• Monitor VPN connection from an anonymous proxy
o Monitor connection to VPN providers and datacenters. Sample list:
https://github.com/MISP/misp-warninglists/blob/main/lists/vpn-ipv4/list.json
• vpnoverdns.com is a free service providing VPN functionality over DNS. DNS resolutions for *.tun.vpnoverdns.com indicate usage of their VPN service. The service describes itself as “Data exfiltration, for those times when everything else is blocked.” Detect DNS requests to “*.tun.vpnoverdns.com”.
• Detect multiple VPN logon failures
• Detect too many failed VPN logins
• Detect VPN access from a disabled account
• Detect VPN connection source IP from an unauthorized location
• Detect VPN activity from a malicious/blacklisted network address
• Detect Local Login and VPN Login by Same User
• Detect Successful VPN Logon From Outside your Country
• Detect Successful VPN connections from different geo-locations, as your users are only supposed to be working from certain geographies
• Detect Unusual Top User
• Detect User Login from 2+ Countries Within 1 Hour
• Detect Abnormal VPN session duration
• Detect First VPN connection from an unknown device
• Detect First VPN connection from a device for a user
• Detect First VPN connection from a device for organization
• Detect First VPN access from a new device
• Detect Abnormal amount of data uploaded during a VPN session
• Detect Increase of company-related data files access during VPN connection
• Detect MFA from a new device for a user
• Detect Physical badge access after VPN access
• Detect Malicious VPN source IP
• Track users that log on via VPN and then go on to log on to servers in your environment
• Detect Multiple VPN accounts failed login from single IP
• Detect a successful VPN login followed by the transfer of one or more files to the source host, followed by a VPN logoff by the same user within 2 minutes.
• Detect 2 concurrent logins from 2 remote locations
• Detect multiple concurrent VPN/remote access logins from different locations using the same user account
• Create an alert for when a specific user logs in via VPN
• Detect VPN Connection beyond 24 Hours
• Detect VPN Access from Internal IP Address
• Detect VPN access from overseas
• Detect Long-lasting VPN session
• Detect VPN connection from a non-whitelisted country
• Detect unauthorized VPN usage
• Detect concurrent VPN authentications from the same user
• Detect if a security alert (malware found on host) is triggered during a VPN session
• Detect when a user VPNs to the network from a new location for the first time, then accesses a shared file system
• Detect when a VPN connection is created with a service or machine account
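
An added example, not from the original post: the "User Login from 2+ Countries Within 1 Hour" use case written as a sliding-window check in Python. The event tuple layout, the sample events and the pre-resolved country code are assumptions; map them to your own VPN log schema and GeoIP enrichment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)  # "within 1 hour" from the use case

# Constructed sample events (not real logs): time, user, result, country.
# Assumes the source IP was already enriched with a GeoIP country code.
SAMPLE_EVENTS = [
    ("2023-06-15T08:00:00", "alice", "success", "US"),
    ("2023-06-15T08:10:00", "bob",   "success", "DE"),
    ("2023-06-15T08:20:00", "alice", "failure", "RU"),  # failed login: ignored
    ("2023-06-15T08:40:00", "alice", "success", "BR"),  # 2nd country in 40 min
    ("2023-06-15T09:30:00", "bob",   "success", "FR"),  # 80 min later: no alert
    ("2023-06-15T12:00:00", "carol", "success", "US"),
    ("2023-06-15T12:30:00", "carol", "success", "US"),  # same country: no alert
]

def detect_multi_country(events, window=WINDOW, min_countries=2):
    """Return one alert per successful login that puts a user in at least
    min_countries distinct countries inside the sliding window."""
    recent = defaultdict(deque)  # user -> deque of (time, country)
    alerts = []
    # Sort first: collectors often deliver VPN events out of order.
    parsed = sorted((datetime.fromisoformat(t), u, r, c) for t, u, r, c in events)
    for ts, user, result, country in parsed:
        if result != "success":
            continue  # failed attempts belong to the logon-failure use cases
        q = recent[user]
        q.append((ts, country))
        # Drop logins older than the window (exactly one hour still counts).
        while ts - q[0][0] > window:
            q.popleft()
        countries = sorted({c for _, c in q})
        if len(countries) >= min_countries:
            alerts.append({"user": user, "time": ts.isoformat(),
                           "countries": countries})
    return alerts

if __name__ == "__main__":
    for alert in detect_multi_country(SAMPLE_EVENTS):
        print(alert)
```
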

Published On: June 15th, 2023 / Categories: Blog /
