Impossible travel GitLab event

This rule is part of a beta feature. To learn more, contact Support.
gitlab

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the gitlab integration.

Goal

Detect an Impossible Travel event when two successful events occur in a short time frame from geographically far locations.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user {{@usr.name}} traveled more than 500km at over 1,000km/hr.

Triage and response

  1. Determine if the user {{@usr.name}} should have authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}.
  2. If {{@user.name}} should not authenticated from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.
  3. Audit any instance actions that may have occurred after the illegitimate login.