VPN Security Monitoring SureLog SIEM Use Cases
- Monitor VPN connections from an anonymous proxy
- Monitor connections to VPN providers and datacenters. Sample list:
- vpnoverdns.com is a free service providing VPN functionality over DNS. DNS resolutions for *.tun.vpnoverdns.com indicate usage of their VPN service. The service describes itself as “Data exfiltration, for those times when everything else is blocked.” Detect DNS requests to *.tun.vpnoverdns.com.
- Detect multiple VPN logon failures
- Detect too many failed VPN logins
- Detect VPN access from a disabled account
- Detect VPN connection source IP from an unauthorized location
- Detect VPN activity from a malicious/blacklisted network address
- Detect Local Login and VPN Login by Same User
- Detect Successful VPN Logon From Outside your Country
- Detect Successful VPN connections from different geo-locations when your users are only supposed to be working from certain geographic regions
- Detect Unusual Top User
- Detect User Login from 2+ Countries Within 1 Hour
- Detect Abnormal VPN session duration
- Detect First VPN connection from an unknown device
- Detect First VPN connection from a device for a user
- Detect First VPN connection from a device for organization
- Detect First VPN access from a new device
- Detect Abnormal amount of data uploaded during a VPN session
- Detect Increase of company-related data files access during VPN connection
- Detect MFA from a new device for a user
- Detect Physical badge access after VPN access
- Detect Malicious VPN source IP
- Track users that logon via VPN and then go on to logon to servers on your environment
- Detect Multiple VPN accounts failed login from single IP
- Detect a successful VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes.
- Detect 2 concurrent logins from 2 remote locations
- Detect multiple concurrent VPN/remote access logins from different locations using the same user account
- Create an alert for when a specific user logs in via VPN
- Detect VPN Connection beyond 24 hours
- Detect VPN Access from Internal IP Address
- Detect VPN access from overseas
- Detect Long-lasting VPN session
- Detect VPN connection from a non-whitelisted country
- Detect unauthorized VPN usage
- Detect concurrent VPN authentications from the same user
- Detect if a security alert (malware found on host) was triggered during a VPN session
- Detect when a user VPNs to the network from a new location for the first time and then accesses a shared file system
- Detect when a VPN connection is created with a service or machine account
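As an added example (not SureLog's own rule code), two of the use cases above, "User Login from 2+ Countries Within 1 Hour" and "multiple concurrent VPN logins from different locations using the same user account", implemented in Python over constructed sample VPN session records; the record fields, sample users and countries are assumptions made for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample VPN session records (user, login UTC, logout UTC or None if still
# active, source country); these are illustrative, not real SureLog output.
SAMPLE_SESSIONS = [
    ("alice", "2024-03-01T08:00:00", "2024-03-01T08:40:00", "DE"),
    ("alice", "2024-03-01T08:30:00", "2024-03-01T09:10:00", "US"),  # overlaps + new country
    ("bob",   "2024-03-01T09:00:00", "2024-03-01T09:30:00", "FR"),
    ("bob",   "2024-03-01T11:00:00", "2024-03-01T11:20:00", "FR"),  # same country: no alert
    ("carol", "2024-03-01T10:00:00", "2024-03-01T10:05:00", "GB"),
    ("carol", "2024-03-01T10:50:00", None,                  "JP"),  # within 1 h, new country
]

def parse_sessions(rows):
    """Raw tuples -> dicts with datetime fields (logout None = session still open)."""
    return [{"user": u, "login": datetime.fromisoformat(li),
             "logout": datetime.fromisoformat(lo) if lo else None, "country": c}
            for u, li, lo, c in rows]

def _by_user(sessions):
    grouped = {}
    for s in sessions:
        grouped.setdefault(s["user"], []).append(s)
    for evs in grouped.values():
        evs.sort(key=lambda s: s["login"])  # chronological per user
    return grouped

def logins_from_multiple_countries(sessions, window=timedelta(hours=1)):
    """Use case: the same user logs in from 2+ countries within `window` (default 1 hour)."""
    alerts = set()
    for user, evs in _by_user(sessions).items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["login"] - a["login"] > window:
                    break  # later sessions are even further away from a
                if a["country"] != b["country"]:
                    alerts.add((user, a["country"], b["country"]))
    return sorted(alerts)

def concurrent_sessions_from_different_locations(sessions):
    """Use case: overlapping sessions of one user from different countries (open session = still running)."""
    alerts = set()
    for user, evs in _by_user(sessions).items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                a_end = a["logout"] or datetime.max
                if b["login"] < a_end and a["country"] != b["country"]:
                    alerts.add((user, a["country"], b["country"]))
    return sorted(alerts)
```

Each rule returns (user, country A, country B) tuples, which is the minimum a SIEM alert needs to carry; in a real deployment the country would come from GeoIP enrichment of the VPN source address.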