Trend Micro Vision One XDR impossible travel detected for identity activity

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect and respond to situations where a user account appears to be active in geographically distinct locations within an impossible time frame. Such activity may indicate account compromise, malicious access, or misconfiguration.

Strategy

Monitor identity activities logged by Trend Micro Vision One XDR, particularly focusing on detecting impossible travel scenarios. This involves identifying instances where a single user account logs in or accesses systems from locations that are geographically far apart in a time span too short for normal travel.
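Added example, not from this documentation or from Trend Micro Vision One: a Python check that applies the strategy above to a constructed batch of sign-in records, computing the great-circle distance between consecutive sign-ins of the same account and flagging any pair whose implied speed exceeds an assumed 900 km/h ceiling. The IP addresses, coordinates and timestamps are constructed, and the GeoIP lookup that resolves an IP to coordinates is assumed to have already happened.

```python
"""Added example (not Datadog's or Trend Micro's code): flag sign-ins whose
implied travel speed between consecutive events is physically implausible."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0

@dataclass
class SignIn:
    user: str
    when: datetime  # must be timezone-aware
    src_ip: str
    lat: float  # assumed already resolved from src_ip by a GeoIP lookup
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier, later, km, required_kmh) for each consecutive
    pair of sign-ins by the same user that would need speed above max_kmh."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Identical timestamps (or clock skew) with a non-zero distance
            # cannot be explained by travel at all, so treat as infinite speed.
            required = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if required > max_kmh:
                findings.append((ev.user, prev, ev, km, required))
        last_seen[ev.user] = ev
    return findings

def sample_events():
    """Constructed sign-in records for illustration only, not real data."""
    t = lambda h, m: datetime(2024, 5, 1, h, m, tzinfo=timezone.utc)
    return [
        SignIn("alice", t(9, 0), "203.0.113.10", 40.71, -74.01),  # New York
        SignIn("alice", t(10, 30), "198.51.100.7", 35.68, 139.69),  # Tokyo, 90 min later
        SignIn("bob", t(9, 0), "192.0.2.5", 51.51, -0.13),  # London
        SignIn("bob", t(11, 0), "192.0.2.9", 48.86, 2.35),  # Paris, 2 h later
    ]
```

Running `impossible_travel(sample_events())` flags only alice's New York to Tokyo pair (about 10,800 km in 90 minutes), while bob's London to Paris pair stays under the threshold; tune `max_kmh` to your own tolerance for VPN egress points and mobile carrier NAT, which are the usual benign sources of false positives.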

Triage and Response

  1. Confirm the source and nature of the event by reviewing the detection time ({{@detectedDateTime}}) and the source fields.
  2. Identify the involved user(s) and associated systems:
    • User Account: {{@usr.name}}
  3. Assess the geographic locations of the activities. Look for discrepancies between locations indicated by IP addresses, considering the short time frame that suggests impossible travel.
  4. If impossible travel is confirmed:
    • Investigate potential compromise of the user account. Review recent activities, changes, and potential unauthorized access.
    • Lock or reset the affected account to prevent further unauthorized actions.
    • Notify the affected user and relevant security teams of the suspicious activity.