
Impossible Traveler


Catch the impossible traveler. This Content Pack helps you quickly determine the legitimacy of remote access attempts and contain malicious activity.

As applications move to the cloud, remote access to company resources usually requires several authentication steps. This remote access carries risks, one of which is the “impossible traveler”: a user who appears to connect to the company network from two distant locations within a period of time too short for the travel between them to be possible. Such a connection casts doubt on the authenticity of the user, and the incident needs to be investigated quickly and handled accordingly.

This pack provides the necessary configuration and checks for determining the legitimacy of remote access attempts, and takes appropriate steps to quickly contain any malicious user activity.

What does this pack do?
  • Gathers IP-based information from the addresses used to initiate the connections
  • Retrieves information about the user account that initiated the connections
  • Calculates the time and distance between user login attempts
  • Generates a geographical map of the deduced travel path of the user
  • Determines whether the traveler is an impossible traveler, based on an IP allow list, the manager’s decision and the implied speed of travel
  • Allows the analyst to block IPs used by the user and disable the user in case of compromise
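The checks the list above describes, as an added example that is not part of the pack's own code: for one user it computes the great-circle distance and the speed that would be required between consecutive logins, applies an IP allow list (for example a corporate VPN egress range) and an optional manager decision, and returns a verdict per login pair that an analyst could act on. The login records, the allow-listed range and the 1000 km/h threshold are constructed assumptions; in the real playbook the coordinates would come from the pack's IP enrichment step.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: commercial flights cruise below ~1000 km/h, so a required
# speed above that cannot be explained by ordinary travel.
DEFAULT_MAX_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime   # timezone-aware UTC timestamp of the authentication
    ip: str        # source address of the connection
    lat: float     # geolocation resolved from the IP by an enrichment lookup
    lon: float
    city: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points (haversine formula)."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def is_allowlisted(ip: str, allowlist: list[str]) -> bool:
    """True if the IP lies in any allow-listed network (CIDR strings)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in allowlist)


def evaluate_pair(a: Login, b: Login, allowlist: list[str],
                  max_speed_kmh: float = DEFAULT_MAX_SPEED_KMH,
                  manager_confirmed: bool = False) -> dict:
    """Classify one consecutive login pair of a single user."""
    distance_km = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    if hours == 0:  # same-second logins: any distance at all is unexplainable
        speed_kmh = float("inf") if distance_km > 0 else 0.0
    else:
        speed_kmh = distance_km / hours

    if is_allowlisted(a.ip, allowlist) or is_allowlisted(b.ip, allowlist):
        verdict = "allowlisted"          # known infrastructure explains the jump
    elif speed_kmh <= max_speed_kmh:
        verdict = "plausible"
    elif manager_confirmed:
        verdict = "confirmed_by_manager"  # manager vouched that this was the user
    else:
        verdict = "impossible"           # candidate for blocking IPs / disabling user
    return {
        "user": a.user,
        "from": (a.city, a.ip), "to": (b.city, b.ip),
        "distance_km": round(distance_km, 1),
        "hours": round(hours, 2),
        "speed_kmh": round(speed_kmh, 1),
        "verdict": verdict,
    }


def evaluate_user_logins(logins: list[Login], allowlist: list[str],
                         max_speed_kmh: float = DEFAULT_MAX_SPEED_KMH) -> list[dict]:
    """Evaluate every consecutive login pair of one user in chronological order."""
    ordered = sorted(logins, key=lambda l: l.ts)
    return [evaluate_pair(ordered[i], ordered[i + 1], allowlist, max_speed_kmh)
            for i in range(len(ordered) - 1)]


# Constructed sample data (documentation-range IPs, not from any real log).
SAMPLE_LOGINS = [
    Login("j.doe", datetime(2024, 4, 1, 9, 0, tzinfo=timezone.utc),
          "203.0.113.10", 40.7128, -74.0060, "New York"),
    Login("j.doe", datetime(2024, 4, 1, 10, 30, tzinfo=timezone.utc),
          "198.51.100.25", 35.6762, 139.6503, "Tokyo"),
    Login("j.doe", datetime(2024, 4, 1, 12, 0, tzinfo=timezone.utc),
          "192.0.2.7", 51.5074, -0.1278, "London"),
]
SAMPLE_ALLOWLIST = ["192.0.2.0/24"]  # assumed corporate VPN egress range

if __name__ == "__main__":
    for finding in evaluate_user_logins(SAMPLE_LOGINS, SAMPLE_ALLOWLIST):
        print(finding)
```

The New York to Tokyo pair needs roughly 7,200 km/h and is flagged as impossible; the Tokyo to London pair would be just as impossible on speed alone, but the London address falls in the allow-listed range, so it is classified as allowlisted rather than raising a second alert. Geolocation from IP is approximate, so the threshold should leave headroom for database error rather than sit at the exact flight speed.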

As part of this pack, you will also get out-of-the-box incident fields, layouts and a playbook for impossible traveler investigations. All of these are easily customizable to suit the needs of your organization.

For more information, visit our Cortex XSOAR Developer Docs

For more information, visit our Cortex XSIAM Developer Docs

PUBLISHER

Cortex

PLATFORMS

Cortex XSOAR, Cortex XSIAM

INFO

Certification: Read more
Supported By: Cortex
Created: September 23, 2020
Last Release: April 7, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.