```
cscli scenarios install crowdsecurity/impossible-travel-user
```

Generic implementation of impossible travel to detect users logging in from two different locations in a short period of time. If you wish to write a parser whose events fall into this generic bucket, you must set the following attributes on the meta object:

- `log_type`: `auth_success`
- `source_ip`: the IP address
- `user`: the user that logged in
- `service`: the service the user logged in to, e.g. `ssh`

It is important to set the `service` attribute, as this is how the buckets are separated. If you do not set the `service` attribute, all the events for the same user will fall into the same bucket no matter whether they came from different services, which could lead to false positives.

```yaml
## Generic bucket to handle impossible travel for authentication with username scope
type: conditional
name: crowdsecurity/impossible-travel-user
description: "impossible travel user"
filter: "evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"
groupby: "evt.Meta.service + evt.Meta.user"
# To make it generic we concatenate the service name and the user
capacity: -1
condition: |
  len(queue.Queue) >= 2
  and Distance(queue.Queue[-1].Enriched.Latitude, queue.Queue[-1].Enriched.Longitude,
  queue.Queue[-2].Enriched.Latitude, queue.Queue[-2].Enriched.Longitude) > 1000
leakspeed: 3h
scope:
  type: username
  expression: evt.Meta.user
labels:
  remediation: false
  classification:
    - attack.T1078
  behavior: "auth:successful"
  label: "Impossible travel"
  spoofable: 0
  service: authentication
  confidence: 3
```
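To make the bucket logic above concrete, here is an added Python replay of the scenario over a handful of constructed events. It is an illustration written for this page, not CrowdSec's bucket engine or any code from the hub: it applies the same filter, the same `service + user` grouping key, the same "last two events more than 1000 km apart" condition, and approximates `leakspeed: 3h` by forgetting events older than three hours. The `Distance()` helper is assumed to be a great-circle (haversine) distance in kilometres, and a bucket is assumed to be emptied once it overflows; all events, users, IPs and coordinates are made up. Running it with and without the `service` part of the key shows why the page insists on setting `service`.

```python
import math
from collections import defaultdict

KM_THRESHOLD = 1000.0      # scenario condition: Distance(...) > 1000
LEAK_SECONDS = 3 * 3600    # leakspeed: 3h (approximated as a sliding window)


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine); assumed to match CrowdSec's Distance() helper."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlambda = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def passes_filter(event):
    """filter: evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"""
    meta = event["meta"]
    return meta.get("log_type") == "auth_success" and meta.get("user") not in ("", None)


def bucket_key(meta, use_service=True):
    """groupby: evt.Meta.service + evt.Meta.user (or just the user, to show the false-positive case)."""
    return (meta.get("service", "") + meta["user"]) if use_service else meta["user"]


def run_scenario(events, use_service=True):
    """Replay events in time order; return (bucket_key, user) for every overflow, in order."""
    queues = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # stable sort keeps input order for equal ts
        if not passes_filter(ev):
            continue
        key = bucket_key(ev["meta"], use_service)
        q = queues[key]
        # leakspeed approximation: events older than the leak window have drained out of the bucket
        q[:] = [old for old in q if ev["ts"] - old["ts"] < LEAK_SECONDS]
        q.append(ev)
        if len(q) >= 2:
            last, prev = q[-1]["enriched"], q[-2]["enriched"]
            if distance_km(last["lat"], last["lon"], prev["lat"], prev["lon"]) > KM_THRESHOLD:
                alerts.append((key, ev["meta"]["user"]))
                q.clear()   # assumption: an overflowed bucket is discarded and starts fresh
    return alerts


def _ev(ts, user, service, ip, lat, lon):
    """Build a constructed event with the meta keys the page requires plus GeoIP enrichment."""
    return {"ts": ts,
            "meta": {"log_type": "auth_success", "source_ip": ip, "user": user, "service": service},
            "enriched": {"lat": lat, "lon": lon}}


PARIS, NEW_YORK, LISBON = (48.8566, 2.3522), (40.7128, -74.0060), (38.7223, -9.1393)

# Constructed sample input (documentation-range IPs, fictional users):
EVENTS = [
    _ev(0,        "alice", "ssh",    "203.0.113.10", *PARIS),     # alice: Paris ...
    _ev(1800,     "alice", "ssh",    "198.51.100.7", *NEW_YORK),  # ... then New York 30 min later
    _ev(0,        "dave",  "ssh",    "203.0.113.11", *PARIS),     # dave: Paris ...
    _ev(4 * 3600, "dave",  "ssh",    "198.51.100.8", *NEW_YORK),  # ... then New York 4 h later (leaked)
    _ev(100,      "",      "ssh",    "203.0.113.12", *PARIS),     # empty user: dropped by the filter
    _ev(600,      "bob",   "ssh",    "203.0.113.13", *PARIS),     # bob: ssh from Paris ...
    _ev(900,      "bob",   "webapp", "192.0.2.44",   *LISBON),    # ... and a web app via a Lisbon egress
]

if __name__ == "__main__":
    print("with service in key:   ", run_scenario(EVENTS))
    print("without service in key:", run_scenario(EVENTS, use_service=False))
```

With the service in the grouping key only `alice` overflows (Paris to New York in half an hour); `dave`'s two logins are more than three hours apart, so the first has leaked out of the bucket, and the empty-user event never enters one. Drop the service from the key and `bob` also fires, because his ssh login and his web-app login (coming out of a different network egress) are compared against each other even though each service on its own shows a single, consistent location.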