Version 2

    This pack has two rules.  One of them infers a "VPNConnection" event with the Info "User Successfully Connected to VPN" and the other infers a "VPNConnection" event with the info "VPN Connection Terminated."

     

    The "Established" rule is based off thresholds for a Cisco ASA, AnyConnect VPN client and LDAP authentication, specifically events 734003 and 746012.

     

    The "Terminated" rule is based off thresholds for event 113019.  The extraneous info for this events does include the duration of the VPN session.

     

    Both rules generate an event with a username.