Impossible Travel Auth0 login

Set up the auth0 integration.

Goal

Detect an Impossible Travel event when two successful authentication events occur in a short time frame.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user {{@usr.name}} traveled more than 500km at over 1,000km/hr.

Triage and response

  1. Determine if the user {{@usr.name}} should have authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}.
  2. If {{@user.name}} should not authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.
  3. Audit any instance actions that may have occurred after the illegitimate login.

NOTE VPNs and other anonymous IPs are filtered out of this signal

Changelog

  • 10 October 2022 - Updated query.
  • 20 November 2023 - Updated group by values to include @usr.id.
  • 30 September 2024 - Updated query to replace attribute @threat_intel.results.subcategory:anonymizer.