Impossible Traveler

Details
Content
Dependencies
Version History

Catch the impossible traveler. This Content Pack helps you quickly determine the legitimacy of remote access attempts and contain malicious activity.

These days when modern applications are moving to cloud computing, access often requires that various authentications take place in order to remotely access company resources. This remote access comes with risks, one of which is the risk of an “impossible traveler”. When the user supposedly connects to the company network more than once from two different faraway locations, in a very short period of time, the connection raises suspicion as to the authenticity of the user. This kind of incident needs to be quickly investigated and treated accordingly.

This pack provides the necessary configuration and checks for determining the legitimacy of remote access attempts, and takes appropriate steps to quickly contain any malicious user activity.

What does this pack do?

Gathers IP-based information from the addresses used to initiate the connections
Retrieves information about the user account that initiated the connections
Calculates the time and distance between user login attempts
Generates a geographical map of the deduced travel path of the user
Determines, based on IPs on allow list, manager decision and supposed speed of travel, whether the traveler is an impossible traveler
Allows the analyst to block IPs used by the user and disable the user in case of compromise

As part of this pack, you will also get out-of-the-box incident fields, layouts and a playbook for impossible traveler investigations. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

Impossible_Traveler

This pack provides the necessary configuration and checks for determining the legitimacy of remote access attempts, and takes appropriate steps to quickly contain any malicious user activity.

What does this pack do?

Gathers IP-based information from the addresses used to initiate the connections
Retrieves information about the user account that initiated the connections
Calculates the time and distance between user login attempts
Generates a geographical map of the deduced travel path of the user
Determines, based on IPs on allow list, manager decision and supposed speed of travel, whether the traveler is an impossible traveler
Allows the analyst to block IPs used by the user and disable the user in case of compromise

For more information, visit our Cortex XSIAM Developer Docs

Impossible_Traveler

Automations

Name	Description
CalculateGeoDistance	Compute the distance between two sets of coordinates, in miles.

Incident Fields

Name	Description
Sign In Date Time	The date and time when the second sign in of the user occured, in ISO-8601 format.
Previous Sign In Date Time	The date and time when the first sign in of the user occured, in ISO-8601 format.
Travel Map Link	The link to a map that shows the travel path of the user.
Previous Coordinates	The coordinates of the location from which the user previously logged in.
Coordinates	The coordinates of the location from which the user logged in.
Previous Country	The country from which the user previously logged in.
Previous Source IP	The previous IP Address that the user logged in from.

Incident Types

Name	Description
Impossible Traveler

Layouts

Name	Description
Impossible Traveler Incident

Playbooks

Name	Description
Impossible Traveler	This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts. The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.

Name

Description

Impossible Traveler

This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information
associated with the multiple application login attempts.

The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance
in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.

Automations

Name	Description
CalculateGeoDistance	Compute the distance between two sets of coordinates, in miles.

Incident Fields

Name	Description
Coordinates	The coordinates of the location from which the user logged in.
Travel Map Link	The link to a map that shows the travel path of the user.
Previous Coordinates	The coordinates of the location from which the user previously logged in.
Previous Sign In Date Time	The date and time when the first sign in of the user occured, in ISO-8601 format.
Sign In Date Time	The date and time when the second sign in of the user occured, in ISO-8601 format.
Previous Source IP	The previous IP Address that the user logged in from.

Incident Types

Name	Description
Impossible Traveler

Playbooks

Name	Description
Impossible Traveler	This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts. The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance in the amount of time determined. Also, it takes steps to remediate the alert by blocking the offending IPs and disabling the user account, if chosen to do so.

Name

Description

Impossible Traveler

The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance
in the amount of time determined. Also, it takes steps to remediate the alert by blocking the offending IPs and disabling the user account, if chosen to do so.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (32)

Pack Name	Pack By
APIVoid	By: Cortex XSOAR
AbuseIPDB	By: Cortex XSOAR
Active Directory Query	By: Cortex XSOAR
AlienVault OTX	By: Cortex XSOAR
Anomali ThreatStream	By: Cortex XSOAR
AutoFocus by Palo Alto Networks	By: Cortex XSOAR
Awake Security	By: Cortex XSOAR
CrowdStrike Falcon Intel	By: Cortex XSOAR
EclecticIQ Platform	By: EclecticIQ
Flashpoint	By: Flashpoint
Chronicle	By: Chronicle
HelloWorld	By: Cortex XSOAR
Ipstack	By: Cortex XSOAR
MISP	By: Cortex XSOAR
Maltiverse	By: Cortex XSOAR
MaxMind GeoIP2	By: Cortex XSOAR
PassiveTotal	By: RiskIQ
PolySwarm	By: PolySwarm
Shodan	By: Cortex XSOAR
SlashNext Phishing Incident Response - Annual Subscription (Direct Subscription)	By: SlashNext
ThreatConnect	By: Cortex XSOAR
ThreatExchange	By: Cortex XSOAR
ThreatMiner	By: Cortex XSOAR
ThreatQ	By: Cortex XSOAR
TruSTAR (Deprecated)	By: TruSTAR
VirusTotal	By: VirusTotal
IBM X-Force Exchange	By: Cortex XSOAR
Zscaler Internet Access	By: Cortex XSOAR
Analyst1	By: Analyst1
Ipinfo	By: Cortex XSOAR
FireEye iSIGHT	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR

1.2.13 - 1619437 (November 10, 2024)

Scripts

CalculateGeoDistance

Updated the Docker image to: demisto/py3-tools:1.0.0.114656.

Related pull requests:
- 37059
- 37052
- 37051

Download

1.2.12 - 938811 (April 7, 2024)

Scripts

CalculateGeoDistance

Updated the Docker image to: demisto/py3-tools:1.0.0.91504.

Related pull requests:
- 33641
- 33516
- 33519
- 33515
- 33329
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458
- 33535
- 33534
- 33537
- 33552
- 33580
- 33553
- 33418
- 33583
- 33555
- 33556
- 33559
- 33560
- 33619
- 33591
- 33602
- 33600
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33458

Download

1.2.11 - 897231 (March 18, 2024)

Playbooks

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

1.2.10 - R828628 (February 14, 2024)

Scripts

CalculateGeoDistance

Updated the Docker image to: demisto/py3-tools:1.0.0.49929.

Related pull requests:
- 25242

Download

1.2.9 - R4718798 (March 1, 2023)

Layouts

Impossible Traveler Incident
This item is no longer supported in XSIAM.

Related pull requests:
- 24221

Download

1.2.8 - R3997825 (November 8, 2022)

Playbooks

Impossible Traveler

Replaced 'Block IP - Generic V2' with 'Block IP - Generic V3' playbook.

Related pull requests:
- 21724

Download

1.2.7 - 3910837 (October 25, 2022)

Playbooks

Impossible Traveler

Fixed an issue where the coordinates were not sent correctly.

Related pull requests:
- 21336

Download

1.2.6 - 3096681 (June 15, 2022)

Scripts

CalculateGeoDistance

Updated the Docker image to: demisto/py3-tools:0.0.1.30715.

Related pull requests:
- 19561

Download

1.2.5 - 2355875 (February 3, 2022)

Incident Fields

Previous Country

Download

1.2.4 - R2146019 (December 21, 2021)

Playbooks

Impossible Traveler

Documentation fixes

Download

1.2.3 - 384775 (June 14, 2021)

Playbooks

Impossible Traveler

Maintenance and stability enhancements.

Download

1.2.2 - R264879 (November 9, 2020)

ImpossibleTraveler

Documentation and metadata improvements.

Download

1.2.1 - R124496 (September 23, 2020)

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	September 23, 2020
Last Release	November 10, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.