Managed Sentinel – Alert 162

Alert ID: MS-A162
Alert Name: SSL VPN login failures - Fortinet
Description: This alert identifies SSL VPN login failures.
Severity Level: Low
Threat Indicator: Compromised Credentials
MITRE ATT&CK Tactics: Credential Access
Log sources: VPN
False Positives:
Recommendations:
1. Investigate the status and ownership of the impacted VPN accounts.
2. If required, reset the account access credentials.
3. Reach out to the end user to validate the situation.
4. If proven not to be a false positive, perform an investigation via the Azure Sentinel console to find out whether the VPN users completed any other connections inside the corporate network.