Managed Sentinel – Alert 127
| Alert ID | MS-A127 |
| Alert Name | Successful VPN connections from different source IP addresses within specific time interval |
| Description | This alert triggers when the SIEM detects VPN connections from two or more IP addresses within a specific time interval for the same user account. This may indicate that an account has been compromised and malicious actors connect simultaneously from different locations (impossible travel scenario). |
| Severity Level | Medium |
| Threat Indicator | Compromised Credentials |
| MITRE ATT&CK Tactics | Execution Credential Access |
| Log sources | VPN |
| False Positives | 1. This alert does not take geo-location data, therefore some false positives can be encountered if VPN session drops and a new IP address is allocated from the ISP provider |
| Recommendations | 1. Investigate the impacted VPN accounts status and ownership 2. If required, reset account access credentials 3. Reach out to end user to validate the situation 4. If proven not be a false positive, perform an investigation via Azure Sentinel console to find out if any other connections inside of corporate network was completed by the VPN users. 5. For extreme conditions, it is recommended to reset all user account credentials across all internal systems where the account is present. |