Impossible Travel Auth0 login

auth0

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the auth0 integration.

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect an Impossible Travel event when two successful authentication events occur in a short time frame.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user {{@usr.name}} traveled more than 500km at over 1,000km/hr.

Triage and response

  1. Determine if the user {{@usr.name}} should have authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}.
  2. If {{@user.name}} should not authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.
  3. Audit any instance actions that may have occurred after the illegitimate login.

NOTE VPNs and other anonymous IPs are filtered out of this signal

Changelog

  • 10 October 2022 - Updated query.
  • 20 November 2023 - Updated group by values to include @usr.id.