Impossible traveler

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	6 Hours
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AzureAD OR Okta
Detection Modules	Identity Analytics
ATT&CK Tactic	Credential Access (TA0006) Resource Development (TA0042)
ATT&CK Technique	Compromise Accounts (T1586) Brute Force: Password Guessing (T1110.001)
Severity	Low

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

Variations

Impossible traveler - non-interactive SSO authentication

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

Impossible traveler - SSO

Cortex XDR Analytics Alert Reference by data source

Synopsis

Description

Attacker's Goals

Investigative actions

Variations

Synopsis

Description

Attacker's Goals

Investigative actions