Cisco ASA Concurrent VPN Users - KQL / Azure Sentinel

Prakhar KUMAR 1 Reputation point
2020-12-30T20:00:26.67+00:00

I need to make a timechart of concurrent VPN users connected to my Cisco ASA like the one in the following screenshot:


In splunk it was made possible by the awesome query posted here:
https://community.splunk.com/t5/Splunk-Search/Concurrent-Active-VPN-Sessions-on-a-Timechart/m-p/493141#M137524

If I have to use the same logic to achieve the desired result, I just need your help to convert the following part of the above Splunk query into KQL:
```spl
| sort 0 _time
| eval time2=_time
| bin span=20m time2
| eval time2=if(status="disconnected",NULL,time2)
| eval _time=coalesce(time2,_time)
| streamstats count(eval(status="assigned")) as session by user
| stats values(eval(if(status="assigned",round(_time),NULL))) as start values(eval(if(status="disconnected",round(_time),NULL))) as end by user session
| eval timerange=mvrange(start,end,1200)
| mvexpand timerange
| rename timerange as _time
| timechart span=20m count(user)
```

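One way to express the same session-pairing logic in KQL, added here as an example and not taken from the thread or from Microsoft's ASA connector. It assumes the ASA syslog has already been parsed into a table with `TimeGenerated`, `user` and `status` columns (the `events` datatable below is constructed sample data standing in for that parsed table); like the Splunk version it numbers each user's "assigned" events to pair them with the following "disconnected" event, then counts each session in every 20-minute bucket it overlaps.

```kusto
// Constructed sample of parsed ASA session events (not real log data).
let events = datatable(TimeGenerated: datetime, user: string, status: string)
[
    datetime(2020-12-30 08:05:00), "alice", "assigned",
    datetime(2020-12-30 09:12:00), "alice", "disconnected",
    datetime(2020-12-30 08:30:00), "bob",   "assigned",
    datetime(2020-12-30 08:50:00), "bob",   "disconnected",
    datetime(2020-12-30 09:00:00), "bob",   "assigned",
    datetime(2020-12-30 09:40:00), "bob",   "disconnected"
];
events
| order by user asc, TimeGenerated asc
// Running count of "assigned" events per user, restarting when the user changes:
// this is the equivalent of the Splunk streamstats session number.
| extend session = row_cumsum(toint(status == "assigned"), user != prev(user))
// Pair each session's start (assigned) with its end (disconnected).
| summarize start = minif(TimeGenerated, status == "assigned"),
            end   = minif(TimeGenerated, status == "disconnected") by user, session
// A session with no disconnect yet is still open: treat it as running until now.
| extend end = coalesce(end, now())
// One row per 20-minute bucket the session overlaps (Splunk's mvrange + mvexpand).
| extend bucket = range(bin(start, 20m), bin(end, 20m), 20m)
| mv-expand bucket to typeof(datetime)
| summarize ConcurrentUsers = dcount(user) by bucket
| order by bucket asc
| render timechart
```

The `order by` before `row_cumsum` matters: both `prev()` and `row_cumsum()` require a serialized input, and the user-then-time ordering is what makes the session counter reset correctly per user.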

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2020-12-30T23:54:20.473+00:00

    Hi prakharkumar-2709,

    From my understanding you are connecting your ASA service from Cisco to Azure Sentinel and everything is working fine, and you just need help rewriting a Splunk query into KQL. This is more of a KQL question than a Sentinel question, so I would suggest reaching out on one of these forums:

    KQL forums - Newest 'kql' Questions - Stack Overflow

    Cisco ASA forums - Newest 'asa' Questions - Stack Overflow

    1 person found this answer helpful.
