adjust logic to behave the same as VPN/relay checks

panther-labs · Sep 23, 2024 · cf5987e · cf5987e
1 parent fc7d98c
commit cf5987e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 7 deletions.
diff --git a/rules/standard_rules/impossible_travel_login.py b/rules/standard_rules/impossible_travel_login.py
@@ -33,11 +33,13 @@ def rule(event):
     global CACHE_KEY
     global IS_VPN
     global IS_PRIVATE_RELAY
-
+    global IS_SATELLITE_NETWORK
+
     EVENT_CITY_TRACKING = {}
     CACHE_KEY = ""
     IS_VPN = False
     IS_PRIVATE_RELAY = False
+    IS_SATELLITE_NETWORK = False
 
     # Only evaluate successful logins
     if event.udm("event_type") != event_type.SUCCESSFUL_LOGIN:
@@ -59,7 +61,7 @@ def rule(event):
     # stuff everything from ipinfo_location into the new_login_stats
     # new_login_stats is the value that we will cache for this key
     ipinfo_location = deep_get(src_ip_enrichments, "ipinfo_location")
-    if ipinfo_location is None or is_satellite_network(src_ip_enrichments):
+    if ipinfo_location is None:
         return False
     new_login_stats.update(ipinfo_location)
 
@@ -89,11 +91,15 @@ def rule(event):
                 deep_get(ipinfo_privacy, "service", default="") != "",
             ]
         )
-    if IS_VPN or IS_PRIVATE_RELAY:
+    # Some satellite networks used during plane travel don't always 
+    #   register properly as VPN's, so we have a separate check here.
+    IS_SATELLITE_NETWORK = is_satellite_network(src_ip_enrichments)
+    if IS_VPN or IS_PRIVATE_RELAY or IS_SATELLITE_NETWORK:
         new_login_stats.update(
             {
                 "is_vpn": f"{IS_VPN}",
                 "is_apple_priv_relay": f"{IS_PRIVATE_RELAY}",
+                "is_satellite_network": f"{IS_SATELLITE_NETWORK}",
                 "service_name": f"{deep_get(ipinfo_privacy, 'service', default='<NO_SERVICE>')}",
                 "NOTE": "APPLE PRIVATE RELAY AND VPN LOGINS ARE NOT CACHED FOR COMPARISON",
             }
@@ -109,7 +115,7 @@ def rule(event):
     # If we haven't seen this user login in the past 1 day,
     # store this login for future use and don't alert
     if not last_login:
-        if not (IS_PRIVATE_RELAY or IS_VPN):
+        if not (IS_PRIVATE_RELAY or IS_VPN or IS_SATELLITE_NETWORK):
             put_string_set(
                 key=CACHE_KEY,
                 val=[dumps(new_login_stats)],
@@ -190,7 +196,7 @@ def alert_context(event):
 
 
 def severity(_):
-    if IS_VPN or IS_PRIVATE_RELAY:
+    if any((IS_VPN, IS_PRIVATE_RELAY, IS_SATELLITE_NETWORK)):
         return "INFO"
     # time = distance/speed
     distance = deep_get(EVENT_CITY_TRACKING, "distance", default=None)

diff --git a/rules/standard_rules/impossible_travel_login.yml b/rules/standard_rules/impossible_travel_login.yml
@@ -826,7 +826,7 @@ Tests:
         "version": "0",
       }
   - Name: Okta sign-in with history and impossible travel, no VPN, Intelsat ASN
-    ExpectedResult: false
+    ExpectedResult: true
     Mocks:
       - objectName: put_string_set
         returnValue: ""
@@ -913,7 +913,7 @@ Tests:
                     "relay": false,
                     "service": "",
                     "tor": false,
-                    "vpn": true,
+                    "vpn": false,
                   },
               },
           },