

Filter out Intelsat satellite network plane wifi from Impossible Trav…
…el (#1358)

Co-authored-by: Ben Airey <[email protected]>
Co-authored-by: Ariel Ropek <[email protected]>
Co-authored-by: Ariel <[email protected]>
4 people authored Sep 30, 2024
1 parent 91662f6 commit e36ab75
Showing 2 changed files with 119 additions and 4 deletions.
19 changes: 15 additions & 4 deletions rules/standard_rules/impossible_travel_login.py
Expand Up @@ -9,6 +9,8 @@

# pylint: disable=global-variable-undefined

SATELLITE_NETWORK_ASNS = ["AS22351"]


def gen_key(event):
"""
Expand All @@ -26,16 +28,18 @@ def gen_key(event):

def rule(event):
# too-many-return-statements due to error checking
# pylint: disable=global-statement,too-many-return-statements,too-complex
# pylint: disable=global-statement,too-many-return-statements,too-complex,too-many-statements
global EVENT_CITY_TRACKING
global CACHE_KEY
global IS_VPN
global IS_PRIVATE_RELAY
global IS_SATELLITE_NETWORK

EVENT_CITY_TRACKING = {}
CACHE_KEY = ""
IS_VPN = False
IS_PRIVATE_RELAY = False
IS_SATELLITE_NETWORK = False

# Only evaluate successful logins
if event.udm("event_type") != event_type.SUCCESSFUL_LOGIN:
Expand Down Expand Up @@ -87,11 +91,18 @@ def rule(event):
deep_get(ipinfo_privacy, "service", default="") != "",
]
)
if IS_VPN or IS_PRIVATE_RELAY:
# Some satellite networks used during plane travel don't always
# register properly as VPN's, so we have a separate check here.
IS_SATELLITE_NETWORK = (
deep_get(src_ip_enrichments, "ipinfo_asn", "asn", default="") in SATELLITE_NETWORK_ASNS
)

if any((IS_VPN, IS_PRIVATE_RELAY, IS_SATELLITE_NETWORK)):
new_login_stats.update(
{
"is_vpn": f"{IS_VPN}",
"is_apple_priv_relay": f"{IS_PRIVATE_RELAY}",
"is_satellite_network": f"{IS_SATELLITE_NETWORK}",
"service_name": f"{deep_get(ipinfo_privacy, 'service', default='<NO_SERVICE>')}",
"NOTE": "APPLE PRIVATE RELAY AND VPN LOGINS ARE NOT CACHED FOR COMPARISON",
}
Expand All @@ -107,7 +118,7 @@ def rule(event):
# If we haven't seen this user login in the past 1 day,
# store this login for future use and don't alert
if not last_login:
if not (IS_PRIVATE_RELAY or IS_VPN):
if not any((IS_VPN, IS_PRIVATE_RELAY, IS_SATELLITE_NETWORK)):
put_string_set(
key=CACHE_KEY,
val=[dumps(new_login_stats)],
Expand Down Expand Up @@ -179,7 +190,7 @@ def alert_context(event):


def severity(_):
if IS_VPN or IS_PRIVATE_RELAY:
if any((IS_VPN, IS_PRIVATE_RELAY, IS_SATELLITE_NETWORK)):
return "INFO"
# time = distance/speed
distance = deep_get(EVENT_CITY_TRACKING, "distance", default=None)
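Review bot: The `NOTE` value in the `new_login_stats.update` call (third hunk) still reads `APPLE PRIVATE RELAY AND VPN LOGINS ARE NOT CACHED FOR COMPARISON`, but the fourth hunk now also skips `put_string_set` when `IS_SATELLITE_NETWORK` is set, so the alert context understates what is excluded from the travel baseline; `"NOTE": "APPLE PRIVATE RELAY, VPN AND SATELLITE NETWORK LOGINS ARE NOT CACHED FOR COMPARISON",` keeps it accurate. The new exemption matches on the whole ASN (`SATELLITE_NETWORK_ASNS = ["AS22351"]`) rather than on in-flight address ranges, so every successful login routed through that AS is downgraded to INFO by `severity` and never stored as a baseline, which is a wider detection gap than the "plane travel" comment above the check suggests; a comment on the constant, e.g. `# Whole-ASN match: any login from these ASNs is treated like a VPN login (INFO severity, not cached)`, would make that trade-off explicit for whoever extends the list. Both `rule` and `severity` extend beyond the hunks shown here.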
104 changes: 104 additions & 0 deletions rules/standard_rules/impossible_travel_login.yml
Expand Up @@ -825,3 +825,107 @@ Tests:
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
- Name: Okta sign-in with history and impossible travel, no VPN, Intelsat ASN
ExpectedResult: true
Mocks:
- objectName: put_string_set
returnValue: ""
- objectName: get_string_set
returnValue: >-
[
{
"p_event_time": "2023-05-26 18:14:51",
"city": "Los Angeles",
"country": "US",
"lat": "4.05223",
"lng": "-118.24368",
"postal_code": "90009",
"region": "California",
"region_code": "CA",
"timezone": "America/Los_Angeles"
}
]
Log:
{
"actor":
{
"alternateId": "[email protected]",
"displayName": "Homer Simpson",
"id": "00uwuwuwuwuwuwuwuwuw",
"type": "User",
},
"authenticationContext":
{ "authenticationStep": 0, "externalSessionId": "idx1234" },
"client":
{
"device": "Computer",
"ipAddress": "164.86.38.26",
"userAgent":
{
"browser": "CHROME",
"os": "Mac OS X",
"rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
},
"zone": "null",
},
"debugContext": { "debugData": {} },
"device": {},
"displayMessage": "User login to Okta",
"eventType": "user.session.start",
"legacyEventType": "core.user_auth.login_success",
"outcome": { "result": "SUCCESS" },
"p_event_time": "2023-05-26 20:18:51",
"p_enrichment":
{
"ipinfo_asn":
{
"client.ipAddress":
{
"asn": "AS22351",
"domain": "intelsat.com",
"name": "INTELSAT GLOBAL SERVICE CORPORATION",
"p_match": "164.86.38.26",
"route": "164.86.38.0/23",
"type": "isp",
},
},
"ipinfo_location":
{
"client.ipAddress":
{
"city": "Tysons Corner",
"country": "US",
"lat": "38.953",
"lng": "-77.2295",
"p_match": "164.86.38.26",
"postal_code": "22102",
"region": "Virginia",
"region_code": "VA",
"timezone": "America/America/New_York",
},
},
"ipinfo_privacy":
{
"client.ipAddress":
{
"hosting": false,
"proxy": false,
"relay": false,
"service": "",
"tor": false,
"vpn": false,
},
},
},
"p_log_type": "Okta.SystemLog",
"p_source_label": "Okta Logs",
"p_parse_time": "2023-05-26 20:22:51.888",
"published": "2023-05-26 20:18:51.888",
"request": { "ipChain": [] },
"securityContext": {},
"severity": "INFO",
"target": [],
"transaction": {},
"uuid": "79999999-ffff-eeee-bbbb-222222222222",
"version": "0",
}
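Review bot: The new test case pins only `ExpectedResult: true`, while the behaviour the change introduces is the INFO severity downgrade and the skipped `put_string_set` for `AS22351`; if the test format supports asserting the returned severity or the mock call, adding that would keep a later refactor of `severity` from silently regressing it. Two fixture values also look wrong: the cached login's `"lat": "4.05223"` is not Los Angeles, and `"timezone": "America/America/New_York"` is not a valid zone name; they appear to be carried over from an earlier case and do not affect this path, but a reader comparing the two locations will be misled. The `Tests:` list this case belongs to starts above the hunk.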
