Quick Start Security for MongoDB
Coralogix Extension For MongoDB Includes:
Dashboards - 5
Gain instantaneous visualization of all your MongoDB data.
Alerts - 8
Stay on top of MongoDB key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
Possible Brute Force Detected
This alert triggers on MongoDB ACCESS log messages showing a series of failed authentication attempts, originating from different users, within a short period of time.
Impact: Can be indicative of an attacker attempting to brute-force access to MongoDB.
Mitigation: Check and confirm whether this was legitimate activity. In the attribute log fields, note the Authentication DB, Principal Name and Source IP/Port, and check whether these originate from a legitimate source. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
MITRE Tactic: TA0001 (Initial Access) MITRE Technique: T1133 (External Remote Services)
Authentication Succeeded for Same User from different IPs
This alert triggers on MongoDB ACCESS log messages showing successful authentication of the same user from different IPs within a short period of time (impossible traveler scenario).
Impact: Can be indicative of an attacker-controlled user using stolen credentials to access the DB from outside the internal network, establishing an initial foothold.
Mitigation: Check and confirm whether this was legitimate activity. In the attribute log fields, note the Authentication DB, Principal Name and Source IP/Port, and check whether these originate from a legitimate source. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
MITRE Tactic: TA0001 (Initial Access) MITRE Technique: T1133 (External Remote Services)
Authentication Succeeded from Public IP
This alert triggers on a MongoDB ACCESS log message showing a successful authentication from a public IP address.
Impact: Can be indicative of an attacker-controlled user using stolen credentials to access the DB from outside the internal network, establishing an initial foothold.
Mitigation: Check and confirm whether this was legitimate activity. In the attribute log fields, note the Authentication DB, Principal Name and Source IP/Port, and check whether these originate from a legitimate source. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
MITRE Tactic: TA0001 (Initial Access) MITRE Technique: T1133 (External Remote Services)
Authentication Failed
This alert triggers when a MongoDB ACCESS log message indicating a failed authentication attempt is received.
Impact: Can be indicative of a user mistyping their credentials, or of a possible brute-force attempt.
Mitigation: Check the error attributes, namely the error message, which indicates why the authentication failed and for which user. Continue investigating by examining the MongoDB component affected, the message generated, Source IP/Port and the other attributes associated with the relevant component and/or error. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
MITRE Tactic: TA0001 (Initial Access) MITRE Technique: T1133 (External Remote Services)
Checking Authorization Failed
This alert triggers when a MongoDB ACCESS log message indicating that an authorization check failed is detected. Note that an authorization failure occurs after a successful authentication: the user is known to the server but lacks the privilege for the command it attempted.
Impact: Can be indicative of an automation misconfiguration in legitimate cases, or of a brute-force attempt in a malicious context.
Mitigation: Check the error attributes, namely the error message, which indicates why the authorization failed and for which user. Continue investigating by examining the MongoDB component affected, the message generated, Source IP/Port and the other attributes associated with the relevant component and/or error. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
MITRE Tactic: TA0001 (Initial Access) MITRE Technique: T1133 (External Remote Services)
Fatal Event Detected
This alert triggers when a MongoDB log message with a severity level of Fatal (F) is detected. Fatal is the highest severity level; it accompanies a fatal assertion, after which the mongod or mongos process exits, so expect an outage. You can learn more about MongoDB log severity levels here: https://www.mongodb.com/docs/manual/reference/log-messages/#std-label-log-severity-levels
Impact: Context dependent.
Mitigation: Context dependent. Start investigating by examining the MongoDB component affected, the message generated, Source IP/Port and the other attributes associated with the relevant component and/or error. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
Error Event Detected
This alert triggers when a MongoDB log message with a severity level of Error (E) is detected.
Impact: Context dependent.
Mitigation: Context dependent. Start investigating by examining the MongoDB component affected, the message generated, Source IP/Port and the other attributes associated with the relevant component and/or error. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
Warning Event Detected
This alert triggers when a MongoDB log message with a severity level of Warning (W) is detected. You can learn more about MongoDB log severity levels here: https://www.mongodb.com/docs/manual/reference/log-messages/#std-label-log-severity-levels
Impact: Context dependent.
Mitigation: Context dependent. Start investigating by examining the MongoDB component affected, the message generated, Source IP/Port and the other attributes associated with the relevant component and/or error. Investigate all activity that shares the same context ID/number (the ctx field, e.g. conn42, in structured logs), as it represents a single connection.
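The ACCESS alerts (brute force, same user from different IPs, success from a public IP, failed authentication and failed authorization check) and the severity alerts above, run as detection logic over a few constructed MongoDB log lines. This is an added example, not Coralogix's extension code or anything from MongoDB. It assumes the 4.4+ structured JSON log format (fields t, s, c, id, ctx, msg, attr) with the client address in attr.remote or attr.client, illustrative windows (60 seconds for the brute-force burst, 5 minutes for the impossible traveler) and a three-user threshold, and treats "public" as globally routable per Python's ipaddress.is_global. The sample lines, their message ids and the connection pivot on ctx are constructed for the demonstration.

```python
"""Added example (not Coralogix's or MongoDB's code): the page's ACCESS-log and
severity alerts run over constructed MongoDB structured (JSON) log lines.
Assumed: the 4.4+ format (t, s, c, id, ctx, msg, attr) with the client address
in attr.remote or attr.client; windows and thresholds are illustrative."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not captured from a real server (message ids illustrative;
# detection keys on c, s and msg). conn11-13: three users fail from one source in
# 30 s; conn20/21: "app" succeeds from an internal then a routable address a minute
# apart and conn21 then fails an authorization check; last line: a Warning.
SAMPLE_LOG = r'''
{"t":{"$date":"2024-01-10T10:00:01.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn11","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"admin","authenticationDatabase":"admin","remote":"10.0.0.99:50123","result":"AuthenticationFailed: SCRAM authentication failed, storedKey mismatch"}}
{"t":{"$date":"2024-01-10T10:00:12.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn12","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"root","authenticationDatabase":"admin","remote":"10.0.0.99:50124","result":"UserNotFound: Could not find user \"root\" for db \"admin\""}}
{"t":{"$date":"2024-01-10T10:00:25.000+00:00"},"s":"I","c":"ACCESS","id":20249,"ctx":"conn13","msg":"Authentication failed","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"backup","authenticationDatabase":"admin","remote":"10.0.0.99:50125","result":"UserNotFound: Could not find user \"backup\" for db \"admin\""}}
{"t":{"$date":"2024-01-10T10:05:00.000+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn20","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app","authenticationDatabase":"appdb","remote":"10.0.0.5:41880","extraInfo":{}}}
{"t":{"$date":"2024-01-10T10:06:00.000+00:00"},"s":"I","c":"ACCESS","id":20250,"ctx":"conn21","msg":"Authentication succeeded","attr":{"mechanism":"SCRAM-SHA-256","speculative":false,"principalName":"app","authenticationDatabase":"appdb","client":"11.22.33.44:41881","extraInfo":{}}}
{"t":{"$date":"2024-01-10T10:06:05.000+00:00"},"s":"I","c":"ACCESS","id":20436,"ctx":"conn21","msg":"Checking authorization failed","attr":{"error":{"code":13,"codeName":"Unauthorized","errmsg":"not authorized on admin to execute command { dropDatabase: 1.0 }"}}}
{"t":{"$date":"2024-01-10T10:07:00.000+00:00"},"s":"W","c":"STORAGE","id":22297,"ctx":"initandlisten","msg":"Using the XFS filesystem is strongly recommended with the WiredTiger storage engine","attr":{}}
'''

def parse_log(text):
    """Parse structured log lines, keeping the fields the alerts pivot on."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        attr = rec.get("attr", {})
        host, _, port = (attr.get("remote") or attr.get("client") or "").rpartition(":")
        events.append({"time": datetime.fromisoformat(rec["t"]["$date"]), "severity": rec["s"],
                       "component": rec["c"], "ctx": rec["ctx"], "msg": rec["msg"], "attr": attr,
                       "user": attr.get("principalName"), "authdb": attr.get("authenticationDatabase"),
                       "host": host.strip("[]"), "port": port})   # strip() handles "[v6]:port"
    return sorted(events, key=lambda e: e["time"])

def access_events(events, msg):
    return [e for e in events if e["component"] == "ACCESS" and e["msg"] == msg]

def brute_force(events, window=timedelta(seconds=60), min_users=3):
    """Failed authentications for >= min_users distinct principals inside one window."""
    fails, alerts, i = access_events(events, "Authentication failed"), [], 0
    while i < len(fails):
        run = [e for e in fails[i:] if e["time"] - fails[i]["time"] <= window]
        users = sorted({e["user"] for e in run})
        if len(users) >= min_users:
            alerts.append({"users": users, "sources": sorted({e["host"] for e in run}),
                           "ctx": [e["ctx"] for e in run]})
            i += len(run)                      # one alert per burst
        else:
            i += 1
    return alerts

def same_user_different_ips(events, window=timedelta(minutes=5)):
    """Successful logins for one principal from more than one address inside the window."""
    by_user = defaultdict(list)
    for e in access_events(events, "Authentication succeeded"):
        by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        for i, first in enumerate(logins):
            run = [e for e in logins[i:] if e["time"] - first["time"] <= window]
            hosts = sorted({e["host"] for e in run})
            if len(hosts) > 1:
                alerts.append({"user": user, "sources": hosts, "ctx": [e["ctx"] for e in run]})
                break
    return alerts

def is_public(host):
    try:                                       # globally routable per IANA special-purpose registries
        return ipaddress.ip_address(host).is_global
    except ValueError:                         # hostnames / Unix sockets: not treated as public
        return False

def success_from_public_ip(events):
    return [{"user": e["user"], "authdb": e["authdb"], "source": f"{e['host']}:{e['port']}",
             "ctx": e["ctx"]} for e in access_events(events, "Authentication succeeded")
            if is_public(e["host"])]

def authorization_failures(events):
    return [{"ctx": e["ctx"], "error": e["attr"].get("error", {}).get("errmsg")}
            for e in access_events(events, "Checking authorization failed")]

def severity_events(events, levels=("F", "E", "W")):
    return [{"severity": e["severity"], "component": e["component"], "ctx": e["ctx"],
             "msg": e["msg"]} for e in events if e["severity"] in levels]

def connection_timeline(events, ctx):
    """Everything logged for one connection: the pivot the alert guidance recommends."""
    return [(e["time"].isoformat(), e["msg"]) for e in events if e["ctx"] == ctx]

def run_alerts(text):
    ev = parse_log(text)
    return {"brute_force": brute_force(ev), "impossible_traveler": same_user_different_ips(ev),
            "public_ip_success": success_from_public_ip(ev),
            "authz_failed": authorization_failures(ev), "severity": severity_events(ev)}

if __name__ == "__main__":
    print(json.dumps(run_alerts(SAMPLE_LOG), indent=2))
    print(connection_timeline(parse_log(SAMPLE_LOG), "conn21"))
```

Running it fires one brute-force alert for conn11 to conn13 (three principals from 10.0.0.99 inside the window), one impossible-traveler alert for "app", one public-IP success for conn21, and one authorization failure on that same conn21; connection_timeline("conn21") then shows the login followed by the refused dropDatabase in one place, which is the same-context pivot the mitigation steps describe. Note that the authentication and authorization failures are logged at severity I, so the Error and Warning alerts do not cover them.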
Integration
Learn more about Coralogix's out-of-the-box integration with MongoDB in our documentation.