Detecting A User Logged Via LAN and Simultaneously Connected to VPN by Designing a Rule with SureLog SIEM
Scenario: This correlation scenario enables the detection of abnormal events in remote connection sessions that are unlikely to occur when users perform their routine tasks. According to this scenario; while a user is logged on to a remote machine through VPN, another user logs in to a remote machine by using that user’s VPN account information. In this case, it is necessary to determine the VPN account information used by the user trying to perform this unwanted situation and from which machine this action is performed. The user behavior correlation rules and alarms shown below describe the steps for determining the situation in the scenario.
This correlation rule uses SureLog’s Expiring List feature, which is automatically deleted after a while. The difference of the Expiring List from the normal lists is that the data in the list is kept in the list for a certain period of time and then deleted. Here we can determine how long to keep the data in the list.
In this correlation scenario, the steps required for the detection of undesired situation are:
The First Correlation Rule: The correlation rule named Monitor the same user logged in both over Remote Desktop and VPN checks whether the user information in the VPN session is in the Logged Users expiring list.
As this correlation rule will check the Logged Users expiring list, this correlation rule must be run firstly as the nature of the scenario. By enabling the Advanced Configuration tab of the correlation rule, the priority of the correlation rule can be changed. By default, all correlation rules have a working priority of 100. Priority is given to the operation of this correlation rule by setting its working priority as 105.
Alarm of The First Correlation Rule: While the Logged Users list contains the source account information (While the user is logged on), an alert is sent by mail if the attacker who has captured the same user account tries to log on to the same machine over VPN from another machine.
Second Correlation Rule: Checks whether the user has opened a remote connection session.
Alarm of Second Correlation Rule: This information is added to the list if the source account information in the user’s remote session logs is not in the Logged Users list.
Third Correlation Rule: Controls whether the user is terminating a remote session connection.
Alarm of Third Correlation Rule: When the user terminates remote session, the source account information in the user’s remote session logs is deleted from the Logged Users list.
This is a chained scenario and we’ve created this scenario with 3 simple steps as above.
With this scenario, when a VPN connection detects by SureLog, first job is to check and see if the user information is in the ‘Logged Users’ expiring list. If the user information is already in the list, the system generates an alarm and then the account information used by the user who is trying VPN and the machine information from which this action is performed, comes as an alarm by e-mail. If not listed, this information is added to the list. If the user logoff, another rule automatically deletes the user information from the list so that session tracking becomes automatic.
As a result of this scenario, while a session is open, it is detected if the second attempt is performed to open the session over VPN with the same user from another machine.