Managed Sentinel – Alert 127

Alert ID: MS-A127

Alert Name: Successful VPN connections from different source IP addresses within a specific time interval

Description: This alert triggers when the SIEM detects successful VPN connections for the same user account from two or more source IP addresses within a specific time interval. This may indicate that the account has been compromised and that malicious actors are connecting simultaneously from different locations (an "impossible travel" scenario).

Severity Level: Medium

Threat Indicator: Compromised Credentials

MITRE ATT&CK Tactics: Execution, Credential Access

Log sources: VPN

False Positives:
1. This alert does not take geo-location data into account, so some false positives can be encountered when a VPN session drops and the ISP allocates a new IP address to the user on reconnection.

Recommendations:
1. Investigate the status and ownership of the impacted VPN accounts.
2. If required, reset the account's access credentials.
3. Reach out to the end user to validate the situation.
4. If proven not to be a false positive, perform an investigation via the Azure Sentinel console to find out whether the VPN user completed any other connections inside the corporate network.
5. For extreme conditions, it is recommended to reset all credentials for the user account across all internal systems where the account is present.
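The detection logic described above, written out as an added example. This is not the Managed Sentinel rule itself and not Azure Sentinel query code; it is a stand-alone Python reimplementation over constructed VPN log lines (the timestamps, user names, addresses and the `connect`/`disconnect`/`fail` event vocabulary are all assumptions). The `require_overlap` switch is an added variant that addresses the false positive listed above: it only raises when the earlier session from a different address was still open when the new connection arrived, so a dropped session followed by a reconnect on a new ISP-assigned address no longer triggers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log lines (not from the page):
# "<timestamp> <user> <source-ip> <event>"
SAMPLE_LOGS = [
    "2024-01-10T08:00:00Z alice 203.0.113.10 connect",
    "2024-01-10T08:05:00Z bob 198.51.100.7 connect",
    "2024-01-10T08:12:00Z alice 203.0.113.10 disconnect",
    "2024-01-10T08:13:00Z alice 203.0.113.44 connect",   # reconnect after drop, new ISP address
    "2024-01-10T08:20:00Z carol 192.0.2.5 connect",
    "2024-01-10T08:25:00Z carol 198.51.100.99 connect",  # second address while first session is open
    "2024-01-10T08:30:00Z dave 203.0.113.99 fail",       # failed login: not a successful connection
    "2024-01-10T08:31:00Z dave 198.51.100.1 connect",
    "2024-01-10T10:00:00Z bob 198.51.100.200 connect",   # new address, but outside the window
]

# Detection window (assumed value; the page does not state the interval).
WINDOW = timedelta(minutes=30)


def parse_line(line):
    ts, user, ip, event = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "ip": ip,
        "event": event,
    }


def detect_multi_ip_vpn_logins(lines, window=WINDOW, require_overlap=False):
    """Return {user: sorted list of source IPs} for every user account that had
    successful VPN connections from two or more distinct source IPs within
    `window`.  With require_overlap=True the earlier session must still be open
    when the new connection arrives (suppresses the drop-and-reconnect case)."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(dict)   # user -> {ip: time of last successful connect}
    active = defaultdict(set)    # user -> IPs with a session not yet disconnected
    alerts = {}

    for e in events:
        user, ip, ts = e["user"], e["ip"], e["ts"]
        if e["event"] == "disconnect":
            active[user].discard(ip)
            continue
        if e["event"] != "connect":
            continue  # only successful connections count toward the alert

        # Drop connections that fall outside the sliding window.
        recent[user] = {k: v for k, v in recent[user].items() if ts - v <= window}
        others = {k for k in recent[user] if k != ip}
        if require_overlap:
            others &= active[user]
        if others:
            alerts.setdefault(user, set()).update(others | {ip})

        recent[user][ip] = ts
        active[user].add(ip)

    return {u: sorted(ips) for u, ips in alerts.items()}


if __name__ == "__main__":
    print("as described (no overlap check):", detect_multi_ip_vpn_logins(SAMPLE_LOGS))
    print("overlap required:", detect_multi_ip_vpn_logins(SAMPLE_LOGS, require_overlap=True))
```

With the sample input, the plain rule flags both `alice` (a reconnect from a new address 13 minutes after her first session dropped) and `carol` (two addresses with overlapping sessions); only `carol` survives the overlap check. `bob` is not flagged in either mode because his second address appears well outside the window, and `dave`'s failed attempt is ignored because only successful connections are counted.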