Our next-gen architecture is built to help you make sense of your ever-growing data.

Watch a 4-min demo video!

Quick Start Security for MongoDB

thank you

Thank you!

We got your information.

MongoDB
MongoDB icon

Coralogix Extension For MongoDB Includes:

Dashboards - 5

Gain instantaneous visualization of all your MongoDB data.

MongoDB - Client Metadata Overview
MongoDB - Client Metadata Overview
MongoDB - Access Overview
MongoDB - Access Overview
MongoDB - General Overview
MongoDB - General Overview
MongoDB - Network Overview
MongoDB - Network Overview
MongoDB - Other Components Overview
MongoDB - Other Components Overview

Alerts - 8

Stay on top of MongoDB key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Possible Brute Force Detected

This alert will trigger when receiving a MongoDB ACCESS log indicating a series of failed authentication attempts, originating from different users in a short period of time Impact Can be indicative of an attacker attempting to brute force access to MongoDB Mitigation Check and confirm whether this was a legitimate activity. In the attribute log fields, notice the Authentication DB, Principal Name and Source IP/Port - check wether these appear to be originating from a legitimate source. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection. MITRE Tactic: TA0001 MITRE Technique: T1133

Authentication Succeeded for Same User from different IPs

This alert will trigger when receiving a MongoDB ACCESS log indicating a successful authentication was made for the same user from different IP in a short period of time (Impossible traveler scenario) Impact Can be indicative of an attacker controlled user using stolen credentials to access the DB from outside the internal network, establishing an initial foothold. Mitigation Check and confirm whether this was a legitimate activity. In the attribute log fields, notice the Authentication DB, Principal Name and Source IP/Port - check wether these appear to be originating from a legitimate source. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection. MITRE Tactic: TA0001 MITRE Technique: T1133

Authentication Succeeded from Public IP

This alert will trigger when receiving a MongoDB ACCESS log indicating a successful authentication being made from a public IP Impact Can be indicative of an attacker controlled user using stolen credentials to access the DB from outside the internal network, establishing an initial foothold. Mitigation Check and confirm whether this was a legitimate activity. In the attribute log fields, notice the Authentication DB, Principal Name and Source IP/Port - check wether these appear to be originating from a legitimate source. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection. MITRE Tactic: TA0001 MITRE Technique: T1133

Authentication Failed

This alert will trigger when a MongoDB ACCESS log indicating a failed authentication attempt. Impact Can be indicative of a user mistyping their credentials, or a possible Brute Force attempt. Mitigation Check error attributes, namely the error message that will indicate why the authentication failed and for which user. Continue investigating by examining the MongoDB component affected, the message generate, Source IP/Port and various attributes associated with the relevant component and/or error. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection. MITRE Tactic: TA0001 MITRE Technique: T1133

Checking Authorization Failed

This alert will trigger when a MongoDB ACCESS log indicating a that an authorization check failed is detected. Impact Can be indicative of of an automation misconfiguration in legitimate cases, or a brute force attempt in the malicious context Mitigation Check error attributes, namely the error message that will indicate why the authorization failed and for which user. Continue investigating by examining the MongoDB component affected, the message generate, Source IP/Port and various attributes associated with the relevant component and/or error. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection. MITRE Tactic: TA0001 MITRE Technique: T1133

Fatal Event Detected

This alert will trigger when a MongoDB log with a Severity level of Fatal is detected. You can learn more about the MongoDB logs severity levels here: https://www.mongodb.com/docs/manual/reference/log-messages/#std-label-log-severity-levels Impact Context dependent. Mitigation Context dependent. Start investigating by examining the MongoDB component affected, the message generate, Source IP/Port and various attributes associated with the relevant component and/or error. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection.

Error Event Detected

This alert will trigger when a MongoDB log with a Severity level of Error is detected. Impact Context dependent. Mitigation Context dependent. Start investigating by examining the MongoDB component affected, the message generate, Source IP/Port and various attributes associated with the relevant component and/or error. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection.

Warning Event Detected

This alert will trigger when a MongoDB log with a Severity level of Warning is detected. You can learn more about the MongoDB logs severity levels here: https://www.mongodb.com/docs/manual/reference/log-messages/#std-label-log-severity-levels Impact Context dependent. Mitigation Context dependent. Start investigating by examining the MongoDB component affected, the message generate, Source IP/Port and various attributes associated with the relevant component and/or error. Make sure to investigate based on activity that is part of the same context ID/number, as it represents a single connection.

Integration

Learn more about Coralogix's out-of-the-box integration with MongoDB in our documentation.

Read More
Schedule Demo