
MongoDB access allowed from anywhere

Panther Rules

Summary
This detection monitors MongoDB Atlas project events for a dangerous change to a project's IP access list. It fires when the address '0.0.0.0/0' is added to the list, because that entry permits connection attempts from any address on the internet and leaves the database protected by credentials alone. The rule is rated high severity because of the risk of unauthorized database access that such a misconfiguration creates. When it fires, confirm promptly with the actor whether the entry was intended, and remove '0.0.0.0/0' if it was not; legitimate access should be granted to specific addresses or narrow CIDR ranges instead. The rule consumes logs of type 'MongoDB.ProjectEvent', which record additions to and removals from the IP access list. Its unit tests cover both outcomes: an event adding '0.0.0.0/0' is expected to trigger an alert, while an event adding a specific IP address is expected not to.
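The following is an added, illustrative Panther-style rule written for this page; it is not the rule's own source code. It reads MongoDB.ProjectEvent records as plain dictionaries and uses the Atlas project-event field names `eventTypeName`, `whitelistEntry`, `groupId` and `username`, and the event type `NETWORK_PERMISSION_ENTRY_ADDED`, all of which are assumptions here rather than facts stated on the page. It goes slightly beyond the literal '0.0.0.0/0' match described above by normalising the entry as a CIDR network, so that any prefix of length zero (the whole address space, however it is spelled) is treated as "anywhere", and it deliberately ignores removal events so that cleaning up the bad entry does not itself raise an alert. The sample events at the bottom are constructed, not real Atlas output.

```python
"""
Illustrative detection for "MongoDB access allowed from anywhere".

Fires when a MongoDB Atlas project's IP access list gains an entry that
permits the entire internet. Field and event-type names follow the Atlas
project-event schema as assumed here; verify them against your own logs.
"""
import ipaddress

# Event type Atlas is assumed to emit when an access-list entry is added.
ADD_EVENT = "NETWORK_PERMISSION_ENTRY_ADDED"


def allows_anywhere(entry):
    """True if the access-list entry covers every address.

    Atlas writes the canonical '0.0.0.0/0', but normalising through the
    ipaddress module also catches non-canonical spellings such as
    '198.51.100.0/0', which name the same network. Entries that are not
    CIDR notation (for example an AWS security-group ID) never match.
    """
    if not isinstance(entry, str):
        return False
    try:
        net = ipaddress.ip_network(entry.strip(), strict=False)
    except ValueError:
        return False
    return net.prefixlen == 0


def rule(event):
    """Rule entry point in the Panther style: alert on additions only."""
    if event.get("eventTypeName") != ADD_EVENT:
        return False
    return allows_anywhere(event.get("whitelistEntry"))


def title(event):
    """Alert title naming the actor, the entry and the project."""
    return (
        f"MongoDB Atlas: [{event.get('username', '<unknown>')}] added "
        f"[{event.get('whitelistEntry')}] to the IP access list of project "
        f"[{event.get('groupId', '<unknown>')}]"
    )


def evaluate(events):
    """Run the rule over a batch of events and return the resulting alert titles."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (not real Atlas output), trimmed to the fields the rule reads.
SAMPLE_EVENTS = [
    # 1. The misconfiguration the page describes: must alert.
    {"eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED", "whitelistEntry": "0.0.0.0/0",
     "groupId": "proj-example-1", "username": "alice@example.com"},
    # 2. A specific address from the TEST-NET-3 documentation range: must not alert.
    {"eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED", "whitelistEntry": "203.0.113.7/32",
     "groupId": "proj-example-1", "username": "alice@example.com"},
    # 3. Removing the open entry is remediation, not a new exposure: must not alert.
    {"eventTypeName": "NETWORK_PERMISSION_ENTRY_REMOVED", "whitelistEntry": "0.0.0.0/0",
     "groupId": "proj-example-1", "username": "bob@example.com"},
    # 4. Non-canonical spelling of the whole IPv4 space: alerts after normalisation.
    {"eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED", "whitelistEntry": "198.51.100.0/0",
     "groupId": "proj-example-2", "username": "carol@example.com"},
    # 5. Malformed event without an entry: must not crash or alert.
    {"eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED",
     "groupId": "proj-example-2", "username": "carol@example.com"},
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

When adapting this to a real Panther deployment, keep the event-type check in front of the address check: the same `whitelistEntry` value appears on removal events, and a rule that only looks at the address will fire again while the responder is fixing the problem.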
Categories
  • Cloud
  • Database
Data Sources
  • Service
  • Logon Session
ATT&CK Techniques
  • T1556.009
  • T1021.007
Created: 2024-04-09