Managed Sentinel – Alert 263
| Alert ID | MS-A263 |
| Alert Name | Successful VPN connections from same user from multiple IP addresses - SonicWall |
| Description | This alert triggers when the SIEM detects VPN connections from three or more IP addresses within a specific time interval for the same user account. This may indicate that the account has been compromised and that malicious actors are connecting simultaneously from different locations (impossible travel scenario). |
| Severity Level | Medium |
| Threat Indicator | |
| MITRE ATT&CK Tactics | Exfiltration, Initial Access, Impact, Credential Access |
| Log sources | Common Security Logs |
| False Positives | |
| Recommendations | |
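
The detection logic in the Description, sketched as an added example that is not Managed Sentinel's own rule: a sliding window over successful VPN logins that flags a user seen from three or more distinct source IPs. The 30-minute window, the `(user, ip, timestamp)` event layout and the sample events are assumptions constructed for illustration; the alert itself only states "a specific time interval".

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: the alert does not state its interval
MIN_DISTINCT_IPS = 3             # from the alert description: three or more IP addresses

# Constructed sample events: (user, source IP, time of successful VPN login).
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("alice", "192.0.2.10",   "2024-01-15T09:00:00"),
    ("alice", "198.51.100.7", "2024-01-15T09:05:00"),
    ("bob",   "192.0.2.44",   "2024-01-15T09:06:00"),
    ("alice", "203.0.113.9",  "2024-01-15T09:12:00"),
    ("bob",   "192.0.2.44",   "2024-01-15T09:20:00"),   # same IP again: not suspicious
    ("carol", "192.0.2.80",   "2024-01-15T08:00:00"),
    ("carol", "198.51.100.3", "2024-01-15T08:20:00"),
    ("carol", "203.0.113.5",  "2024-01-15T09:30:00"),   # third IP, but outside the window
]

def detect_multi_ip_logins(events, window=WINDOW, min_ips=MIN_DISTINCT_IPS):
    """Return {user: sorted IPs} for users seen from >= min_ips distinct
    source IPs inside any sliding window of length `window`."""
    parsed = sorted((datetime.fromisoformat(ts), user, ip) for user, ip, ts in events)
    recent = defaultdict(deque)   # user -> (time, ip) entries still inside the window
    hits = {}
    for ts, user, ip in parsed:
        q = recent[user]
        q.append((ts, ip))
        # Expire logins older than the window relative to the current login.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {addr for _, addr in q}
        if len(distinct) >= min_ips:
            # Accumulate every address from any triggering window for the analyst.
            hits[user] = sorted(set(hits.get(user, [])) | distinct)
    return hits

if __name__ == "__main__":
    for user, ips in detect_multi_ip_logins(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {len(ips)} source IPs within {WINDOW}: {', '.join(ips)}")
```

With the sample data only `alice` is flagged: `bob` reconnects from a single address, and `carol` uses three addresses spread over 90 minutes, which is the case a longer window would also catch.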
