Impossible Travel

The Impossible Travel Detector consumes authentication-focused logon events that are ingested into the Secureworks® Taegis™ XDR data lake, looking for unusual pairings that indicate an impossible amount of travel has occurred in the time between logon events for a single user. The unusual events are then published as an alert that displays in the XDR Dashboard.

Impossible Travel Alert

Requirements

This detector requires the following data sources, integrations, or schemas:

• Auth

Inputs

Detections are from the following normalized sources:

• Auth

Outputs

Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard. This detector's alerts are consumed by the Stolen User Credentials Detector.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

• MITRE Enterprise ATT&CK - Defense Evasion, Persistence, Privilege Escalation, Initial Access - Valid Accounts. For more information, see MITRE Technique T1078.

Detector Testing

This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.

Note

If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:impossible-travel'

References

• Detectors
  • Stolen User Credentials
• Schemas
  • Auth