Skip to main content

Info: Impossible Travel Triggered for the same country

  • February 6, 2024
  • 1 reply
  • 18 views
A
Forum|alt.badge.img+5

Hello Team,

Today we faced an issue, where an alert for Impossible Travel Sucessfull was triggered where the country of thoses IPs are the same.

The below is the rule

rule impossible_travel_login_activity
{
  meta:
     subject = "impossible travel login activity"
     description = "Detects when the same user account is logged into twice in a short period of time but from two different countries. This could indicate a user account credential compromise where an adversary obtains access to an account."


  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.target.user.userid = $target_user
    $e.principal.location.country_or_region != ""
    $e.principal.location.country_or_region = $country
    $e.security_result.action = "ALLOW"
   
  match:
        $target_user over 3h

  outcome:
    $risk_score = 80
    $mitre_attack_tactic = "Initial Access

  condition:
    #country > 1

}
 
Could you please let me know what we are doing wrong here?
 
Thank you in advance.
 
With Regards,
Aravind S

1 reply

malvarez12
Forum|alt.badge.img+1
  • malvarez12Bronze 1
  • Bronze 1
  • May 14, 2024

Greetings Aravind, 

Can you provide some relevant logs/detections for the issue your having? Your logic looks good and I ran your logic in a demo environment and I am not seeing any issue.

Also, as a note: Please consider using a state aswell as a country as a conditions so that you don't miss security relevant user logons in larger countries like the United States. Additionally, consider using $.principal.ip_geo_artifact.location.country_or_region over $.principal.location.country_or_region since the ladder is source based and may not have accurate location data.

Please see the new logic below:

rule impossible_travel_login_activity {
meta:
subject = "impossible travel login activity"
description = "Detects when the same user account is logged into twice in a short period of time but from two different states and countries. This could indicate a user account credential compromise where an adversary obtains access to an account."
events:
$e.metadata.event_type = "USER_LOGIN"
$e.target.user.userid = $target_user
$e.principal.ip_geo_artifact.location.state != ""
$e.principal.ip_geo_artifact.location.state = $state
$e.principal.ip_geo_artifact.location.country_or_region != ""
$e.principal.ip_geo_artifact.location.country_or_region = $country
$e.security_result.action = "ALLOW"
match:
$target_user over 3h
outcome:
$risk_score = 80
$mitre_attack_tactic = "Initial Access"
condition:
#state > 1 and #country > 1
}
N
Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.