IBM Cloud Docs
MongoDB extension

In IBM Cloud Logs, you can use the MongoDB extension to gain security insights using the logs that are generated in an IBM Cloud account.

MongoDB is a source-available, cross-platform, document-oriented database program. Classified as a NoSQL database product, MongoDB utilizes JSON-like documents with optional schemas.

What this extension deploys

This extension deploys the following items.

Items included when the extension is deployed

  Includes             Number
  Alerts               8
  Dashboards           5
  Enrichments          0
  Events to metrics    5
  Rules                1
  Views                0

Before deploying this extension, make sure that deploying the extension will not cause you to exceed limits for your IBM Cloud Logs instance. If deploying the extension results in limits being exceeded, the deployment will fail.

Deploying the extension

You can deploy this extension in any IBM Cloud Logs instance that collects MongoDB logs. The MongoDB extension includes security alerts and custom dashboards that provide insights into various components of MongoDB.

For more information about deploying the extension, see Deploying, managing, and removing IBM Cloud Logs extensions.

After deploying, verify that the extension configuration handles data in a way that matches the TCO configuration of your IBM Cloud Logs instance. Alerts, dashboards, and events to metrics are features available for data handled through the Analyze and alert and the Priority insights data pipelines. For example, if you have TCO policies sending data to the Analyze and alert pipeline, you will need to change the dashboards configured by this extension to use Analyze and alert data instead of Priority insights data.

Dashboard

Five dashboards are provided, each presenting data from MongoDB logs.

MongoDB - Client Metadata Overview

This dashboard provides an overview of MongoDB client metadata. The dashboard includes:

  • Client metadata connections over time by context
  • Total unique client metadata connections
  • Latest activity
  • Top source IPs
  • Source country distribution
  • Top application names
  • Driver names and versions
  • Platform distribution
  • OS architecture distribution

MongoDB - Access Overview

This dashboard provides an overview of the access component, authentication, and authorization activity in MongoDB. The dashboard includes:

  • Access activity over time by message
  • Successful authentication
  • Failed authentication
  • Failed authorization
  • Authentication DB distribution
  • Authentication mechanism distribution
  • Speculative authentication status distribution
  • Latest successful authentication events
  • Latest failed authentication events

MongoDB - General Overview

This dashboard provides a general overview of MongoDB activity over all components. This dashboard includes:

  • Events by components
  • Last activity
  • Top-10 messages
  • Top source IPs
  • Distribution of source countries
  • Distribution of events per component

MongoDB - Network Overview

This dashboard provides an overview of network component activity. The dashboard includes:

  • Network events over time
  • Connection count over time
  • Connection count
  • Source country distribution
  • Latest activity
  • Top source IPs
  • Top-10 messages

MongoDB - Other Components Overview

This dashboard provides an overview of the SHARDING, STORAGE, and CONTROL MongoDB components. The dashboard includes:

  • Events over time by component
  • SHARDING events by context
  • Last SHARDING messages
  • Top SHARDING messages
  • STORAGE events by context
  • Last STORAGE messages
  • Top STORAGE messages
  • CONTROL events by context
  • Last CONTROL messages
  • Top CONTROL messages

Alerts

You can deploy any of the following alerts:

  • MongoDB - Possible Brute Force Detected: This alert triggers when MongoDB ACCESS logs indicate a series of failed authentication attempts for different users in a short period of time.

  • MongoDB - Authentication Succeeded for Same User from different IPs: This alert triggers when MongoDB ACCESS logs indicate that the same user authenticated successfully from different IPs in a short period of time (impossible traveler scenario).

  • MongoDB - Authentication Succeeded from Public IP: This alert triggers when a MongoDB ACCESS log indicates a successful authentication from a public IP.

  • MongoDB - Authentication Failed: This alert triggers when a MongoDB ACCESS log indicating a failed authentication attempt is received.

  • MongoDB - Checking Authorization Failed: This alert triggers when a MongoDB ACCESS log indicating that an authorization check failed is detected.

  • MongoDB - Fatal Event Detected: This alert will trigger when a MongoDB log with a Severity level of Fatal is detected. See the MongoDB documentation for information about the MongoDB log severity levels.

  • MongoDB - Error Event Detected: This alert will trigger when a MongoDB log with a Severity level of Error is detected. See the MongoDB documentation for information about the MongoDB log severity levels.

  • MongoDB - Warning Event Detected: This alert will trigger when a MongoDB log with a Severity level of Warning is detected. See the MongoDB documentation for information about the MongoDB log severity levels.

Rules

One rule is provided to extract IP and port information from the log message.
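As an added example (not code from the IBM Cloud Logs extension itself), the following Python sketches the logic behind the ACCESS alerts listed above and the IP/port extraction this rule performs, run over constructed MongoDB structured-log lines. The window sizes, thresholds, sample users and addresses are assumptions; the extension's own thresholds are not stated on this page.

```python
import ipaddress
import json
from datetime import datetime, timedelta


def _evt(ts, sev, comp, msg, user, remote):
    # Build one constructed line in MongoDB's structured (JSON) log format.
    return json.dumps({"t": {"$date": ts}, "s": sev, "c": comp, "msg": msg,
                       "attr": {"principalName": user, "remote": remote}})


# Constructed sample log lines: field names follow MongoDB's format, the events are made up.
SAMPLE_LOGS = [
    _evt("2024-05-01T10:00:00Z", "I", "ACCESS", "Authentication failed", "alice", "10.0.0.5:51234"),
    _evt("2024-05-01T10:00:02Z", "I", "ACCESS", "Authentication failed", "bob", "10.0.0.5:51235"),
    _evt("2024-05-01T10:00:04Z", "I", "ACCESS", "Authentication failed", "carol", "10.0.0.5:51236"),
    _evt("2024-05-01T10:05:00Z", "I", "ACCESS", "Authentication succeeded", "dave", "10.0.0.9:40000"),
    _evt("2024-05-01T10:06:00Z", "I", "ACCESS", "Authentication succeeded", "dave", "11.22.33.44:40001"),
]


def parse(line):
    """Parse one line and split attr.remote into ip and port, as the extension's rule does."""
    rec = json.loads(line)
    ip, _, port = rec["attr"]["remote"].rpartition(":")
    return {"ts": datetime.fromisoformat(rec["t"]["$date"].replace("Z", "+00:00")),
            "severity": rec["s"], "component": rec["c"], "msg": rec["msg"],
            "user": rec["attr"].get("principalName"), "ip": ip, "port": int(port)}


def _access(events, msg):
    return [e for e in events if e["component"] == "ACCESS" and e["msg"] == msg]


def brute_force(events, window=timedelta(minutes=1), min_users=3):
    """True when failed authentications for min_users distinct users fall in one window (thresholds assumed)."""
    fails = _access(events, "Authentication failed")
    return any(len({f["user"] for f in fails if timedelta(0) <= f["ts"] - e["ts"] <= window}) >= min_users
               for e in fails)


def impossible_traveler(events, window=timedelta(minutes=10)):
    """Users with successful authentications from more than one source IP inside the window."""
    ok = _access(events, "Authentication succeeded")
    return {e["user"] for e in ok
            if len({o["ip"] for o in ok if o["user"] == e["user"] and abs(o["ts"] - e["ts"]) <= window}) > 1}


def public_ip_logins(events):
    """Source IPs of successful authentications from globally routable (public) addresses."""
    return {e["ip"] for e in _access(events, "Authentication succeeded") if ipaddress.ip_address(e["ip"]).is_global}


EVENTS = [parse(line) for line in SAMPLE_LOGS]
```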

Events to metrics

You can deploy any of the following events to metrics configurations. For details about the created metrics, see the events to metrics definitions.

These events to metrics configurations are used by the extension dashboards. If a dashboard is missing data, make sure the corresponding events to metrics configuration is deployed and working correctly for your environment.

  • MongoDB_Access_Metrics
  • MongoDB_General_Metrics
  • MongoDB_Client_Metadata_Metrics
  • MongoDB_Network_Metrics
  • MongoDB_Other_Component_Metrics