Quick Start Security for OpenVPN

OpenVPN

Coralogix Extension For OpenVPN Includes:

Alerts - 7

Stay on top of OpenVPN key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Failed authentication to the web UI

This alert triggers on a failed authentication attempt to the web UI. Malicious actors try to authenticate to the company's VPN web UI in order to create new profiles or compromise already existing profiles, with the aim of preventing users from accessing critical/sensitive assets.
Impact: Malicious actors might compromise the availability of critical/sensitive assets.
Mitigation: Validate with the user that they were the one who failed the authentication. If needed, enforce a password change for the relevant user. If needed, block the source IP in the organization's firewall. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

Failed authentication attempt from a new IP address

This alert triggers when there is a failed authentication attempt from an IP address that was not seen in the last 7 days. This type of activity can be caused by a traveling user or by a malicious actor trying to gain access to company resources.
Impact: Malicious actors might gain access to sensitive assets and data.
Mitigation: Validate the origin of the IP address. Validate with the user that they were the one who performed this authentication attempt. If needed, enforce password changes on company devices for the relevant users. If needed, block the source IP in the organization's firewall. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

Failed authentication attempt for a newly seen user

This alert triggers when a user that was not seen in the last 7 days fails an authentication attempt. Malicious actors try to authenticate to the company's VPN in order to gain access to sensitive assets.
Impact: Malicious actors might gain access to sensitive assets and data.
Mitigation: Validate the origin of the IP address. If needed, enforce password changes on company devices for the relevant users. If needed, block the source IP in the organization's firewall. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

Same user failed authentication from multiple IPs

This alert triggers when a single user fails VPN authentication from more than 10 IP addresses within a 10-minute time range. Failed authentication from multiple IP addresses indicates that a malicious actor has got hold of the user's credentials and is trying to authenticate to the company's VPN solution in order to gain access to sensitive resources.
Impact: Malicious actors might gain access to sensitive assets and data.
Mitigation: Confirm with the user whether they caused those authentication attempts. Enforce password changes on company devices for the relevant user. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

Multiple users failed authentication from single IP

This alert triggers when more than 10 different users fail VPN authentication from a single IP address. Malicious actors try to authenticate to the company's VPN from compromised computers in order to gain access to sensitive assets. This type of activity can indicate a brute-force attack trying to obtain user credentials and company access.
Impact: Malicious actors might gain access to sensitive assets and data.
Mitigation: Validate the origin of the IP address. Enforce password changes on company devices for the relevant users. If needed, block the source IP in the organization's firewall. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

Multiple user authentication failures

This alert triggers when the same user fails more than 5 authentication attempts from the same IP address. Malicious actors try to authenticate to the company's VPN from compromised computers in order to gain access to sensitive assets.
Impact: Malicious actors might gain access to sensitive assets and data.
Mitigation: Validate the origin of the IP address. If needed, enforce password changes on company devices for the relevant users. If needed, block the source IP in the organization's firewall. If needed, investigate further according to company policy.
MITRE Tactic: TA0001 MITRE Technique: T1078

No logs from OpenVPN

This rule detects when there have been no OpenVPN logs in the customer account for the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.
Impact: Disabling logging is a tactic adversaries might employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.
Mitigation: Address logging gaps to ensure comprehensive monitoring within the Coralogix SIEM system.
MITRE Tactic: TA0005 MITRE Technique: T1562
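The seven alerts above are all counting rules over failed-authentication events: a 7-day "not seen before" lookback for IPs and users, distinct-IP and distinct-user counts in a sliding window, a repeat count per user/IP pair, and a silence check for the log source. The following Python script is an added example written for this page; it is not Coralogix's alert engine and not OpenVPN code. It parses a constructed line format (`<timestamp> AUTH_FAILED user=<name> src=<ip>`, an assumption, since real OpenVPN auth-failure messages depend on the deployment and auth plugin), then evaluates the rules with the page's thresholds. The page gives a 10-minute window only for the "same user, multiple IPs" rule; reusing that window for the "multiple users from one IP" and "same user and IP, more than 5 failures" rules is an assumption, exposed as the `window` parameter. Sample traffic uses RFC 5737 documentation addresses and is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format, assumed for this example; real OpenVPN auth-failure
# messages vary by deployment and auth plugin, so adapt LINE_RE to your own logs.
#   <ISO-8601 timestamp> AUTH_FAILED user=<name> src=<ip>
LINE_RE = re.compile(r"^(\S+) AUTH_FAILED user=(\S+) src=(\S+)$")


def parse(lines):
    """Turn constructed log lines into a time-sorted list of (ts, user, ip)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            events.append((ts, m.group(2), m.group(3)))
    return sorted(events)


def detect(events, baseline=(), lookback=timedelta(days=7),
           window=timedelta(minutes=10), ip_threshold=10,
           user_threshold=10, repeat_threshold=5):
    """Evaluate the failed-authentication rules over a stream of events.

    baseline: older events that only seed the "last seen" state, so that a
    user or IP already known from them does not count as new.
    Returns {rule_name: set of keys that tripped it}.
    """
    alerts = defaultdict(set)
    ip_last_seen, user_last_seen = {}, {}
    for ts, user, ip in sorted(baseline):
        ip_last_seen[ip] = ts
        user_last_seen[user] = ts

    per_user = defaultdict(list)   # user -> [(ts, ip)] inside the window
    per_ip = defaultdict(list)     # ip -> [(ts, user)] inside the window
    per_pair = defaultdict(list)   # (user, ip) -> [ts] inside the window
    for ts, user, ip in sorted(events):
        # "New IP" / "newly seen user": not seen during `lookback` (7 days)
        if ip not in ip_last_seen or ts - ip_last_seen[ip] > lookback:
            alerts["new_ip"].add(ip)
        if user not in user_last_seen or ts - user_last_seen[user] > lookback:
            alerts["new_user"].add(user)
        ip_last_seen[ip] = ts
        user_last_seen[user] = ts

        # Same user, more than 10 distinct IPs within the 10-minute window
        per_user[user] = [(t, i) for t, i in per_user[user] + [(ts, ip)]
                          if ts - t <= window]
        if len({i for _, i in per_user[user]}) > ip_threshold:
            alerts["user_multi_ip"].add(user)

        # Same IP, more than 10 distinct users (window reuse is an assumption)
        per_ip[ip] = [(t, u) for t, u in per_ip[ip] + [(ts, user)]
                      if ts - t <= window]
        if len({u for _, u in per_ip[ip]}) > user_threshold:
            alerts["ip_multi_user"].add(ip)

        # Same user and IP, more than 5 failures (window reuse is an assumption)
        per_pair[(user, ip)] = [t for t in per_pair[(user, ip)] + [ts]
                                if ts - t <= window]
        if len(per_pair[(user, ip)]) > repeat_threshold:
            alerts["user_ip_failures"].add((user, ip))
    return dict(alerts)


def logs_missing(events, now, gap=timedelta(hours=12)):
    """'No logs from OpenVPN': nothing received within `gap` of `now`."""
    return not events or now - max(e[0] for e in events) > gap


# Constructed sample traffic (RFC 5737 documentation addresses), not real logs.
T0 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def stamp(seconds):
    return (T0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")


BASELINE_LINES = [f"{stamp(-2 * 86400)} AUTH_FAILED user=alice src=198.51.100.7"]
SAMPLE_LINES = (
    [f"{stamp(0)} AUTH_FAILED user=alice src=203.0.113.5"]  # known user, new IP
    + [f"{stamp(30 * i)} AUTH_FAILED user=bob src=203.0.113.9" for i in range(6)]
    + [f"{stamp(30 * i)} AUTH_FAILED user=carol src=192.0.2.{i + 1}" for i in range(11)]
    + [f"{stamp(30 * i)} AUTH_FAILED user=user{i:02d} src=203.0.113.50" for i in range(11)]
)
NOW_SOON = T0 + timedelta(hours=1)    # logs still fresh
NOW_LATE = T0 + timedelta(hours=13)   # more than 12 hours of silence


def run_example():
    return detect(parse(SAMPLE_LINES), parse(BASELINE_LINES))


if __name__ == "__main__":
    for rule, keys in sorted(run_example().items()):
        print(f"{rule}: {sorted(map(str, keys))}")
    print("no logs (13h later):", logs_missing(parse(SAMPLE_LINES), NOW_LATE))
```

On the sample, alice trips only "new IP" because the baseline already knows her; bob trips the repeat-failure rule with 6 attempts from one address; carol trips the multi-IP rule with 11 addresses; and the 11 distinct users from 203.0.113.50 trip the multi-user rule. Because each rule returns the key that tripped it, the output maps directly onto the mitigation steps in the alert descriptions (which user to confirm with, which source IP to validate or block).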

Integration

Learn more about Coralogix's out-of-the-box integration with OpenVPN in our documentation.
