Managed Sentinel – Alert 083
| Field | Value |
| --- | --- |
| Alert ID | MS-A083 |
| Alert Name | Multiple successful VPN logins for different users from the same IP address |
| Description | This alert indicates that two or more VPN users successfully connected from the same IP address. |
| Severity Level | Medium |
| Threat Indicator | Compromised Credentials |
| MITRE ATT&CK Tactics | Execution, Persistence |
| Log sources | VPN |
| False Positives | 1. Company staff gathering in a single remote location |
| Recommendations | 1. Investigate the status and ownership of the impacted VPN accounts. 2. If required, reset the account access credentials. 3. Reach out to the end user to validate the situation. 4. If proven not to be a false positive, perform an investigation via the Azure Sentinel console to find out whether any other connections inside the corporate network were completed by the VPN users. |
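As an added illustration (not part of the Managed Sentinel rule itself), the detection logic behind this alert can be reproduced offline over a handful of constructed VPN log lines: group successful logins by source IP and raise when two or more distinct users appear within a time window. The log format, the one-hour window and the threshold of two users are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN log lines (hypothetical CSV format: timestamp,user,source_ip,result).
# 203.0.113.10 carries two distinct users within minutes; 198.51.100.7 carries two
# users but almost 90 minutes apart; a failed login must not count.
SAMPLE_LOGS = """\
2024-03-01T08:00:05Z,alice,203.0.113.10,success
2024-03-01T08:02:41Z,bob,203.0.113.10,success
2024-03-01T08:03:10Z,carol,198.51.100.7,success
2024-03-01T08:05:00Z,mallory,203.0.113.10,failure
2024-03-01T08:06:30Z,alice,203.0.113.10,success
2024-03-01T09:30:00Z,dave,198.51.100.7,success
"""


def parse_logs(text):
    """Parse the constructed CSV lines into (timestamp, user, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def shared_ip_logins(events, window=timedelta(hours=1), min_users=2):
    """Return {source_ip: sorted distinct users} for every IP from which at least
    `min_users` different accounts logged in successfully within `window` of each other.
    Only result == "success" is considered, matching the alert's wording."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "success":
            by_ip[ip].append((ts, user))

    alerts = {}
    for ip, logins in by_ip.items():
        logins.sort()  # chronological order so the sliding window can start at each login
        for i, (start, _) in enumerate(logins):
            users = {u for t, u in logins[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break  # one finding per IP is enough for the alert
    return alerts


if __name__ == "__main__":
    for ip, users in shared_ip_logins(parse_logs(SAMPLE_LOGS)).items():
        print(f"MS-A083 candidate: {ip} used by {', '.join(users)}")
```

In Azure Sentinel the same idea is expressed in KQL by summarising distinct users per source IP over a time bin and filtering on a count above one; the triage steps in the Recommendations row then apply to each flagged IP.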