Impossible Traveler

This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts.

The playbook then measures the time difference between the login attempts and computes the distance between the two locations to verify whether the user could plausibly have travelled that distance in the time available. If configured to do so, it also remediates the incident by blocking the offending IPs and disabling the user account.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Active Directory - Get User Manager Details
  • IP Enrichment - Generic v2
  • Block IP - Generic v2

Integrations

  • Builtin

Scripts

  • EmailAskUser
  • Set
  • CalculateTimeDifference
  • CalculateGeoDistance

Commands

  • setIncident
  • ip
  • ad-disable-account
  • rasterize
  • ad-get-user
  • closeInvestigation

Playbook Inputs


| Name | Description | Default Value | Source | Required |
| --- | --- | --- | --- | --- |
| MaxMilesPerHourAllowed | The maximum miles per hour that is still considered reasonable. If the speed implied by the geographical distance and the time difference between logins is greater than this value, the user is considered an impossible traveler. | 600 | | Optional |
| WhitelistedIPs | CSV of IP addresses that are allowed to be used across long distances. | | | Optional |
| AutomaticallyBlockIPs | Whether to automatically block the source IPs that the logins originated from. Can be False or True. | False | | Optional |
| DefaultMapLink | The default link from which to create a travel map. The "SOURCE" and "DESTINATION" words are replaced with the previous coordinates and current coordinates of the traveler, respectively. | https://bing.com/maps/default.aspx?rtp=pos.SOURCE~pos.DESTINATION | | Optional |
| AutomaticallyDisableUser | Whether to automatically disable the impossible traveler's account using Active Directory. | False | | Optional |
| ContactUserManager | Whether to ask the user's manager to confirm the legitimacy of the login events in case of an alleged impossible traveler. | False | | Optional |
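
The following Python example is added here for illustration and is not one of the playbook's own scripts (CalculateTimeDifference and CalculateGeoDistance are separate XSOAR automations whose internals are not shown on this page). It implements the check the description above and the inputs table define: sort a user's enriched logins by time, compute the great-circle distance and elapsed hours for each consecutive pair, derive the speed the user would have needed, compare it to MaxMilesPerHourAllowed (default 600), skip pairs that involve a WhitelistedIPs entry, and fill the DefaultMapLink template. The LoginEvent shape, the sample logins and the "lat_lon" coordinate format used in the map link are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, inf, radians, sin, sqrt
from typing import Iterable, List

EARTH_RADIUS_MILES = 3958.8  # mean Earth radius, so distances come out in miles


@dataclass(frozen=True)
class LoginEvent:
    """One application login already enriched with the IP's geolocation (assumed input shape)."""
    user: str
    timestamp: datetime  # timezone-aware, UTC
    ip: str
    lat: float
    lon: float


def geo_distance_miles(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates using the haversine formula."""
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def time_difference_hours(earlier: datetime, later: datetime) -> float:
    """Elapsed time between two logins, in hours."""
    return (later - earlier).total_seconds() / 3600.0


def parse_whitelist(csv: str) -> set:
    """WhitelistedIPs is a CSV string; turn it into a set of trimmed IP strings."""
    return {ip.strip() for ip in csv.split(",") if ip.strip()}


def evaluate_pair(previous: LoginEvent, current: LoginEvent,
                  max_mph: float = 600.0, whitelist: set = frozenset()) -> dict:
    """Decide whether moving from `previous` to `current` would exceed the allowed speed."""
    if previous.timestamp > current.timestamp:
        previous, current = current, previous  # always measure forward in time
    distance = geo_distance_miles(previous.lat, previous.lon, current.lat, current.lon)
    hours = time_difference_hours(previous.timestamp, current.timestamp)
    # Same timestamp but different locations would require infinite speed; guard the division.
    required_mph = (distance / hours) if hours > 0 else (inf if distance > 0 else 0.0)
    whitelisted = previous.ip in whitelist or current.ip in whitelist
    return {
        "user": current.user,
        "source_ip": previous.ip,
        "destination_ip": current.ip,
        "distance_miles": round(distance, 1),
        "hours": round(hours, 2),
        "required_mph": round(required_mph, 1),
        "whitelisted": whitelisted,
        # A pair touching a whitelisted IP is never flagged, matching the WhitelistedIPs input.
        "impossible": (not whitelisted) and required_mph > max_mph,
    }


def find_impossible_travel(events: Iterable[LoginEvent], max_mph: float = 600.0,
                           whitelisted_ips: str = "") -> List[dict]:
    """Sort one user's logins by time and return the verdicts for pairs that are impossible."""
    whitelist = parse_whitelist(whitelisted_ips)
    ordered = sorted(events, key=lambda e: e.timestamp)
    verdicts = [evaluate_pair(a, b, max_mph, whitelist) for a, b in zip(ordered, ordered[1:])]
    return [v for v in verdicts if v["impossible"]]


def build_map_link(template: str, previous: LoginEvent, current: LoginEvent) -> str:
    """Fill the DefaultMapLink template; the 'lat_lon' coordinate format is an assumption."""
    return (template.replace("SOURCE", f"{previous.lat}_{previous.lon}")
                    .replace("DESTINATION", f"{current.lat}_{current.lon}"))


# Constructed sample: three logins for one user geolocated to New York, Philadelphia and London.
SAMPLE_EVENTS = [
    LoginEvent("jdoe", datetime(2023, 5, 1, 12, 0, tzinfo=timezone.utc), "198.51.100.10", 40.7128, -74.0060),
    LoginEvent("jdoe", datetime(2023, 5, 1, 14, 0, tzinfo=timezone.utc), "198.51.100.20", 39.9526, -75.1652),
    LoginEvent("jdoe", datetime(2023, 5, 1, 15, 30, tzinfo=timezone.utc), "203.0.113.5", 51.5074, -0.1278),
]

if __name__ == "__main__":
    for verdict in find_impossible_travel(SAMPLE_EVENTS):
        print(verdict)
```

With the sample data, New York to Philadelphia in two hours is well under 600 mph and passes, while Philadelphia to London in ninety minutes needs well over 2,000 mph and is flagged; passing `whitelisted_ips="203.0.113.5"` suppresses that finding, which is the behaviour to expect from a VPN egress or corporate proxy that has been whitelisted.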

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| Account.Email.Address | The email address object associated with the Account | string |
| DBotScore | Indicator, Score, Type, Vendor | unknown |
| Account.ID | The unique Account DN (Distinguished Name) | string |
| Account.Username | The Account username | string |
| Account.Email | The email address associated with the Account | unknown |
| Account.Type | Type of the Account entity | string |
| Account.Groups | The groups the Account is a part of | unknown |
| Account | Account object | unknown |
| Account.DisplayName | The Account display name | string |
| Account.Manager | The Account's manager | string |
| DBotScore.Indicator | The indicator value | string |
| DBotScore.Type | The indicator's type | string |
| DBotScore.Vendor | The indicator's vendor | string |
| DBotScore.Score | The indicator's score | number |
| IP | The IP objects | unknown |
| Endpoint | The Endpoint's object | unknown |
| Endpoint.Hostname | The hostname to enrich | string |
| Endpoint.OS | Endpoint OS | string |
| Endpoint.IP | List of endpoint IP addresses | unknown |
| Endpoint.MAC | List of endpoint MAC addresses | unknown |
| Endpoint.Domain | Endpoint domain name | string |

Playbook Image


(image: Impossible_Traveller)