VPN Security Monitoring SureLog SIEM Use Cases

  • Monitor VPN connections from an anonymous proxy
    • Monitor connections to VPN providers and datacenters. Sample list: https://github.com/MISP/misp-warninglists/blob/main/lists/vpn-ipv4/list.json
  • vpnoverdns.com is a free service providing VPN functionality over DNS. DNS resolutions for *.tun.vpnoverdns.com indicate usage of their VPN service. The service describes itself as “Data exfiltration, for those times when everything else is blocked.” Detect DNS requests to “*.tun.vpnoverdns.com”
  • Detect multiple VPN logon failures
  • Detect too many failed VPN logins
  • Detect VPN access from a disabled account
  • Detect VPN connection source IP from an unauthorized location
  • Detect VPN activity from a malicious/blacklisted network address
  • Detect Local Login and VPN Login by Same User
  • Detect Successful VPN Logon From Outside your Country 
  • Detect successful VPN connections from different geo-locations, as your users are only supposed to be working from certain geographies
  • Detect Unusual Top User
  • Detect User Login from 2+ Countries Within 1 Hour
  • Detect Abnormal VPN session duration 
  • Detect First VPN connection from an unknown device
  • Detect First VPN connection from a device for a user
  • Detect First VPN connection from a device for organization
  • Detect First VPN access from a new device
  • Detect Abnormal amount of data uploaded during a VPN session
  • Detect Increase of company-related data files access during VPN connection
  • Detect MFA from a new device for a user
  • Detect Physical badge access after VPN access
  • Detect Malicious VPN source IP
  • Track users that log on via VPN and then go on to log on to servers in your environment
  • Detect Multiple VPN accounts failed login from single IP
  • Detect a successful VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes.
  • Detect 2 concurrent logins from 2 remote locations
  • Detect multiple concurrent VPN/remote access logins from different locations using the same user account
  • Create an alert for when a specific user logs in via VPN
  • Detect VPN Connection beyond 24 Hours
  • Detect VPN Access from Internal IP Address 
  • Detect VPN access from overseas
  • Detect Long-lasting VPN session
  • Detect VPN connection from a non-whitelisted country
  • Detect unauthorized VPN usage
  • Detect concurrent VPN authentications from the same user
  • Detect if a security alert (malware found on host) is triggered during a VPN session
  • Detect when a user VPNs to the network from a new location for the first time, then accesses a shared file system
  • Detect when a VPN connection is created with a service or machine account
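
The login, file transfer, logoff sequence rule from the list above, sketched as an added Python example (not SureLog rule syntax and not part of the original page). The event field names, the constructed sample events, matching the transfer destination against the login source IP, and reading "within 2 minutes" as login-to-logoff time are all assumptions.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=2)  # from the use case: logoff within 2 minutes

# Constructed sample events; field names are assumptions, not a SureLog schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "vpn_login", "user": "alice", "src_ip": "203.0.113.10"},
    {"ts": "2024-05-01T09:00:40", "type": "file_transfer", "user": "alice", "dst_ip": "203.0.113.10", "file": "q1.xlsx"},
    {"ts": "2024-05-01T09:01:30", "type": "vpn_logoff", "user": "alice", "src_ip": "203.0.113.10"},
    # Transfer to the source host, but a long session: not this pattern.
    {"ts": "2024-05-01T10:00:00", "type": "vpn_login", "user": "bob", "src_ip": "198.51.100.7"},
    {"ts": "2024-05-01T10:00:30", "type": "file_transfer", "user": "bob", "dst_ip": "198.51.100.7", "file": "a.doc"},
    {"ts": "2024-05-01T10:45:00", "type": "vpn_logoff", "user": "bob", "src_ip": "198.51.100.7"},
    # Short session with no transfer: not this pattern.
    {"ts": "2024-05-01T11:00:00", "type": "vpn_login", "user": "carol", "src_ip": "192.0.2.55"},
    {"ts": "2024-05-01T11:00:50", "type": "vpn_logoff", "user": "carol", "src_ip": "192.0.2.55"},
    # Short session, transfer to an internal host rather than the VPN source host.
    {"ts": "2024-05-01T12:00:00", "type": "vpn_login", "user": "dave", "src_ip": "192.0.2.77"},
    {"ts": "2024-05-01T12:00:20", "type": "file_transfer", "user": "dave", "dst_ip": "10.0.0.5", "file": "b.txt"},
    {"ts": "2024-05-01T12:01:00", "type": "vpn_logoff", "user": "dave", "src_ip": "192.0.2.77"},
]

def detect_login_transfer_logoff(events, window=WINDOW):
    """Alert on VPN login -> file transfer(s) to the source host -> logoff within `window`."""
    sessions = {}  # user -> state of the currently open VPN session
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        user = ev["user"]
        if ev["type"] == "vpn_login":
            sessions[user] = {"start": ts, "src_ip": ev["src_ip"], "files": []}
        elif ev["type"] == "file_transfer":
            s = sessions.get(user)
            # Count only transfers whose destination is the host the VPN login came from.
            if s and ev["dst_ip"] == s["src_ip"]:
                s["files"].append(ev["file"])
        elif ev["type"] == "vpn_logoff":
            s = sessions.pop(user, None)
            if s and s["files"] and ts - s["start"] <= window:
                alerts.append({"user": user, "src_ip": s["src_ip"], "files": s["files"],
                               "seconds": int((ts - s["start"]).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in detect_login_transfer_logoff(EVENTS):
        print(alert)
```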