cscli scenarios install crowdsecurity/impossible-travel

Generic implementation of impossible travel: it detects a user logging in from two different locations in a short period of time, by comparing the GeoIP coordinates of two consecutive successful logins of the same user on the same service. If you wish to write a parser whose events fall into this generic bucket, you must set the following attributes on the meta object:
- log_type: auth_success
- source_ip: the IP address the login came from (the GeoIP enrichment stage uses it to fill Enriched.Latitude and Enriched.Longitude, which is what the scenario compares)
- user: the user that logged in
- service: the service the user logged in to, e.g. ssh

It is important to set the service attribute, as this is how the buckets are separated: the scenario groups events by the service name concatenated with the user. If you do not set the service attribute, all the events for the same user will fall into the same bucket no matter which service they came from, so a user legitimately logged in to two different services from two different places would be compared as if it were one login trail, which could lead to false positives.
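As an added example (not part of the hub scenario or of any existing CrowdSec parser), here is an s01-parse stage parser that sets the four meta attributes for a hypothetical application named `myapp` whose syslog message part reads like `login ok user=alice ip=203.0.113.7`. The `myapp` program name, the log line format, the sample line and the parser name `example/myapp-auth` are assumptions made for illustration:

```yaml
# Added example: an s01-parse parser feeding crowdsecurity/impossible-travel.
# The 'myapp' program name and the log line format are assumptions.
# Constructed sample line (syslog message part, after the syslog parser ran):
#   login ok user=alice ip=203.0.113.7
onsuccess: next_stage
filter: "evt.Parsed.program == 'myapp'"
name: example/myapp-auth
description: "Parse myapp successful logins for the impossible-travel bucket"
grok:
  pattern: 'login ok user=%{NOTSPACE:user} ip=%{IP:source_ip}'
  apply_on: message
statics:
  # Required by the scenario filter (evt.Meta.log_type == 'auth_success')
  - meta: log_type
    value: auth_success
  # Required so the GeoIP enrichment stage can fill Enriched.Latitude/Longitude
  - meta: source_ip
    expression: evt.Parsed.source_ip
  # Required by the scenario filter; must be non-empty
  - meta: user
    expression: evt.Parsed.user
  # Separates buckets per service; omit it and all of this user's logins
  # share one bucket regardless of which service they came from
  - meta: service
    value: myapp
```

Drop the file under the parsers/s01-parse directory of the CrowdSec configuration so it runs before the s02-enrich stage, and make sure the crowdsecurity/geoip-enrich parser (usually pulled in by the base collections; otherwise `cscli parsers install crowdsecurity/geoip-enrich`) is installed: the scenario reads the enriched coordinates, and without that enrichment the condition has no latitude and longitude to compare.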
```yaml
## Generic bucket to handle impossible travel for authentication
type: conditional
name: crowdsecurity/impossible-travel
description: "Detect Impossible Travel"
filter: "evt.Meta.log_type == 'auth_success' && evt.Meta.user not in ['', nil]"
groupby: "evt.Meta.service + evt.Meta.user"
# To make it generic we concatenate the service name and the user
capacity: -1
condition: |
  len(queue.Queue) >= 2
  and Distance(queue.Queue[-1].Enriched.Latitude, queue.Queue[-1].Enriched.Longitude,
  queue.Queue[-2].Enriched.Latitude, queue.Queue[-2].Enriched.Longitude) > 1000
leakspeed: 3h
labels:
  remediation: false
  classification:
    - attack.T1078
  behavior: "auth:successful"
  label: "Impossible travel"
  spoofable: 0
  service: authentication
  confidence: 3
```

How it works: the filter keeps only successful authentications with a non-empty user; groupby gives each service+user pair its own bucket; capacity: -1 makes the queue unbounded so the condition can look back at the previous event. On each new event the bucket compares the newest entry (queue.Queue[-1]) with the one before it (queue.Queue[-2]) and overflows when their GeoIP coordinates are more than 1000 km apart (Distance returns kilometres). leakspeed: 3h sets how quickly earlier logins drain out of the queue, which is what bounds the time window over which two logins are compared. The labels mark the scenario remediation: false, so with the default profiles it raises an alert but no ban decision, and classify it under MITRE ATT&CK T1078 (Valid Accounts).