LastPass user impossible travel detected

This rule is part of a beta feature. To learn more, contact Support.

Set up the LastPass integration.

Goal

Detect LastPass login activity occurring from geographically distant locations within an unrealistic time frame based on the user’s IP address.

Strategy

Monitor LastPass login event logs and the source IP address of each login to identify impossible travel: two logins by the same user from locations that are too far apart to travel between in the time that elapsed between them.
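The following is an added example of the check this strategy describes; it is not the rule's own implementation and does not use any Datadog or LastPass API. It geolocates each login's IP through a small constructed lookup table (a real pipeline would use GeoIP enrichment), orders the events per user, and flags any consecutive pair whose great-circle distance could only be covered at an implausible speed. The speed threshold, the 50 km slack for geolocation imprecision, the field names in the finding, and all IPs, users and timestamps are assumptions made for the example.

```python
"""Impossible-travel detection over constructed LastPass-style login events (added example)."""
import math
from datetime import datetime

# Constructed IP-to-location table standing in for GeoIP enrichment (assumption, not real data).
GEOIP = {
    "203.0.113.10": {"city": "Paris", "country": "France", "lat": 48.8566, "lon": 2.3522},
    "198.51.100.7": {"city": "Sydney", "country": "Australia", "lat": -33.8688, "lon": 151.2093},
    "192.0.2.44": {"city": "Lyon", "country": "France", "lat": 45.7640, "lon": 4.8357},
}

MAX_PLAUSIBLE_KMH = 1000.0   # assumption: roughly the cruising speed of an airliner
MIN_DISTANCE_KM = 50.0       # assumption: ignore jitter between nearby GeoIP records

# Constructed sample login events; "ts" is an ISO-8601 UTC timestamp.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-05-01T09:00:00+00:00", "ip": "203.0.113.10"},
    {"user": "bob", "ts": "2024-05-01T09:00:00+00:00", "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2024-05-01T11:00:00+00:00", "ip": "198.51.100.7"},
    {"user": "bob", "ts": "2024-05-01T12:00:00+00:00", "ip": "192.0.2.44"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(value):
    return datetime.fromisoformat(value)


def detect_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one finding per user for each consecutive login pair that implies impossible travel.

    Events are processed in timestamp order per user. Logins from IPs with no geolocation are
    skipped rather than compared, so an unknown IP never produces a false pair.
    """
    findings = []
    last_seen = {}  # user -> (event, geo) of the most recent geolocated login
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        geo = GEOIP.get(event["ip"])
        if geo is None:
            continue
        previous = last_seen.get(event["user"])
        if previous is not None:
            prev_event, prev_geo = previous
            distance_km = haversine_km(prev_geo["lat"], prev_geo["lon"], geo["lat"], geo["lon"])
            hours = (parse_ts(event["ts"]) - parse_ts(prev_event["ts"])).total_seconds() / 3600.0
            # A zero-second gap between distant locations is impossible regardless of speed,
            # so treat it as infinite speed instead of dividing by zero.
            speed_kmh = math.inf if hours <= 0 else distance_km / hours
            if distance_km >= min_km and speed_kmh > max_kmh:
                findings.append({
                    "user": event["user"],
                    "first_location": {"city": prev_geo["city"], "country": prev_geo["country"],
                                       "ip": prev_event["ip"], "ts": prev_event["ts"]},
                    "second_location": {"city": geo["city"], "country": geo["country"],
                                        "ip": event["ip"], "ts": event["ts"]},
                    "distance_km": round(distance_km, 1),
                    "elapsed_hours": round(hours, 2),
                    "implied_speed_kmh": round(speed_kmh, 1),
                })
        last_seen[event["user"]] = (event, geo)
    return findings


if __name__ == "__main__":
    for finding in detect_impossible_travel(SAMPLE_EVENTS):
        print(finding)
```

On the constructed input, alice's Paris-to-Sydney pair two hours apart is flagged (roughly 17,000 km at about 8,500 km/h), while bob's Paris-to-Lyon pair three hours apart is not (about 390 km at about 130 km/h). The triage fields in the finding mirror the kind of context the response steps below ask for: both locations, both IPs and the timestamps.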

Triage and Response

  1. Check whether the user: {{@usr.name}} could have legitimately logged in from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} within the observed time frame. Consider known travel plans, VPN use, or any authorized activity that could explain the behavior.
  2. If the login activity appears suspicious or cannot be justified, immediately restrict network access from the IP address: {{@network.client.geoip.ipAddress}} to prevent further unauthorized access. Coordinate with IT to lock the user’s LastPass account if necessary.
  3. Escalate the incident to IT security teams and management, providing all relevant details, including user information, IP addresses, locations, timestamps, and any investigative findings. Ensure that all actions taken are documented for future reference and compliance purposes.
  4. If appropriate, notify the user of the detected activity and provide guidance on securing their account, including changing their password, enabling multifactor authentication, and reviewing their account activity for any unauthorized actions.