I would look at doing something like this:

select username, UNIQUECOUNT(sourceip) as 'SrcAddresses' from events where LOGSOURCENAME(logsourceid) ilike '%VPN%' and username is not null GROUP BY username HAVING 'SrcAddresses' > 3 ORDER BY 'SrcAddresses' DESC last 1 HOURS

This search returns grouped usernames from VPN log sources where the same username reports from 3 or more IP addresses in a 1 hour time frame. Optionally, you could expand this by adding the QID for successful logins, filtering down to specific log sources, time of day, etc.

Note: If you are using this query with Windows events, make sure you look at the flash notice I released yesterday for usernames with Windows events as a DSM enhancement introduced a username parsing issue.

Flash Notice Link: The Username Column for Microsoft Windows Events Contains Incorrect Values

Also, take a look at the AQL Open Mic I did last year, this query was in the slide deck for that presentation and has a lot of unique examples.

QRadar Open Mic: AQL / Advanced Searches http://www.ibm.com/support/docview.wss?uid=swg27047840