Skip to main content

Impossible Traveler

This Playbook is part of the Impossible Traveler Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook investigates an event whereby a user has multiple application login attempts from various locations in a short time period (impossible traveler). The playbook gathers user, timestamp and IP information associated with the multiple application login attempts.

The playbook then measures the time difference between the multiple login attempts and computes the distance between the two locations to verify whether it is possible the user could traverse the distance in the amount of time determined. Also, it takes steps to remediate the incident by blocking the offending IPs and disabling the user account, if chosen to do so.


This playbook uses the following sub-playbooks, integrations, and scripts.


  • Block IP - Generic v3
  • IP Enrichment - Generic v2
  • Active Directory - Get User Manager Details


This playbook does not use any integrations.


  • Set
  • EmailAskUser
  • CalculateTimeDifference
  • CalculateGeoDistance


  • rasterize
  • ip
  • setIncident
  • ad-get-user
  • ad-disable-account
  • closeInvestigation

Playbook Inputs#

NameDescriptionDefault ValueRequired
MaxMilesPerHourAllowedThe maximum miles per hour that is still considered reasonable. If the geographical distance and difference in time between logins is greater than this value, the user will be considered an impossible traveler.600Optional
WhitelistedIPsCSV of IP addresses that are allowed to be used across long distances.Optional
AutomaticallyBlockIPsWhether to automatically block the source IPs that the login originated from. Can be False or True.FalseOptional
DefaultMapLinkThe default link from which to create a travel map. The "SOURCE" and "DESTINATION" words are replaced with the previous coordinates and current coordinates of the traveler, respectively.
AutomaticallyDisableUserWhether to automatically disable the impossible traveler account using Active Directory.FalseOptional
ContactUserManagerWhether to ask the user manager for the legitimacy of the login events, in case of an alleged impossible traveler.FalseOptional
InternalRangeA list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: ",," (without quotes).lists.PrivateIPsOptional

Playbook Outputs#

Account.Email.AddressThe email address object associated with the Accountstring
DBotScoreIndicator, Score, Type, Vendorunknown
Account.IDThe unique Account DN (Distinguished Name)string
Account.UsernameThe Account usernamestring
Account.EmailThe email address associated with the Accountunknown
Account.TypeType of the Account entitystring
Account.GroupsThe groups the Account is a part ofunknown
AccountAccount objectunknown
Account.DisplayNameThe Account display namestring
Account.ManagerThe Account's managerstring
DBotScore.IndicatorThe indicator valuestring
DBotScore.TypeThe indicator's typestring
DBotScore.VendorThe indicator's vendorstring
DBotScore.ScoreThe indicator's scorenumber
IPThe IP objectsunknown
EndpointThe Endpoint's objectunknown
Endpoint.HostnameThe hostname to enrichstring
Endpoint.OSEndpoint OSstring
Endpoint.IPList of endpoint IP addressesunknown
Endpoint.MACList of endpoint MAC addressesunknown
Endpoint.DomainEndpoint domain namestring

Playbook Image#

Impossible Traveler