
Impossible Traveler Response

This playbook is part of the Core - Investigation and Response Pack.

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

This playbook handles impossible traveler alerts.

An Impossible Traveler event occurs when multiple login attempts are seen for a user from multiple remote countries within a short period of time, which should not be physically possible. This may indicate that the account is compromised.

Attacker's Goals:

Gain user-account credentials.

Investigative Actions:

Investigate the IP addresses and identities involved in the detected activity using:

  • Impossible Traveler - Enrichment playbook
  • CalculateGeoDistance automation

Response Actions

The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute:

  • Manual block of indicators if the IP address is found to be malicious
  • Manual disable user
  • Manual clear of the user’s sessions (Okta)

When the playbook continues, after validating the activity with the user's manager, another phase of response actions is executed, which includes:

  • Auto block indicators

External Resources:

Impossible traveler alert


This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Containment Plan
  • Impossible Traveler - Enrichment

Integrations

This playbook does not use any integrations.

Scripts

  • impossibleTravelerGetDistance
  • Set
  • CreateArray

Commands

  • closeInvestigation

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| MaxMilesPerHourAllowed | The maximum speed, in miles per hour, that is considered reasonable. If the geographical distance between two logins divided by the time between them exceeds this value, the user is considered an impossible traveler. | 400 | Optional |
| WhitelistedIPs | A comma-separated list of IP addresses that are allowed to be used across long distances. | | Optional |
| ContactUserManager | Whether to ask the user's manager about the legitimacy of the login events, in case of an alleged impossible traveler. | True | Optional |
| AutoContainment | Whether to execute auto containment. | False | Optional |
| AbuseIPDBThreshold | The AbuseIPDB score at or above which an IP address is considered malicious. | 80 | Optional |
| preInvestigationContainment | Whether to execute containment prior to the investigation phase. | | Optional |
| AllowlistCIDR | A comma-separated list of CIDRs that are allowed to be used across long distances. | lists.CIDR - Allowlist | Optional |
| username | The username to iterate over. | alert.username | Optional |
| domain | The organization domain. | | Optional |
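The decision the inputs above describe (compare the speed implied by consecutive logins against MaxMilesPerHourAllowed, skipping sources in WhitelistedIPs or AllowlistCIDR) is shown below as an added Python example. This is not the playbook's own code nor the impossibleTravelerGetDistance script; the login events, IP addresses and coordinates are constructed, and the function names (`find_impossible_travel`, `run_example`) are assumptions for illustration. Geo-resolution of IP addresses and the AbuseIPDB score check are left out.

```python
"""Impossible-traveler check over pre-geolocated login events.

Constructed example, not the playbook's own code. Mirrors the playbook
inputs: MaxMilesPerHourAllowed, WhitelistedIPs and AllowlistCIDR.
"""
import ipaddress
import math
from dataclasses import dataclass
from datetime import datetime, timezone

EARTH_RADIUS_MILES = 3958.8


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    when: datetime  # timezone-aware
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def is_allowlisted(ip, allow_ips, allow_cidrs):
    """True if the IP is in WhitelistedIPs or inside any AllowlistCIDR entry."""
    if ip in allow_ips:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allow_cidrs)


def find_impossible_travel(logins, max_mph=400.0, allow_ips=(), allow_cidrs=()):
    """Return (earlier, later, miles, mph) for consecutive same-user logins
    whose implied speed exceeds max_mph.

    Logins are compared per user in time order. A pair is skipped when either
    source IP is allowlisted (e.g. corporate VPN egress). Two logins at the
    same instant from different places get an infinite speed and are flagged.
    """
    by_user = {}
    for login in sorted(logins, key=lambda l: l.when):
        by_user.setdefault(login.user, []).append(login)

    hits = []
    for events in by_user.values():
        for a, b in zip(events, events[1:]):
            if is_allowlisted(a.ip, allow_ips, allow_cidrs) or \
               is_allowlisted(b.ip, allow_ips, allow_cidrs):
                continue
            miles = haversine_miles(a.lat, a.lon, b.lat, b.lon)
            if miles == 0:
                continue  # same location, nothing to assess
            hours = (b.when - a.when).total_seconds() / 3600
            mph = math.inf if hours == 0 else miles / hours
            if mph > max_mph:
                hits.append((a, b, round(miles, 1), mph))
    return hits


def sample_logins():
    """Constructed events: London, New York and Paris coordinates; RFC 5737
    documentation addresses and a private range standing in for a VPN egress."""
    t = lambda h: datetime(2024, 1, 1, h, 0, tzinfo=timezone.utc)
    london, nyc, paris = (51.5074, -0.1278), (40.7128, -74.0060), (48.8566, 2.3522)
    return [
        Login("alice", "203.0.113.10", t(9), *london),
        Login("alice", "198.51.100.7", t(10), *nyc),     # ~3460 mi in 1 h: flagged
        Login("bob", "203.0.113.20", t(9), *london),
        Login("bob", "192.0.2.44", t(12), *paris),       # ~214 mi in 3 h: fine
        Login("carol", "203.0.113.30", t(9), *london),
        Login("carol", "10.20.0.5", t(10), *nyc),        # VPN egress, allowlisted
    ]


def run_example():
    return find_impossible_travel(
        sample_logins(),
        max_mph=400,                    # MaxMilesPerHourAllowed default
        allow_ips={"203.0.113.99"},     # WhitelistedIPs
        allow_cidrs=["10.20.0.0/16"],   # AllowlistCIDR
    )


if __name__ == "__main__":
    for a, b, miles, mph in run_example():
        print(f"{a.user}: {a.ip} -> {b.ip}, {miles} mi, {mph:.0f} mph")
```

Only alice is flagged: bob's London-to-Paris hop is well under the default 400 mph, and carol's second login comes from an allowlisted CIDR, which is how a VPN concentrator far from the user's real location is kept from producing false positives.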

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| Account.Email.Address | The email address object associated with the Account. | string |
| DBotScore | Indicator, Score, Type, Vendor. | unknown |
| Account.ID | The unique Account DN (Distinguished Name). | string |
| Account.Username | The username of the Account. | string |
| Account.Email | The email address associated with the Account. | unknown |
| Account.Type | The type of the Account entity. | string |
| Account.Groups | The groups that the Account is a part of. | unknown |
| Account | Account object. | unknown |
| Account.DisplayName | The display name of the Account. | string |
| Account.Manager | The manager of the Account. | string |
| DBotScore.Indicator | The indicator value. | string |
| DBotScore.Type | The indicator's type. | string |
| DBotScore.Vendor | The indicator's vendor. | string |
| DBotScore.Score | The indicator's score. | number |
| IP | The IP objects. | unknown |
| Endpoint | The Endpoint's object. | unknown |
| Endpoint.Hostname | The hostname to enrich. | string |
| Endpoint.OS | The Endpoint OS. | string |
| Endpoint.IP | The list of Endpoint IP addresses. | unknown |
| Endpoint.MAC | The list of Endpoint MAC addresses. | unknown |
| Endpoint.Domain | The domain name of the Endpoint. | string |

Playbook Image

(Image: Impossible Traveler Response playbook diagram)