Skip to main content

Impossible Traveler Response

This Playbook is part of the Core - Investigation and Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles impossible traveler alerts.

An Impossible Traveler event occurs when multiple login attempts seen for a user from multiple remote countries in a short period of time, which shouldn't be possible. This may indicate the account is compromised.

Attacker's Goals:

Gain user-account credentials.

Investigative Actions:

Investigate the IP addresses and identities involved in the detected activity using:

  • Impossible Traveler - Enrichment playbook
  • CalculateGeoDistance automation

Response Actions

The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute:

  • Manual block indicators if the IP address found malicious
  • Manual disable user
  • Manual clear of the user’s sessions (Okta)

When the playbook continues, after validating the activity with the user’s manager, another phase of response actions is being executed, which includes:

  • Auto block indicators

External Resources:

Impossible traveler alert

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Containment Plan
  • Impossible Traveler - Enrichment
  • Ticket Management - Generic

Integrations#

This playbook does not use any integrations.

Scripts#

  • impossibleTravelerGetDistance
  • Set
  • CreateArray

Commands#

  • closeInvestigation
  • setParentIncidentFields

Playbook Inputs#


NameDescriptionDefault ValueRequired
MaxMilesPerHourAllowedThe maximum miles per hour that is considered reasonable. If the geographical distance and difference in time between logins is greater than this value, the user will be considered an impossible traveler.400Optional
WhitelistedIPsA comma separated list of IP addresses that are allowed to be used across long distances.Optional
ContactUserManagerWhether to ask the user manager for the legitimacy of the login events, in case of an alleged impossible traveler.TrueOptional
AutoContainmentWhether to execute auto containment.FalseOptional
AbuseIPDBThresholdThe score needed from AbuseIPDB to consider IP address as malicious.80Optional
preInvestigationContainmentWhether to execute containment prior investigation phaseOptional
AllowlistCIDRA comma separated list of CIDR that are allowed to be used across long distances.lists.CIDR - AllowlistOptional
usernameThe username to iterate over.alert.usernameOptional
domainThe organization domain.Optional
ShouldOpenTicketWhether to open a ticket automatically in a ticketing system. (True/False).FalseOptional
serviceNowShortDescriptionA short description of the ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
serviceNowImpactThe impact for the new ticket. Leave empty for ServiceNow default impact.Optional
serviceNowUrgencyThe urgency of the new ticket. Leave empty for ServiceNow default urgency.Optional
serviceNowSeverityThe severity of the new ticket. Leave empty for ServiceNow default severity.Optional
serviceNowTicketTypeThe ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".Optional
serviceNowCategoryThe category of the ServiceNow ticket.Optional
serviceNowAssignmentGroupThe group to which to assign the new ticket.Optional
ZendeskPriorityThe urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".Optional
ZendeskRequesterThe user who requested this ticket.Optional
ZendeskStatusThe state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".Optional
ZendeskSubjectThe value of the subject field for this ticket.XSIAM Incident ID - ${parentIncidentFields.incident_id}Optional
ZendeskTagsThe array of tags applied to this ticket.Optional
ZendeskTypeThe type of this ticket. Allowed values are "problem", "incident", "question", or "task".Optional
ZendeskAssigneThe agent currently assigned to the ticket.Optional
ZendeskCollaboratorsThe users currently CC'ed on the ticket.Optional
descriptionThe ticket description.${parentIncidentFields.description}. ${parentIncidentFields.xdr_url}Optional
addCommentPerEndpointWhether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.TrueOptional
CommentToAddComment for the ticket.${alert.name}. Alert ID: ${alert.id}Optional

Playbook Outputs#


PathDescriptionType
Account.Email.AddressThe email address object associated with the Account.string
DBotScoreIndicator, Score, Type, Vendor.unknown
Account.IDThe unique Account DN (Distinguished Name).string
Account.UsernameThe username of the Account.string
Account.EmailThe email address associated with the Account.unknown
Account.TypeThe type of the Account entity.string
Account.GroupsThe groups that the Account is a part of.unknown
AccountAccount objectunknown
Account.DisplayNameThe display name of the Account.string
Account.ManagerThe manager of the Account.string
DBotScore.IndicatorThe indicator value.string
DBotScore.TypeThe indicator's type.string
DBotScore.VendorThe indicator's vendor.string
DBotScore.ScoreThe indicator's score.number
IPThe IP objects.unknown
EndpointThe Endpoint's object.unknown
Endpoint.HostnameThe hostname to enrich.string
Endpoint.OSThe Endpoint OS.string
Endpoint.IPThe list of Endpoint IP addresses.unknown
Endpoint.MACThe list of Endpoint MAC addresses.unknown
Endpoint.DomainThe domain name of the Endpoint.string

Playbook Image#


Impossible Traveler Response