Managed Sentinel – Alert 083

Alert ID: MS-A083
Alert Name: Multiple successful VPN logins for different users from same IP address
Description: This alert indicates that two or more VPN users successfully connected from the same IP address.
Severity Level: Medium
Threat Indicator: Compromised Credentials
MITRE ATT&CK Tactics: Execution, Persistence
Log Sources: VPN
False Positives:
1. Company staff gathering in a single remote location
Recommendations:
1. Investigate the impacted VPN accounts' status and ownership
2. If required, reset the account access credentials
3. Reach out to the end user to validate the situation
4. If proven not to be a false positive, perform an investigation via the Azure Sentinel console to find out whether any other connections inside the corporate network were completed by the VPN users.
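The detection logic behind this alert, as an added Python example that is not part of the Managed Sentinel alert definition: it groups successful VPN logins by source IP and flags any IP from which two or more distinct users logged in within a time window. The log line format, the one-hour window and the allowlist parameter are assumptions; the allowlist is one way to suppress the listed false positive (a known shared office or event egress IP). The sample log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN gateway log lines (not from any real device); the
# "user=... src=... result=..." format is an assumption for this example.
SAMPLE_LOGS = [
    "2024-05-01T08:12:03Z vpn-gw user=alice src=203.0.113.10 result=success",
    "2024-05-01T08:14:40Z vpn-gw user=bob src=203.0.113.10 result=success",
    "2024-05-01T08:15:02Z vpn-gw user=carol src=198.51.100.7 result=failure",
    "2024-05-01T08:16:10Z vpn-gw user=dave src=198.51.100.7 result=success",
    "2024-05-01T09:30:00Z vpn-gw user=erin src=192.0.2.25 result=success",
    "2024-05-01T09:31:12Z vpn-gw user=frank src=192.0.2.25 result=success",
    "2024-05-01T08:20:00Z vpn-gw user=alice src=203.0.113.10 result=success",
    "2024-05-01T12:00:00Z vpn-gw user=grace src=198.51.100.7 result=success",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return (timestamp, user, ip, result) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["ip"], m["result"]


def find_shared_source_ips(lines, window=timedelta(hours=1), min_users=2,
                           allowlist=frozenset()):
    """Return {ip: sorted list of users} for every source IP from which at least
    `min_users` distinct users logged in successfully within `window` of each
    other. Failed logins are ignored; IPs in `allowlist` (e.g. a known shared
    office egress address, the false positive the alert lists) are skipped."""
    events = defaultdict(list)  # ip -> [(timestamp, user)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip, result = parsed
        if result != "success" or ip in allowlist:
            continue
        events[ip].append((ts, user))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        # Slide a window starting at each successful login for this IP and
        # collect the distinct users seen before the window expires.
        for i, (t0, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - t0 <= window}
            if len(users) >= min_users:
                findings[ip] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    for ip, users in find_shared_source_ips(SAMPLE_LOGS).items():
        print(f"MS-A083 candidate: {ip} used by {', '.join(users)}")
```

On the sample data, `203.0.113.10` (alice and bob within minutes) and `192.0.2.25` (erin and frank) are reported; `198.51.100.7` is not, because carol's login failed and grace's success falls outside the one-hour window of dave's. Widening the window or adding an IP to `allowlist` changes the result accordingly, which is the tuning an analyst would do when the false positive in the alert definition applies.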