Detection rules › Panther
Impossible Travel for Login Action
A user has subsequent logins from two geographic locations that are very far apart
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
Rule body yaml
AnalysisType: rule
Filename: impossible_travel_login.py
RuleID: "Standard.ImpossibleTravel.Login"
DisplayName: "Impossible Travel for Login Action"
Enabled: true
LogTypes:
- Asana.Audit
- AWS.CloudTrail
- Notion.AuditLogs
- Okta.SystemLog
Tags:
- Identity & Access Management
- Initial Access:Valid Accounts
Reports:
MITRE ATT&CK:
- TA0001:T1078
Severity: High
Description: A user has subsequent logins from two geographic locations that are very far apart
Runbook: |
Reach out to the user if needed to validate the activity, then lock the account.
If the user responds that the geolocation on the new location is incorrect, you can directly
report the inaccuracy via https://ipinfo.io/corrections
Reference: https://expertinsights.com/insights/what-are-impossible-travel-logins/#:~:text=An%20impossible%20travel%20login%20is,of%20the%20logins%20is%20fraudulent
SummaryAttributes:
- p_any_usernames
- p_any_ip_addresses
- p_any_domain_names
# All test cases for this detection will need to include:
# * p_log_type ( for udm)
# Alerting test cases for this detection will need to include:
# * p_source_label
# * p_event_time
Tests:
- Name: CloudTrail not ConsoleLogin
ExpectedResult: false
Log: { "eventType": "logout", "p_log_type": "AWS.CloudTrail" }
- Name: CloudTrail ConsoleLogin no history
ExpectedResult: false
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
Log:
{
"additionalEventData": { "MFAUsed": "No", "MobileVersion": "No" },
"awsRegion": "us-east-1",
"eventCategory": "Management",
"eventName": "ConsoleLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "2023-05-26 20:14:51",
"eventType": "AwsConsoleSignIn",
"eventVersion": "1.08",
"managementEvent": true,
"p_event_time": "2023-05-26 20:14:51",
"p_enrichment":
{
"ipinfo_location":
{
"sourceIPAddress":
{
"city": "Auckland",
"country": "NZ",
"lat": "-36.84853",
"lng": "174.76349",
"p_match": "12.12.12.12",
"postal_code": "1010",
"region": "Auckland",
"region_code": "AUK",
"timezone": "Pacific/Auckland",
},
},
},
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "2023-05-26 20:19:14.002",
"p_source_label": "LogSource Name",
"readOnly": false,
"recipientAccountId": "123456789012",
"responseElements": { "ConsoleLogin": "Success" },
"sourceIPAddress": "12.12.12.12",
"tlsDetails":
{
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "signin.aws.amazon.com",
"tlsVersion": "TLSv1.3",
},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
}
- Name: CloudTrail ConsoleLogin with history
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"additionalEventData": { "MFAUsed": "No", "MobileVersion": "No" },
"awsRegion": "us-east-1",
"eventCategory": "Management",
"eventName": "ConsoleLogin",
"eventSource": "signin.amazonaws.com",
"eventTime": "2023-05-26 20:14:51",
"eventType": "AwsConsoleSignIn",
"eventVersion": "1.08",
"managementEvent": true,
"p_event_time": "2023-05-26 20:14:51",
"p_enrichment":
{
"ipinfo_location":
{
"sourceIPAddress":
{
"city": "Auckland",
"country": "NZ",
"lat": "-36.84853",
"lng": "174.76349",
"p_match": "12.12.12.12",
"postal_code": "1010",
"region": "Auckland",
"region_code": "AUK",
"timezone": "Pacific/Auckland",
},
},
},
"p_log_type": "AWS.CloudTrail",
"p_parse_time": "2023-05-26 20:19:14.002",
"p_source_label": "LogSource Name",
"readOnly": false,
"recipientAccountId": "123456789012",
"responseElements": { "ConsoleLogin": "Success" },
"sourceIPAddress": "12.12.12.12",
"tlsDetails":
{
"cipherSuite": "TLS_AES_128_GCM_SHA256",
"clientProvidedHostHeader": "signin.aws.amazon.com",
"tlsVersion": "TLSv1.3",
},
"userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
"userIdentity":
{
"type": "IAMUser",
"principalId": "1111",
"arn": "arn:aws:iam::123456789012:user/tester",
"accountId": "123456789012",
"userName": "tester",
},
}
- Name: Okta Not sign-in
ExpectedResult: false
Log: { "eventType": "logout", "p_log_type": "Okta.SystemLog" }
- Name: Okta sign-in with history and impossible travel
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Auckland",
"country": "NZ",
"lat": "-36.84853",
"lng": "174.76349",
"p_match": "12.12.12.12",
"postal_code": "1010",
"region": "Auckland",
"region_code": "AUK",
"timezone": "Pacific/Auckland",
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Okta sign-in with history and impossible travel, Apple Private Relay
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_match": "12.12.12.12",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": true,
"p_match": "12.12.12.12",
"proxy": false,
"relay": true,
"service": "Apple Private Relay",
"tor": false,
"vpn": false,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Okta sign-in with history and impossible travel, VPN with service
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_match": "12.12.12.12",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": false,
"p_match": "12.12.12.12",
"proxy": false,
"relay": false,
"service": "Private Internet Access",
"tor": false,
"vpn": true,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Okta sign-in with history and impossible travel, VPN with no service
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_match": "12.12.12.12",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": false,
"proxy": false,
"relay": false,
"service": "",
"tor": false,
"vpn": true,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Short Distances and Short Timedeltas
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_event_time": "2023-06-12T22:23:51.964000",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.11",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-06-12T22:26:01.951000",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"p_match": "12.12.12.11",
"city": "Anaheim",
"country": "US",
"lat": "33.8085",
"lng": "-117.9228",
"p_event_time": "2023-06-12T22:26:01.951000",
"postal_code": "92802",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-06-12T22:29:01.951000",
"published": "2023-06-12 22:26:01.951000",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Asana ImpossibleTravel
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-06-12T21:26:01.951000",
"city": "New York City",
"country": "US",
"lat": "40.71427",
"lng": "-74.00597",
"postal_code": "10004",
"region": "New York",
"region_code": "NY",
"timezone": "America/New_York"
}
]
Log:
{
"actor":
{
"actor_type": "user",
"email": "homer.simpsons@simpsons.com",
"gid": "1234567890",
"name": "Homer Simpson",
},
"context":
{
"client_ip_address": "1.2.3.4",
"context_type": "web",
"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
},
"created_at": "2023-05-26 18:24:51.413",
"details": { "method": ["SAML"] },
"event_category": "logins",
"event_type": "user_login_succeeded",
"gid": "123456789",
"resource":
{
"email": "homer.simpsons@simpsons.com",
"gid": "1234567890",
"name": "Homer Simpson",
"resource_type": "user",
},
"p_log_type": "Asana.Audit",
"p_source_label": "Asana Logs",
"p_enrichment": {
# ipinfo privacy reset is needed for unit testing
"ipinfo_privacy":
{ "context.client_ip_address": { "p_match": "1.2.3.4" } },
"ipinfo_location":
{
"context.client_ip_address":
{
"p_match": "1.2.3.4",
"city": "Anaheim",
"country": "US",
"lat": "33.8085",
"lng": "-117.9228",
"p_event_time": "2023-06-12T22:26:01.951000",
"postal_code": "92802",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
},
"p_event_time": "2023-06-12T22:26:01.951000",
}
- Name: Notion Impossible Travel
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-10-03T18:26:01.951000",
"source_ip": "192.168.100.101",
"city": "Minas Tirith",
"country": "Gondor",
"lat": "0.00000",
"lng": "0.00000",
"p_match": "192.168.100.101",
"postal_code": "55555",
"region": "Pellenor",
"region_code": "PL",
"timezone": "Middle Earth/Pellenor"
}
]
Log:
{
"event":
{
"actor":
{
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"object": "user",
"person": { "email": "aragorn.elessar@lotr.com" },
"type": "person",
},
"details": { "authType": "saml" },
"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"ip_address": "192.168.100.100",
"timestamp": "2023-10-03T19:02:28.044000Z",
"type": "user.login",
"workspace_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
},
"p_enrichment":
{
"ipinfo_location":
{
"event.ip_address":
{
"city": "Barad-Dur",
"lat": "100.00000",
"lng": "0.00000",
"country": "Mordor",
"postal_code": "55555",
"p_match": "192.168.100.100",
"region": "Mount Doom",
"region_code": "MD",
"timezone": "Middle Earth/Mordor",
},
},
},
"p_event_time": "2023-10-03T19:02:28.044000Z",
"p_log_type": "Notion.AuditLogs",
"p_source_label": "Notion-Panther-Labs",
}
- Name: First hit from VPN should not fail
ExpectedResult: false
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: ""
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "12.12.12.12",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Los Angeles",
"country": "US",
"lat": "34.05223",
"lng": "-118.24368",
"p_match": "12.12.12.12",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": true,
"p_match": "12.12.12.12",
"proxy": false,
"relay": true,
"service": "Apple Private Relay",
"tor": false,
"vpn": false,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Okta sign-in with history and impossible travel, no VPN, Intelsat ASN
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "Los Angeles",
"country": "US",
"lat": "4.05223",
"lng": "-118.24368",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles"
}
]
Log:
{
"actor":
{
"alternateId": "homer.simpson@company.com",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "164.86.38.26",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_asn":
{
"client.ipAddress":
{
"asn": "AS22351",
"domain": "intelsat.com",
"name": "INTELSAT GLOBAL SERVICE CORPORATION",
"p_match": "164.86.38.26",
"route": "164.86.38.0/23",
"type": "isp",
},
},
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Tysons Corner",
"country": "US",
"lat": "38.953",
"lng": "-77.2295",
"p_match": "164.86.38.26",
"postal_code": "22102",
"region": "Virginia",
"region_code": "VA",
"timezone": "America/America/New_York",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": false,
"proxy": false,
"relay": false,
"service": "",
"tor": false,
"vpn": false,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
Detection logic
Condition
event_type eq "successful_login"
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
event_type | eq |
|
Output fields
Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.
| Field |
|---|
actor_user |
p_source_label |