Successful VPN connections from different source IP addresses within specific time interval
This alert triggers when the SIEM detects VPN connections from two or more IP addresses within a specific time interval for the same user account. This may indicate that an account has been compromised and malicious actors connect simultaneously from different locations (impossible travel scenario).
MITRE ATT&CK Tactics
1. This alert does not take geo-location data, therefore some false positives can be encountered if VPN session drops and a new IP address is allocated from the ISP provider
1. Investigate the impacted VPN accounts status and ownership
2. If required, reset account access credentials
3. Reach out to end user to validate the situation
4. If proven not be a false positive, perform an investigation via Azure Sentinel console to find out if any other connections inside of corporate network was completed by the VPN users.
5. For extreme conditions, it is recommended to reset all user account credentials across all internal systems where the account is present.