fix: impossible travel short distances tweak (#783)
* fix: add some jitter for likely geoip based inaccuracies

* fix: formatting wanted to reorder imports on gcp_dns_zone_modified_or_deleted
Ed⁦ authored Jun 13, 2023
1 parent 2a30d3e commit 280fcf3
Showing 3 changed files with 100 additions and 1 deletion.
2 changes: 1 addition & 1 deletion rules/gcp_audit_rules/gcp_dns_zone_modified_or_deleted.py
@@ -1,5 +1,5 @@
from panther_base_helpers import deep_get
from gcp_base_helpers import gcp_alert_context
from panther_base_helpers import deep_get


def rule(event):
9 changes: 9 additions & 0 deletions rules/standard_rules/impossible_travel_login.py
Expand Up @@ -181,4 +181,13 @@ def alert_context(event):
def severity(_):
if IS_VPN or IS_APPLE_PRIVATE_RELAY:
return "INFO"
# time = distance/speed
distance = deep_get(EVENT_CITY_TRACKING, "distance", default=None)
speed = deep_get(EVENT_CITY_TRACKING, "speed", default=None)
if speed and distance:
time = distance / speed
# time of 0.1666 is 10 minutes
if time < 0.1666 and distance < 50:
# This is likely a GEOIP inaccuracy
return "LOW"
return "HIGH"
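Review bot: The two thresholds in `if time < 0.1666 and distance < 50:` are unexplained magic numbers with no unit on `distance` — the comment says 0.1666 hours is ten minutes, but whether 50 means kilometres or miles can only be learned from wherever EVENT_CITY_TRACKING is populated, which is outside this hunk. Since this is a tuning knob that will be revisited as GeoIP quality changes, I'd hoist both into named module constants, e.g. `GEOIP_JITTER_MAX_HOURS = 10 / 60` and `GEOIP_JITTER_MAX_DISTANCE = 50  # same unit as EVENT_CITY_TRACKING["distance"]`, and test `if time < GEOIP_JITTER_MAX_HOURS and distance < GEOIP_JITTER_MAX_DISTANCE:`. The local name `time` would shadow the stdlib `time` module if this file imports it (the imports are not visible here); `elapsed_hours` reads better either way. A comment such as `# Downgrade only: the alert still fires, so short hops stay visible for tuning` would make explicit that this branch lowers severity rather than suppressing the detection.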
90 changes: 90 additions & 0 deletions rules/standard_rules/impossible_travel_login.yml
Expand Up @@ -553,3 +553,93 @@ Tests:
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0"
}
- Name: Short Distances and Short Timedeltas
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_event_time": "2023-06-12T22:23:51.964000",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"source_ip": "12.12.12.12",
"timezone": "America/Los_Angeles"
}
]
Log:
{
"actor": {
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User"
},
"authenticationContext": {
"authenticationStep": 0,
"externalSessionId": "idx1234"
},
"client": {
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent": {
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36"
},
"zone": "null"
},
"debugContext": {
"debugData": {
}
},
"device": {
},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": {
"result": "SUCCESS"
},
"p_event_time": "2023-06-12T22:26:01.951000",
"p_enrichment": {
"ipinfo_location": {
"client.ipAddress": {
"city": "Anaheim",
"country": "US",
"lat": "33.8085",
"lng": "-117.9228",
"p_event_time": "2023-06-12T22:26:01.951000",
"postal_code": "92802",
"region": "California",
"region_code": "CA",
"source_ip": "12.12.12.11",
"timezone": "America/Los_Angeles"
}
}
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-06-12T22:29:01.951000",
"published": "2023-06-12 22:26:01.951000",
"request": {
"ipChain": [
]
},
"securityContext": {
},
"severity": "INFO",
"target": [
],
"transaction": {
},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0"
}
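Review bot: The fixture's enrichment block disagrees with the login it decorates: `"ipAddress": "12.12.12.12"` under `client`, while the `ipinfo_location` entry keyed on `client.ipAddress` carries `"source_ip": "12.12.12.11"`. If the rule or its helpers ever compare the enrichment's `source_ip` against `client.ipAddress` (not visible in this diff), this test would exercise a mismatch path rather than the GeoIP-jitter case it is named for; making both `12.12.12.12` keeps the fixture self-consistent. The test also asserts only `ExpectedResult: true`, i.e. that the rule still fires for the roughly two-minute Los Angeles-to-Anaheim hop in the fixture, but nothing here pins the `LOW` severity that the companion Python change introduces, so a regression in that branch would pass this test. If the harness can assert on the severity output, add that expectation; otherwise record the intent in a YAML comment next to the test name, e.g. `# expects severity() to return LOW (short distance, short time)`.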
