Filter out Intelsat satellite network plane wifi from Impossible Travel

Intelsat provides in-flight wifi for a number of airlines (American, Alaska, etc) but like any ASN provides geographic information for a fixed spot on the globe. This leads to false positives when persons using in-flight wifi have login activity shortly before or after a login from in-flight.
panther-labs · Sep 18, 2024 · fc7d98c · fc7d98c
1 parent a39d69c
commit fc7d98c
Show file tree

Hide file tree

Showing 2 changed files with 116 additions and 1 deletion.
diff --git a/rules/standard_rules/impossible_travel_login.py b/rules/standard_rules/impossible_travel_login.py
@@ -9,6 +9,8 @@
 
 # pylint: disable=global-variable-undefined
 
+SATELLITE_NETWORK_ASNS = ["AS22351"]
+
 
 def gen_key(event):
     """
@@ -57,7 +59,7 @@ def rule(event):
     # stuff everything from ipinfo_location into the new_login_stats
     # new_login_stats is the value that we will cache for this key
     ipinfo_location = deep_get(src_ip_enrichments, "ipinfo_location")
-    if ipinfo_location is None:
+    if ipinfo_location is None or is_satellite_network(src_ip_enrichments):
         return False
     new_login_stats.update(ipinfo_location)
 
@@ -152,6 +154,15 @@ def rule(event):
     return speed > 900  # Boeing 747 cruising speed
 
 
+def is_satellite_network(src_ip_enrichments):
+    # Satellite networks have a GeoIP to a physical location, but transit around the globe
+    # In-flight plane wifi like Intelsat provides leads to false positives
+    ipinfo_asn = deep_get(src_ip_enrichments, "ipinfo_asn")
+    if deep_get(ipinfo_asn, "asn", default="") in SATELLITE_NETWORK_ASNS:
+        return True
+    return False
+
+
 def title(event):
     #
     log_source = deep_get(event, "p_source_label", default="<NO_SOURCE_LABEL>")

diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml
@@ -825,3 +825,107 @@ Tests:
         "uuid": "79999999-ffff-eeee-bbbb-222222222222",
         "version": "0",
       }
+  - Name: Okta sign-in with history and impossible travel, no VPN, Intelsat ASN
+    ExpectedResult: false
+    Mocks:
+      - objectName: put_string_set
+        returnValue: ""
+      - objectName: get_string_set
+        returnValue: >-
+          [
+           {
+            "p_event_time": "2023-05-26 18:14:51",
+            "city": "Los Angeles",
+            "country": "US",
+            "lat": "4.05223",
+            "lng": "-118.24368",
+            "postal_code": "90009",
+            "region": "California",
+            "region_code": "CA",
+            "timezone": "America/Los_Angeles"
+           }
+          ]
+    Log:
+      {
+        "actor":
+          {
+            "alternateId": "[email protected]",
+            "displayName": "Homer Simpson",
+            "id": "00uwuwuwuwuwuwuwuwuw",
+            "type": "User",
+          },
+        "authenticationContext":
+          { "authenticationStep": 0, "externalSessionId": "idx1234" },
+        "client":
+          {
+            "device": "Computer",
+            "ipAddress": "164.86.38.26",
+            "userAgent":
+              {
+                "browser": "CHROME",
+                "os": "Mac OS X",
+                "rawUserAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36",
+              },
+            "zone": "null",
+          },
+        "debugContext": { "debugData": {} },
+        "device": {},
+        "displayMessage": "User login to Okta",
+        "eventType": "user.session.start",
+        "legacyEventType": "core.user_auth.login_success",
+        "outcome": { "result": "SUCCESS" },
+        "p_event_time": "2023-05-26 20:18:51",
+        "p_enrichment":
+          {
+            "ipinfo_asn":
+              {
+                "client.ipAddress":
+                  {
+                    "asn": "AS22351",
+                    "domain": "intelsat.com",
+                    "name": "INTELSAT GLOBAL SERVICE CORPORATION",
+                    "p_match": "164.86.38.26",
+                    "route": "164.86.38.0/23",
+                    "type": "isp",
+                  },
+              },
+            "ipinfo_location":
+              {
+                "client.ipAddress":
+                  {
+                    "city": "Tysons Corner",
+                    "country": "US",
+                    "lat": "38.953",
+                    "lng": "-77.2295",
+                    "p_match": "164.86.38.26",
+                    "postal_code": "22102",
+                    "region": "Virginia",
+                    "region_code": "VA",
+                    "timezone": "America/America/New_York",
+                  },
+              },
+            "ipinfo_privacy":
+              {
+                "client.ipAddress":
+                  {
+                    "hosting": false,
+                    "proxy": false,
+                    "relay": false,
+                    "service": "",
+                    "tor": false,
+                    "vpn": true,
+                  },
+              },
+          },
+        "p_log_type": "Okta.SystemLog",
+        "p_source_label": "Okta Logs",
+        "p_parse_time": "2023-05-26 20:22:51.888",
+        "published": "2023-05-26 20:18:51.888",
+        "request": { "ipChain": [] },
+        "securityContext": {},
+        "severity": "INFO",
+        "target": [],
+        "transaction": {},
+        "uuid": "79999999-ffff-eeee-bbbb-222222222222",
+        "version": "0",
+      }