PingFederate Admin Alert: impossible travel by user

Docs > Datadog Security > OOTB Rules > PingFederate Admin Alert: impossible travel by user

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect unusual logs from different geo locations made by a single user.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user {{@usr.name}} traveled more than 500km at over 1,000km/h. This detection rule aims to identify potential threats early, allowing for timely investigation and mitigation to protect server resources and maintain service availability.

Triage and response

Investigate the source user {{@usr.name}} with requests from different geo-locations from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}.
Implement immediate measures to block or limit the impact of the suspicious activity if confirmed as a threat.