Impossible traveler - SSO

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-09-24
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

6 Hours

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AzureAD
      OR
    • Azure SignIn Log
      OR
    • Duo
      OR
    • Okta
      OR
    • OneLogin
      OR
    • PingOne

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.

Variations

Impossible traveler - non-interactive SSO authentication

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.


Possible Impossible traveler via SSO

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.


SSO impossible traveler from a VPN or proxy

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

User connected from several remote countries, at least one of which is not commonly used in the organization, within a short period of time.
This may indicate the account is compromised.

Attacker's Goals

Gain user-account credentials.

Investigative actions

Check if the user routed their traffic via a VPN, or shared their credentials with a remote employee.