Managed Sentinel – Alert 263

Alert ID: MS-A263
Alert Name: Successful VPN connections from same user from multiple IP addresses - SonicWall
Description: This alert triggers when the SIEM detects VPN connections from three or more IP addresses within a specific time interval for the same user account. This may indicate that an account has been compromised and malicious actors connect simultaneously from different locations (impossible travel scenario).
Severity Level: Medium
Threat Indicator:
MITRE ATT&CK Tactics: Exfiltration, Initial Access, Impact, Credential Access
Log sources: Common Security Logs
False Positives:
Recommendations:
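The detection logic described above (one user, three or more distinct source IPs in one window), expressed as an added KQL example against the Sentinel CommonSecurityLog table. This is not the Managed Sentinel rule's own query. It assumes SonicWall events arrive through the CEF connector with DeviceVendor set to "SonicWall", that the VPN user lands in DestinationUserName and the client address in SourceIP, and that successful VPN logins can be matched on the Activity field; the Activity filter, the 1h window and the threshold of 3 are placeholders to confirm against your own data:

```kql
// Added example, not the MS-A263 rule's own query.
// Assumptions: SonicWall CEF events in CommonSecurityLog with DeviceVendor == "SonicWall";
// user in DestinationUserName, client address in SourceIP. The Activity filter below is a
// PLACEHOLDER: replace it with the value your SonicWall logs use for a successful VPN login.
let lookback = 1h;     // time interval over which distinct IPs are counted (assumption)
let threshold = 3;     // "three or more IP addresses" from the alert description
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceVendor == "SonicWall"
| where Activity has "VPN"                                   // PLACEHOLDER successful-VPN-login match
| where isnotempty(DestinationUserName) and isnotempty(SourceIP)
| summarize
    DistinctIPs = dcount(SourceIP),
    IPs         = make_set(SourceIP, 20),
    Connections = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
  by DestinationUserName
| where DistinctIPs >= threshold
| project DestinationUserName, DistinctIPs, IPs, Connections, FirstSeen, LastSeen
| order by DistinctIPs desc
```

Before relying on the query, check which column your connector populates for the SonicWall user (SourceUserName is also common) and confirm the Activity value for a successful connection with a quick `CommonSecurityLog | where DeviceVendor == "SonicWall" | distinct Activity`. Counting distinct SourceIP values per user is what makes this an impossible-travel style detection rather than a volume alert, so the window and threshold are the two knobs that govern its noise level.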