SIEM Use Cases

How to Detect Abnormal VPN User

Employees of corporate firms work in offices and on the field in geographically different places. It is very difficult for these locations and staff to connect to the headquarters from point to point due to costs and infrastructure problems. In these cases, the offices and staff need to securely connect to the headquarters. In order to meet this need, virtual private networks that cryptically carry the outgoing data to the Internet were developed. VPN connections can be conducted between two locations or with the VPN software (VPN Client) installed on the staff computer. As a result of the increased managerial costs due to the VPN software installed on the computer, web-based VPN solutions (SSL VPN) were created. Illegally exploiting these accesses is possible by obtaining the user access information. Illegal VPN access points to the fact that the user broke the speed obstacle and was able to access sources in faraway places in a very short time period.

How to detect Abnormal VPN User

Logsign USO Platform tool can monitor all logs on the VPN condenser and detect the user behind each new connection request and their IP address. When the previous connection request from the same user is concerned, the platform can check both the time and the IP address of this access. Later on, it can associate the IP addresses (Geo Location) with geographical location coordinates by using any prestigious third-party service.

VPN access source logs of the users are collected, and the VPN access detection process begins with Logsign USO platform correlation techniques.


Correlation processes and statistical behavior analysis are conducted in order to list the geographical locations where the user connected at specific times.


Following these steps, correlation rules are triggered, and the case investigation begins from the event management module.


It centralizes security event data and correlates it to facilitate efficient incident response workflows. By integrating with ticketing systems and other incident response tools, it enables security teams to automate the incident response process. Logsign can trigger automatic actions such as isolating a compromised host, blocking malicious IP, Username, URL, Domain, and Hash information, reducing response times, and minimizing the impact of security incidents.

Other SIEM Use Cases