Goal

Detect an Impossible Travel event when two business logic events attributed to the same user occur within a short time frame from IPs that are geographically distant from one another.

Strategy

The Impossible Travel detection algorithm compares the most recent business logic events to determine if the user {{@usr.id}} traveled a large distance at a high speed, based on the IP address.

If it does so, an Info signal is triggered.

NOTE VPNs and other known IP anonymizers are filtered out of this signal.

Triage and response

1. Determine if the user {{@usr.id}} plausibly could have traveled from {{@impossible_travel.triggering_locations.first_location.city}} ({{@impossible_travel.triggering_locations.first_location.country}}) to {{@impossible_travel.triggering_locations.second_location.city}}, ({{@impossible_travel.triggering_locations.second_location.country}}) in this timespan. 1.1 Review whether this activity may have gone through a proxy. This would make the signal a false positive.
2. If one of those locations appears unusual, the user may have been compromised. You should reset the credentials of the user and reset their session. Optionally, you may also block them while you’re performing those actions.
3. Audit any recent action from this user.