{
  "message": "id=firewall time=\"2021-01-28 14:14:04\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Default Network user=bob realm=\"SEKOIA_User\" roles=\"\" proto=auth src=176.168.192.159 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT23457: Login failed using auth server RSA (ACE Server). Reason: Failed\"",
  "event": {
    "code": "AUT23457",
    "provider": "auth"
  },
  "action": {
    "name": "AUT23457"
  },
  "network": {
    "forwarded_ip": "172.16.128.22"
  },
  "service": {
    "name": "CB2XXPCS02",
    "type": "vpn"
  },
  "user": {
    "name": "bob",
    "domain": "SEKOIA_User"
  },
  "source": {
    "ip": "176.168.192.159",
    "address": "176.168.192.159"
  },
  "related": {
    "ip": [
      "176.168.192.159"
    ],
    "user": [
      "bob"
    ]
  }
}
```

```json
{
  "message": "id=firewall time=\"2021-03-04 17:05:15\" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 ivs=Default Network user=System realm=\"\" roles=\"\" proto= src=93.19.66.118 dst= dstname= type=vpn op= arg=\"\" result= sent= rcvd= agent=\"\" duration= msg=\"AUT31556: Unauthenticated request url /dana/js?prot=1&svc=4 came from IP 93.19.66.118.\"",
  "event": {
    "code": "AUT31556"
  },
  "action": {
    "name": "AUT31556"
  },
  "network": {
    "forwarded_ip": "172.16.128.22"
  },
  "service": {
    "name": "CB2XXPCS02",
    "type": "vpn"
  },
  "user": {
    "name": "System"
  },
  "source": {
    "ip": "93.19.66.118",
    "address": "93.19.66.118"
  },
  "url": {
    "path": "/dana/js?prot=1&svc=4"
  },
  "related": {
    "ip": [
      "93.19.66.118"
    ],
    "user": [
      "System"
    ]
  }
}
```
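The normalization shown in the samples above can be reproduced with a small parser for the WELF key=value format. This is an added example, not Sekoia.io's parser: the sample line is constructed from the page's samples, the rules for pulling the AUTnnnnn code and the request URL out of `msg` are inferred from those samples, and comma-separated `roles` is an assumption.

```python
from __future__ import annotations
import re

# Constructed WELF line modelled on the page's samples (not a real capture).
SAMPLE = ('id=firewall time="2021-01-28 13:46:05" pri=6 fw=172.16.128.22 vpn=CB2XXPCS02 '
          'ivs=Root user=alice realm="SEKOIA_User" roles="SEKOIA_User_Role" proto=auth '
          'src=19.160.74.9 dst= dstname= type=vpn op= arg="" result= sent= rcvd= agent="" '
          'duration= msg="AUT24803: Host Checker policy \'Sekoia_Host Checker\' passed on host '
          '\'19.160.74.9\' address \'60-f2-62-ea-2d-a1\' for user \'alice\'."')

# key=value pairs: a double-quoted value (may contain spaces and single quotes) or a bare
# token; empty values such as "dst=" are legal. Caveat: an unquoted multi-word value such
# as "ivs=Default Network" keeps only "Default" (ivs is not mapped to ECS on this page).
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
_CODE = re.compile(r'^([A-Z]{3}\d{5}):')        # e.g. AUT24804 at the start of msg (inferred)
_URL = re.compile(r'\brequest url (\S+)')        # AUT31556 "Unauthenticated request url ..."

def parse_welf(line: str) -> dict[str, str]:
    """Split a WELF line into a key -> value dict, with surrounding quotes removed."""
    fields: dict[str, str] = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields

def normalize(line: str) -> dict:
    """Map WELF fields onto the ECS fields listed on this page; empty values are dropped."""
    f = parse_welf(line)
    msg = f.get("msg", "")
    code = m.group(1) if (m := _CODE.match(msg)) else None
    ecs: dict = {
        "event": {"code": code},
        "action": {"name": code},
        "network": {"forwarded_ip": f.get("fw")},
        "service": {"name": f.get("vpn"), "type": f.get("type")},
        "user": {"name": f.get("user")},
        "source": {"ip": f.get("src"), "address": f.get("src")},
        "related": {"ip": [f["src"]] if f.get("src") else [],
                    "user": [f["user"]] if f.get("user") else []},
    }
    if f.get("proto"):
        ecs["event"]["provider"] = f["proto"]
    if f.get("realm"):
        ecs["user"]["domain"] = f["realm"]
    if f.get("roles"):  # assumption: several roles arrive comma-separated
        ecs["user"]["roles"] = [r.strip() for r in f["roles"].split(",")]
    if u := _URL.search(msg):
        ecs["url"] = {"path": u.group(1)}
    return ecs
```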
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
| Name | Type | Description |
|---|---|---|
| event.code | keyword | Identification code for this event. |
| event.provider | keyword | Source of the event. |
| network.forwarded_ip | ip | Host IP address when the source IP address is the proxy. |
| service.name | keyword | Name of the service. |
| service.type | keyword | The type of the service. |
| source.ip | ip | IP address of the source. |
| url.path | wildcard | Path of the request, such as "/search". |
| user.domain | keyword | Name of the directory the user is a member of. |
| user.name | keyword | Short name or login of the user. |
| user.roles | keyword | Array of user roles at the time of the event. |
Configure
As of now, the main solution to collect Pulse Connect Secure logs leverages the Rsyslog recipe along with the WELF log format offered by Pulse Secure. Please share your experiences with other recipes by editing this documentation.
Rsyslog
Please refer to the Pulse Connect Secure documentation to forward events to your syslog concentrator, then consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.