Impossible Traveler Response

This playbook handles impossible traveler alerts. An Impossible Traveler event occurs when multiple login attempts seen for a user from multiple remote countries in a short period of time, which shouldn't be possible. This may indicate the account is compromised. **Attacker's Goals:** Gain user-account credentials. **Investigative Actions:** Investigate the IP addresses and identities involved in the detected activity using: * Impossible Traveler - Enrichment playbook * CalculateGeoDistance automation **Response Actions** The playbook's first response actions are based on the data available within the alert. In that phase, the playbook will execute: * Manual block indicators if the IP address found malicious * Manual disable user * Manual clear of the user’s sessions (Okta) When the playbook continues, after validating the activity with the user’s manager, another phase of response actions is being executed, which includes: * Auto block indicators **External Resources:** [Impossible traveler alert](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Impossible-traveler-SSO)

Core · 26 tasks · 28 inputs · 21 outputs

Inputs

  • MaxMilesPerHourAllowed — The maximum miles per hour that is considered reasonable. If the geographical distance and difference in time between logins is greater than this value, the user will be considered an impossible traveler.
  • WhitelistedIPs — A comma separated list of IP addresses that are allowed to be used across long distances.
  • ContactUserManager — Whether to ask the user manager for the legitimacy of the login events, in case of an alleged impossible traveler.
  • AutoContainment — Whether to execute auto containment.
  • AbuseIPDBThreshold — The score needed from AbuseIPDB to consider IP address as malicious.
  • preInvestigationContainment — Whether to execute containment prior investigation phase
  • AllowlistCIDR — A comma separated list of CIDR that are allowed to be used across long distances.
  • username — The username to iterate over.
  • domain — The organization domain.
  • ShouldOpenTicket — Whether to open a ticket automatically in a ticketing system. (True/False).
  • serviceNowShortDescription — A short description of the ticket.
  • serviceNowImpact — The impact for the new ticket. Leave empty for ServiceNow default impact.
  • serviceNowUrgency — The urgency of the new ticket. Leave empty for ServiceNow default urgency.
  • serviceNowSeverity — The severity of the new ticket. Leave empty for ServiceNow default severity.
  • serviceNowTicketType — The ServiceNow ticket type. Options are "incident", "problem", "change_request", "sc_request", "sc_task", or "sc_req_item". Default is "incident".
  • serviceNowCategory — The category of the ServiceNow ticket.
  • serviceNowAssignmentGroup — The group to which to assign the new ticket.
  • ZendeskPriority — The urgency with which the ticket should be addressed. Allowed values are "urgent", "high", "normal", or "low".
  • ZendeskRequester — The user who requested this ticket.
  • ZendeskStatus — The state of the ticket. Allowed values are "new", "open", "pending", "hold", "solved", or "closed".
  • ZendeskSubject — The value of the subject field for this ticket.
  • ZendeskTags — The array of tags applied to this ticket.
  • ZendeskType — The type of this ticket. Allowed values are "problem", "incident", "question", or "task".
  • ZendeskAssigne — The agent currently assigned to the ticket.
  • ZendeskCollaborators — The users currently CC'ed on the ticket.
  • description — The ticket description.
  • addCommentPerEndpoint — Whether to append a new comment to the ticket for each endpoint in the incident. Possible values: True/False.
  • CommentToAdd — Comment for the ticket.

Outputs

  • Account.Email.Address — The email address object associated with the Account.
  • DBotScore — Indicator, Score, Type, Vendor.
  • Account.ID — The unique Account DN (Distinguished Name).
  • Account.Username — The username of the Account.
  • Account.Email — The email address associated with the Account.
  • Account.Type — The type of the Account entity.
  • Account.Groups — The groups that the Account is a part of.
  • Account — Account object
  • Account.DisplayName — The display name of the Account.
  • Account.Manager — The manager of the Account.
  • DBotScore.Indicator — The indicator value.
  • DBotScore.Type — The indicator's type.
  • DBotScore.Vendor — The indicator's vendor.
  • DBotScore.Score — The indicator's score.
  • IP — The IP objects.
  • Endpoint — The Endpoint's object.
  • Endpoint.Hostname — The hostname to enrich.
  • Endpoint.OS — The Endpoint OS.
  • Endpoint.IP — The list of Endpoint IP addresses.
  • Endpoint.MAC — The list of Endpoint MAC addresses.
  • Endpoint.Domain — The domain name of the Endpoint.

Commands used

closeInvestigation setParentIncidentFields

Flowchart

yes yes yes yes yes Approved yes yes Start Start Containment Containment Travel Information Enrichment Travel Information Enrich... Containment Containment Did the user travel more than the allowed MPH? Did the user travel more ... Did the user login from IP addresses on allow list? Did the user login from I... Are there IPs / CIDR configured on allow list? Are there IPs / CIDR conf... Close alert - closeInvestigation Close alert closeInvestigation Process Travel Data Process Travel Data Can the manager be contacted for travel approval? Can the manager be contac... Investigation Investigation Done Done Check if the IP is blacklisted Check if the IP is blackl... Close alert - closeInvestigation Close alert closeInvestigation Impossible Traveler - Enrichment - Impossible Traveler - Enrichment Impossible Traveler - Enr... Impossible Traveler - Enrichment Set containment actions - Set Set containment actions Set Get all Impossible Traveler IP Addresses - CreateArray Get all Impossible Travel... CreateArray Calculate geographical distance between logins - impossibleTravelerGetDistance Calculate geographical di... impossibleTravelerGetDistance Ask manager if travel was expected Ask manager if travel was... Check Manager Response Check Manager Response Containment Plan - Containment Plan Containment Plan Containment Plan Containment Plan - Containment Plan Containment Plan Containment Plan Should execute pre investigation containment? Should execute pre invest... Set Incident Severity to High - setParentIncidentFields Set Incident Severity to ... setParentIncidentFields Should open a ticket automatically in a ticketing system? Should open a ticket auto... Ticket Management - Generic - Ticket Management - Generic Ticket Management - Generic Ticket Management - Generic