LastPass user impossible travel detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the lastpass integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect LastPass login activity occurring from geographically distant locations within an unrealistic time frame based on the user’s IP address.

Strategy

Monitor LastPass login event logs and IP addresses to identify potential impossible travel scenarios, where a user’s login attempts occur from different locations that would be impossible to travel between within the time frame.

Triage and Response

  1. Check whether the user: {{@usr.name}} could have legitimately logged in from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} within the observed time frame. Consider known travel plans, VPN use, or any authorized activity that could explain the behavior.
  2. If the login activity appears suspicious or cannot be justified, immediately restrict network access from the IP address: {{@network.client.geoip.ipAddress}} to prevent further unauthorized access. Coordinate with IT to lock the user’s LastPass account if necessary.
  3. Escalate the incident to IT security teams and management, providing all relevant details, including user information, IP addresses, locations, timestamps, and any investigative findings. Ensure that all actions taken are documented for future reference and compliance purposes.
  4. If appropriate, notify the user of the detected activity and provide guidance on securing their account, including changing their password, enabling multifactor authentication, and reviewing their account activity for any unauthorized actions.