Impossible travel scenario observed in Cloudflare logs
Set up the cloudflare integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect an Impossible Travel event within Cloudflare logs.
Strategy
The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user (@usr.email
) traveled more than 500km at over 1,000km/h.
Triage and response
- Determine if
{{@usr.email}}
should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}
, {{@impossible_travel.triggering_locations.first_location.country}}
and {{@impossible_travel.triggering_locations.second_location.city}}
, {{@impossible_travel.triggering_locations.second_location.country}}
in a short period of time. - If the user should not be connecting from
{{@impossible_travel.triggering_locations.first_location.city}}
, {{@impossible_travel.triggering_locations.first_location.country}}
or {{@impossible_travel.triggering_locations.second_location.city}}
, {{@impossible_travel.triggering_locations.second_location.country}}
, then consider isolating the account and resetting their credentials. - Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.