# Demystifying Impossible Traveler Detection

By [Yaniv Assor](https://www.paloaltonetworks.com/blog/author/yaniv-assor/?ts=markdown "Posts by Yaniv Assor"), Feb 12, 2025, 8 minutes

As organizations shift to cloud-based environments, security concerns grow, especially around protecting user accounts and sensitive data. The "Impossible Traveler" detection method, a key feature of [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr), is vital for spotting login attempts from distant locations in a short time. This blog explores the core detection opportunities, advanced techniques, and challenges in Impossible Traveler Detection.

## What is Impossible Traveler Detection?

Imagine this: Richu, a financial analyst based in New York, logs into their company's secure portal at 9:00 AM. Just 45 minutes later, a login attempt is detected from Tokyo using Alex's credentials. Unless Alex has access to a teleportation device, it's physically impossible for them to have traveled across the globe in such a short time. This discrepancy raises a red flag: an *Impossible Traveler alert.*

Impossible Traveler Detection is designed to identify these anomalies---situations where a user appears to log in from two geographically distant locations within an unrealistically short time. By analyzing the time, geography, and login patterns, the system detects potentially compromised accounts and helps security teams respond swiftly. In today's increasingly complex network environments, where remote work and global operations are the norm, this capability is more essential than ever.
In another example, Jamie, a sales executive, frequently logs in from different countries due to work travel. The system should learn Jamie's behavior while flagging unexpected or unusual patterns---like a simultaneous login from a region they have never visited.

![Figure 1. Impossible Traveler Cortex Identity alert description](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/02/word-image-334220-1.jpeg)

Figure 1. Impossible Traveler Cortex Identity alert description

## Basic Detection Logic using XQL

A simple XQL query can identify cases where users log in from multiple countries within a single session by detecting two logon attempts from the same user within a one-hour window. While this approach provides a basic mechanism for flagging Impossible Traveler scenarios, its limited refinement can generate anywhere from hundreds to thousands of alerts daily, depending on the environment's size and activity levels.

The *Impossible Traveler - SSO* XQL query can be found alongside a wide range of additional use cases in the [XQL Query Library](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Documentation/Datasets-and-presets). An example of this XQL query is provided in the [Appendix](#post-334220-_ktxgk8yuwhvm).

To refine detection accuracy and filter out alert fatigue, let's dive into the real-world challenges of VPNs, border geolocation, and evolving user travel patterns.

## Navigating Complex Networks: Unraveling False Positives Beyond Geography

In today's interconnected world, the widespread use of VPNs and the constant need for continuous connectivity present real challenges to accurate geolocation. Let's explore how these challenges manifest in practice:

### VPN Failover, Routing, and Geolocation Challenges

In real life, VPN gateways often change due to load balancing, redundancy, or failover setups for optimal performance, presenting risks for false positives in behavioral detection. These changes can instantly alter a user's IP address, making valid logins appear from different locations---such as shifting from Canada one moment to the U.S. the next. In this example, the system might mistakenly flag a valid login as an "Impossible Traveler" alert simply due to the nature of VPN configurations.

### Border Geolocation and Its Impact

IP addresses near borders can be particularly problematic. Due to the overlapping and fluid nature of IP address allocation, an IP might map to Canada on one day and to the neighboring U.S. on another. This scenario can result in a valid login being flagged as suspicious.

## Alert Key Factors and Features

Understanding the factors that impact whether an alert is triggered is vital for reducing false positives and improving alert fidelity. This section will explore key features such as identifying rare login locations, analyzing user travel patterns, and contextualizing origin IPs.

![Figure 2. Impossible Traveler authentication features](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/02/alt-text-tbdd.png)

Figure 2. Impossible Traveler authentication features

### Rare vs. Common Countries

To improve the accuracy of impossible traveler alerts, it's crucial to determine whether any country observed in a session is unusual for both the user and the organization. The system maintains dynamic profiles based on typical login patterns and thresholds. For example, if a user who normally logs in from North America suddenly appears in a rare location such as Madagascar, where the organization has no presence, the system flags this anomaly as suspicious and increases the alert's severity.

### Dynamic Learning Through User Travel Profiles

To enhance detection accuracy and reduce false positives, it is crucial to consider each user's travel profile. By building dynamic travel profiles, the system learns and recognizes consistent login patterns.
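As an added example (not Cortex XDR code and not from the post itself), the following Python folds the factors covered so far into one scoring routine: the travel speed implied by two consecutive successful logins of the same user, suppression when either IP sits in a known corporate VPN range or is an EDR-verified managed host, the user's travel profile, rarity of the country for the organization, and the interactive/non-interactive login type. All IP ranges (RFC 5737 test networks), profiles, the 1000 km/h threshold and the login events are constructed for the example.

```python
# Added example (not Cortex XDR code): score consecutive SSO logins per user.
import ipaddress
import math
from datetime import datetime, timezone

# Constructed reference data (assumptions; RFC 5737 test networks, not real ranges).
CORPORATE_VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
MANAGED_DEVICE_IPS = {"198.51.100.7"}  # EDR-verified employee host
ORG_COMMON_COUNTRIES = {"US", "CA", "GB", "DE"}
USER_TRAVEL_PROFILE = {"alex": {"US"}, "jamie": {"US", "GB", "DE", "JP"}}
MAX_PLAUSIBLE_KMH = 1000.0  # airline cruising speed, rounded; an assumption

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def is_trusted_ip(ip):
    """Corporate VPN/office NAT ranges and managed host IPs explain a location jump."""
    addr = ipaddress.ip_address(ip)
    return ip in MANAGED_DEVICE_IPS or any(addr in net for net in CORPORATE_VPN_RANGES)

def assess(prev, cur):
    """Score two consecutive successful logins of one user -> (verdict, severity, reasons).
    The trigger is the speed implied by distance and elapsed time, not a change of
    country, so a border IP that flips between CA and US a few km apart stays quiet."""
    hours = max((cur["time"] - prev["time"]).total_seconds() / 3600, 1 / 3600)
    dist_km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    speed = dist_km / hours
    if speed <= MAX_PLAUSIBLE_KMH:
        return "none", 0, [f"{speed:.0f} km/h is plausible travel"]
    reasons = [f"{dist_km:.0f} km in {hours * 60:.0f} min ({speed:.0f} km/h)"]
    if is_trusted_ip(prev["ip"]) or is_trusted_ip(cur["ip"]):
        return "suppressed", 0, reasons + ["trusted VPN/managed IP"]
    if cur["country"] in USER_TRAVEL_PROFILE.get(cur["user"], set()):
        return "informational", 0, reasons + ["country in user travel profile"]
    score = 1  # low: the country is rare for this user
    if cur["country"] not in ORG_COMMON_COUNTRIES:
        score += 1
        reasons.append("country rare for the organization")
    if cur["interactive"]:
        score += 1
        reasons.append("interactive login")
    return "alert", score, reasons

def event(user, ts, ip, country, lat, lon, interactive=True):
    """Build one constructed SSO login event (timestamps are UTC)."""
    return {"user": user, "time": datetime.fromisoformat(ts).replace(tzinfo=timezone.utc),
            "ip": ip, "country": country, "lat": lat, "lon": lon, "interactive": interactive}

# Constructed scenarios from the post: NY->Tokyo, VPN failover CA->US, Jamie, border flip.
SCENARIOS = {
    "alex_ny_tokyo": (event("alex", "2025-02-12T09:00", "192.0.2.10", "US", 40.71, -74.01),
                      event("alex", "2025-02-12T09:45", "192.0.2.20", "JP", 35.68, 139.69)),
    "vpn_failover": (event("alex", "2025-02-12T10:00", "203.0.113.5", "CA", 43.65, -79.38),
                     event("alex", "2025-02-12T10:02", "203.0.113.9", "US", 40.71, -74.01)),
    "jamie_travel": (event("jamie", "2025-02-12T08:00", "192.0.2.30", "GB", 51.51, -0.13),
                     event("jamie", "2025-02-12T08:30", "192.0.2.40", "JP", 35.68, 139.69)),
    "border_flip": (event("alex", "2025-02-12T11:00", "192.0.2.50", "CA", 42.32, -83.04),
                    event("alex", "2025-02-12T11:05", "192.0.2.51", "US", 42.33, -83.05)),
}

def run_scenarios():
    """Assess every scenario; returns {name: (verdict, severity, reasons)}."""
    return {name: assess(prev, cur) for name, (prev, cur) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (verdict, sev, why) in run_scenarios().items():
        print(f"{name:14} {verdict:13} severity={sev}  {'; '.join(why)}")
```

Only the New York to Tokyo pair produces an alert (severity 3: rare for the user, rare for the organization, interactive); the VPN failover and Jamie's travel are explained by trusted IPs and the travel profile, and the border flip never exceeds the speed threshold.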
Take a frequent traveler like Jamie, a salesperson who regularly logs in from multiple international locations: the detector understands that his logins from several countries within a short timeframe are part of his regular behavior. This dynamic approach not only improves the fidelity of the alerts by differentiating between legitimate and suspicious activities but also minimizes false positives that might otherwise be triggered by an atypical login pattern.

### Contextualizing Origin IP, Managed IPs, and Device Context

To reduce false positives in impossible traveler detection, exclude connections from managed devices. This includes office NAT IPs or employee host IPs verified by trusted sources like endpoint detection and response (EDR) systems. By confirming the IP is linked to a corporate device, organizations can better identify legitimate activity, ensuring valid logins are not mistakenly flagged as suspicious and improving detection accuracy.

### Analyzing Authentication Methods: Interactive vs. Non-Interactive Logins

Yet another important factor that determines whether an alert will fire is the type of login used for a session. Different types of logins, such as a user manually signing in to his/her account ('interactive logins') versus automated system processes or applications ('non-interactive logins'), may carry different risk levels. Interactive logins are increasingly used by attackers, which makes them more relevant when classifying behavior as suspicious in impossible traveler alerts, since they are more likely to be associated with potential security threats.

## Impossible Traveler Alert Scenarios Explained

The table below illustrates scenarios highlighting features discussed in this blog, such as observed countries, rare locations, and user travel profiles. Each row represents a user scenario affecting alert triggers or severity. Note: This is a high-level, simplified example of the detector's logic.

![Figure 3. Features of Impossible Traveler alert scenarios](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/02/word-image-334220-3.png)

Figure 3. Features of Impossible Traveler alert scenarios

## Beyond Detection: Investigation Actions for Better Alert Triage

When investigating impossible traveler alerts, enriching the detection process with additional context is crucial for reducing false positives and improving overall security. By applying best practices, such as leveraging device context and analyzing prior authentication attempts, organizations can better distinguish between legitimate user behavior and potential threats.

**1. Maintaining Corporate VPN IP Lists**

To improve detection accuracy, maintain a list of known IP ranges for your corporate VPN solution. By identifying logins from trusted IPs, you can reduce alert severity and filter out legitimate activity, ensuring only true threats trigger high-severity alerts.

**2. Device Context and Fingerprinting**

Understanding device context is essential for reducing false positives and identifying suspicious behavior. Device fingerprinting compares the device used for login against the user's profile, improving the precision of identifying legitimate or suspicious logins.

**3. Analyzing Prior Authentication Attempts**

Reviewing previous login attempts, especially during impossible traveler alerts, can reveal attack techniques like MFA fatigue or brute-force attacks. Monitoring failed sign-in attempts versus average attempts can help detect these suspicious activities early.

**4. Resource Access Post-Authentication**

Logging the resources accessed after authentication can highlight unusual behavior. If a user accesses resources they haven't used in a long time, alongside triggering impossible traveler criteria, it can signal a higher level of threat and warrant further investigation.

## Final Thoughts

As cloud adoption accelerates, detecting unauthorized access becomes increasingly critical. Impossible Traveler Detection plays a vital role in identifying anomalous logins, but factors like VPN usage, dynamic IP allocation, and global workforce mobility introduce complexities that can lead to excessive false positives. To enhance detection accuracy, Cortex XDR refines alerting mechanisms by incorporating behavioral analytics, contextual device data, and adaptive risk-based assessments. The ultimate goal is to strike a balance between security and operational efficiency---effectively identifying real threats without burdening SOC analysts with excessive alert volume.

For the Cortex XDR alert reference, see [Impossible Traveler alert reference](https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Impossible-traveler-SSO?tocId=fGWsRbJRvH_MAE59JaS3Iw).

## Appendix

The XQL query below detects successful logins from different countries by the same user within a one-hour timeframe.

```xql
// Successful SSO logons that carry a usable source country
preset = authentication_story
| alter hour = extract_time(_time, "Hour")
| alter day = extract_time(_time, "DAYOFYEAR")
| filter action_country != "" and action_country != "-" and auth_outcome = "SUCCESS" and action_country != null
// day and hour in the grouping key bound the comparison to one clock hour per identity
| comp values(action_country) as countries by auth_identity, day, hour
| alter count_distinct_action_country = array_length(countries)
// more than one distinct country for the same identity in the same hour
| filter count_distinct_action_country > 1
```

Because the grouping uses calendar hours rather than a sliding window, two logins at 09:58 and 10:02 fall into different buckets and are not compared; catching those requires comparing each login with the previous one for the same identity.