Impossible traveler - SSO

Cortex XDR Analytics Alert Reference

Synopsis

Activation Period 14 Days
Training Period 30 Days
Test Period 6 Hours
Deduplication Period 1 Day
Required Data
  • AzureAD
  • Okta
Required Detection Modules
ATT&CK Tactic
ATT&CK Technique
Severity Low

Description

A user signed in through SSO from several countries within a short period of time, and at least one of those countries is not commonly used in the organization (as learned during the training period). Because one person cannot physically be in distant countries within hours, this may indicate that the account is compromised and is being used by an attacker from a different location.
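The following is an added example, not Cortex XDR's own detector: a simplified version of the logic described above, run over constructed SSO sign-in events. It learns the organization's common countries from the training period, then flags users with successful sign-ins from two or more countries inside the test window where at least one country is outside that baseline. The event field names, the sample data, the `min_users` threshold and the VPN egress allowlist are all assumptions made for the example.

```python
"""Added example of an impossible-traveler check over SSO sign-ins.
Not the product's code; the 30-day training and 6-hour test periods
mirror the synopsis above, everything else is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

TRAINING_PERIOD = timedelta(days=30)  # as in the synopsis
TEST_PERIOD = timedelta(hours=6)      # as in the synopsis

# Constructed sample events (not real logs). Field names are assumed,
# loosely modelled on an SSO provider's sign-in record:
# (user, UTC timestamp, source IP, geolocated country, outcome)
EVENTS = [
    ("alice", "2024-02-20T09:00:00Z", "198.51.100.10", "US", "success"),
    ("bob",   "2024-02-21T09:00:00Z", "198.51.100.11", "US", "success"),
    ("carol", "2024-02-25T09:00:00Z", "203.0.113.5",   "GB", "success"),
    ("dave",  "2024-02-26T10:00:00Z", "203.0.113.6",   "GB", "success"),
    ("erin",  "2024-03-09T20:00:00Z", "192.0.2.50",    "JP", "success"),
    ("alice", "2024-03-10T07:00:00Z", "198.51.100.10", "US", "success"),
    ("alice", "2024-03-10T09:30:00Z", "192.0.2.40",    "RU", "success"),
    ("bob",   "2024-03-10T08:00:00Z", "198.51.100.11", "US", "success"),
    ("bob",   "2024-03-10T10:00:00Z", "203.0.113.7",   "GB", "success"),
    ("carol", "2024-03-10T08:30:00Z", "203.0.113.5",   "GB", "success"),
    ("carol", "2024-03-10T11:00:00Z", "100.64.0.9",    "DE", "success"),
    ("dave",  "2024-03-10T11:30:00Z", "192.0.2.41",    "BR", "failure"),
    ("erin",  "2024-03-10T07:00:00Z", "198.51.100.12", "US", "success"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def org_baseline(events, window_start, training=TRAINING_PERIOD, min_users=2):
    """Countries from which at least `min_users` distinct users signed in
    successfully during the training period preceding the test window.
    A country seen for a single user is not treated as common."""
    users_by_country = defaultdict(set)
    for user, ts, _ip, country, outcome in events:
        t = parse_ts(ts)
        if outcome == "success" and window_start - training <= t < window_start:
            users_by_country[country].add(user)
    return {c for c, users in users_by_country.items() if len(users) >= min_users}


def impossible_travelers(events, now, baseline, window=TEST_PERIOD, vpn_nets=()):
    """Return {user: sorted countries} for users with successful sign-ins
    from two or more countries inside the test window, at least one of
    which is outside the organization's baseline. Sign-ins from known
    VPN/proxy egress ranges (hypothetical allowlist) are skipped, since a
    corporate VPN is the usual benign explanation for such an alert."""
    nets = [ipaddress.ip_network(n) for n in vpn_nets]
    window_start = now - window
    countries = defaultdict(set)
    for user, ts, ip, country, outcome in events:
        t = parse_ts(ts)
        if outcome != "success" or not (window_start <= t <= now):
            continue  # failed logins and out-of-window events do not count
        if any(ipaddress.ip_address(ip) in n for n in nets):
            continue  # known VPN egress, country is not meaningful
        countries[user].add(country)
    return {u: sorted(cs) for u, cs in countries.items()
            if len(cs) >= 2 and not cs.issubset(baseline)}


def run(events=EVENTS, now="2024-03-10T12:00:00Z", vpn_nets=("100.64.0.0/10",)):
    """Build the baseline and evaluate the test window ending at `now`."""
    now_dt = parse_ts(now)
    baseline = org_baseline(events, now_dt - TEST_PERIOD)
    return baseline, impossible_travelers(events, now_dt, baseline, vpn_nets=vpn_nets)


if __name__ == "__main__":
    baseline, hits = run()
    print("baseline countries:", sorted(baseline))
    for user, cs in hits.items():
        print(f"ALERT impossible traveler: {user} signed in from {cs}")
```

In the sample data only alice is flagged: she signs in from the US and then from RU within the same six-hour window, and RU is not in the learned baseline. bob moves between two baseline countries and is not flagged, carol's second sign-in comes from the assumed VPN egress range and is discarded, and dave's unusual sign-in failed. A production detector would additionally deduplicate repeated alerts for the same user within the deduplication period listed in the synopsis.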

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check whether the user routed their traffic through a VPN or proxy (corporate VPN and cloud proxy egress addresses often geolocate to a country other than the user's), or whether the user shared their credentials with a remote employee. Confirm the geolocation of each source IP address and compare the unusual country with the countries the user normally signs in from before treating the sign-in as malicious.