New Cisco AnyConnect VPN log

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnagent_2037.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: VPN connection terminated
+EventId: 2037
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnagent
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnagent" />
+#     <EventID Qualifiers="25600">2037</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>VPN SESSION END: The VPN connection is terminated.</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnagent_2039.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: VPN connection established
+EventId: 2039
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnagent
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnagent" />
+#     <EventID Qualifiers="25600">2039</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>The VPN connection has been established and can now pass data.</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnagent_2044.map

@@ -0,0 +1,39 @@
+Author: esecrpm
+Description: Connection to secure gateway established
+EventId: 2044
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnagent
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%PayloadData1%"
+    Values:
+      -
+        Name: PayloadData1
+        Value: "/Event/EventData/Data"
+        Refine: "(?<=, )[^,\\d]+(?=,)"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnagent" />
+#     <EventID Qualifiers="25600">2044</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="4932" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>The Primary DTLS/SSL connection to the secure gateway has been established.</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnagent_2073.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: IP Addresses of active interfaces
+EventId: 2073
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnagent
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnagent" />
+#     <EventID Qualifiers="25600">2073</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>IP Addresses from active interfaces: Wi-Fi: 192.168.1.1, 2605:A601:A6A7:9D00:nnnn:nnnn:nnnn:nnnn, FE80:0:0:0:nnnn:nnnn:nnnn:nnnn</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnagent_2086.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: The client's public address is now set
+EventId: 2086
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnagent
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnagent" />
+#     <EventID Qualifiers="25600">2086</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>The client's public address is now set to 192.168.1.1</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnapi_3002.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: Initiating VPN connection to secure gateway
+EventId: 3002
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnapi
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnapi" />
+#     <EventID Qualifiers="25600">3002</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>VPN SESSION START: Initiating VPN connection to the secure gateway https://vpngateway.company.com</Data>
+#   </EventData>
+# </Event>

evtx/Maps/Cisco-Secure-Client-AnyConnect-VPN_csc_vpnapi_3026.map

@@ -0,0 +1,38 @@
+Author: esecrpm
+Description: A VPN connection was requested
+EventId: 3026
+Channel: "Cisco Secure Client - AnyConnect VPN"
+Provider: csc_vpnapi
+Maps:
+  -
+    Property: PayloadData1
+    PropertyValue: "%Data%"
+    Values:
+      -
+        Name: Data
+        Value: "/Event/EventData/Data"
+
+# Documentation
+# N/A
+#
+# <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
+#   <System>
+#     <Provider Name="csc_vpnapi" />
+#     <EventID Qualifiers="25600">3026</EventID>
+#     <Version>0</Version>
+#     <Level>4</Level>
+#     <Task>0</Task>
+#     <Opcode>0</Opcode>
+#     <Keywords>0x80000000000000</Keywords>
+#     <TimeCreated SystemTime="2020-10-08T15:58:49.2901037Z" />
+#     <EventRecordID>7188</EventRecordID>
+#     <Correlation />
+#     <Execution ProcessID="0" ThreadID="0" />
+#     <Channel>Cisco Secure Client - AnyConnect VPN</Channel>
+#     <Computer>foobar</Computer>
+#     <Security />
+#   </System>
+#   <EventData>
+#     <Data>An SSL VPN connection to company VPN has been requested by the user.</Data>
+#   </EventData>
+# </Event>