# The Impossible Traveler

{% embed url="<https://www.youtube.com/watch?v=1tu9Lxr1ZEI>" %}

Onum is optimal for more advanced use cases in behavioral analytics to collect, analyze, and interpret user behavior and gain insights into patterns, actions, or suspicious activity.

The impossible traveler use case is when activity for the same user is detected from geographically distant locations within a time frame too short for that user to have travelled between them.

We will use Onum to analyze user geolocations and calculate the speed between them in order to send an alert if any strange activity is detected.

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FZpImJP93pibjVSDGfP8n%2Fdark-medium%20(11).png?alt=media&#x26;token=15037bc2-8b60-44ea-a262-abac2a5a1899" alt=""><figcaption></figcaption></figure>

First, we parse the data coming from the Listener to extract the usernames and IPs of Cisco VPN logins.

## Obtain Geolocations

In order to obtain the geolocation of the logins, we send the ***Public IPs*** to the MaxMind GeoIP database via the **HTTP request** action.

Now that we have the geolocations for the logs from the Cisco VPN Listener, we take the ***username*** field from the parser and use the **Redis** action to send a GET request that checks whether that user already exists in the database. This tells us whether this is the first time the user has logged in through the VPN, or whether they have used the VPN before.

If the user does not exist, there is no previous IP information to compare against, so this data is considered **null** as far as this use case is concerned. We use the **filter** action to separate the **null** from the **not null** values. We need to store the new user's values in the database for next time, so connect the ***null*** port to a **Redis** action that sends SET requests. Once stored, send the event to the **null** action to discard it this time around.

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FE9nEZfOkgAw7N8BgoUFg%2Fdark-small%20(1).png?alt=media&#x26;token=1ad93906-b94d-4d85-97b2-47ad10486395" alt=""><figcaption></figcaption></figure>

If the value is not null, in other words, data on this user exists, we can use it to further the analysis.

## Obtain coordinates

Now that we know the user has logged in before, we need to find out where and when the previous logins took place, so that we can compare them with the most recent log.

We add a **Parser** action to obtain the **Timestamp** and **City** fields of the most recent geolocated public IP and another to grab the **Timestamp** and **City** from the **HTTP** Action providing the user data from Redis.

Now we can use the **City** fields to obtain the coordinates, as later we will use the latitude and longitude values to calculate the distance and the time.

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FJSQIw5cDeyEoQyY7ieB5%2F2025-03-06_12-11-37.png?alt=media&#x26;token=71e76de9-2444-45a5-ba44-831d247cbfb2" alt=""><figcaption></figcaption></figure>

## Calculate distance and time

Now that we have the lat/long coordinates and timestamps, we can calculate the distance and the time elapsed between the last login stored in Redis and the most recent log.

### Time Difference

In the **Math Expression** action, we subtract the Redis timestamp from the timestamp field of the current log to obtain the time difference.

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2Fjk2Vr2RP0ne8ZloVG6Ek%2Fdark-large%20(21).png?alt=media&#x26;token=c52b9242-e90e-46bb-aa7b-858cda5c311b" alt=""><figcaption></figcaption></figure>

### Distance

In the same action, we use the ***latitude*** and ***longitude*** coordinates in the following mathematical expression to obtain the **Distance:**

<pre><code>(((((${redisParsedCity.lat} - ${httpOutCity.lat}) * (3.1XXXXXXX / 180)) * 6371) ** 2) + ((((${redisParsedCity.lon} - (${httpOutCity.lon})) * (3.1XXXXXXXXXX / 180)) * 6371 * ((${httpOutCity.lat} + ${redisParsedCity.lat}) * (3.1XXXXXXXXX / 180) / 2) ** 0) ** 2)) ** 0.5
</code></pre>

## Calculate the speed

Using the **Math Expression** action, we divide the **distance** field by (**diffTime** / 60 / 60), which converts the time difference from seconds to hours and gives the speed in km/h.

$$
distance / ({diffTime}/60/60)
$$

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2F28LEHAF7tZ2h5of5JkT0%2Fdark-large%20(22).png?alt=media&#x26;token=9aa1aaee-02eb-4d94-8cd3-ac6e17ffb43c" alt=""><figcaption></figcaption></figure>

As the speed values for all users, existing and new, are useful for further analysis, they are stored back in the **Redis** database using SET requests. Once stored, the event can be discarded through the **null** action.

We connect the next actions to the same port to continue using the data.

## Check the speed and alert of anomalous activity

We can use the speed to track the movements of the user. If the time elapsed between the two logins is shorter than the time it would take to travel between the previous location and the most recent one, the behavior is flagged as suspicious and an alert is raised.

The **Filter** action checks for speeds greater than what is considered suspicious (here it is 100 km/h). If the speed matches this condition, the event is sent to the **Message Builder** to compose a message that sends an alert to your destination sink (in this case, an alert is sent to **Slack**).
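The whole pipeline described above (Redis GET/SET for the previous login, equirectangular distance, speed in km/h, 100 km/h filter), as an added example that is not Onum's code or part of the original page. The usernames, timestamps and coordinates are constructed sample data; a plain dictionary stands in for Redis, and the distance step uses the cosine of the mean latitude to scale the longitude delta, plus a guard for a zero time difference, which the page's expression would divide by.

```python
import math

EARTH_RADIUS_KM = 6371.0
SPEED_THRESHOLD_KMH = 100.0   # filter threshold used on the page


def equirect_distance_km(lat1, lon1, lat2, lon2):
    # Equirectangular approximation: latitude delta and longitude delta
    # (scaled by cos of the mean latitude) in radians, times Earth's radius.
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    x = math.radians(lon2 - lon1) * math.cos((phi1 + phi2) / 2)
    return EARTH_RADIUS_KM * math.sqrt(x * x + dphi * dphi)


def speed_kmh(distance_km, diff_seconds):
    # distance / (diffTime/60/60); guard the zero-elapsed case.
    if diff_seconds <= 0:
        return math.inf if distance_km > 0 else 0.0
    return distance_km / (diff_seconds / 60 / 60)


def run_pipeline(events, store=None):
    """events: (username, epoch_seconds, lat, lon) in arrival order.
    store plays the role of Redis: username -> last (ts, lat, lon).
    Returns the (username, speed_kmh) pairs that would go to Slack."""
    store = {} if store is None else store
    alerts = []
    for user, ts, lat, lon in events:
        prev = store.get(user)          # Redis GET
        store[user] = (ts, lat, lon)    # Redis SET for next time
        if prev is None:                # null port: first login, discard
            continue
        pts, plat, plon = prev
        spd = speed_kmh(equirect_distance_km(plat, plon, lat, lon), ts - pts)
        if spd > SPEED_THRESHOLD_KMH:   # Filter -> Message Builder
            alerts.append((user, round(spd, 1)))
    return alerts


# Constructed sample: alice logs in from Madrid, then London 30 minutes
# later (impossible); bob moves within Paris over a day (plausible).
SAMPLE_LOGINS = [
    ("alice", 1_700_000_000, 40.4168, -3.7038),
    ("alice", 1_700_001_800, 51.5074, -0.1278),
    ("bob",   1_700_000_000, 48.8566,  2.3522),
    ("bob",   1_700_086_400, 48.8600,  2.3400),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_LOGINS))
```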

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FyTJa8kd1MlqD3KPm7tz7%2F2025-03-06_12-17-39.png?alt=media&#x26;token=9552d4b5-45f4-4a91-b3fc-7097a1d1b89b" alt=""><figcaption></figcaption></figure>

You have successfully implemented an early warning system and improved the security of your network.

<figure><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FBQX1RucIYDjg0ZcAh2dN%2Fthumbnail.png?alt=media&#x26;token=d2480215-ad17-4784-b14d-18d1a667c00e" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
You can download this Pipeline from [Marketplace](https://app.gitbook.com/s/kxZeV4nlXcIAjMGZxzLI/marketplace/falcon-onum-marketplace) and import it directly in your Tenant.
{% endhint %}

<figure><picture><source srcset="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2FcO4KDCcLxGGTEkdWfoJC%2FScreenshot%202024-12-10%20at%2012.10.19%201.png?alt=media&#x26;token=8b0c8cdf-a8c5-4dbc-806c-b59505c29804" media="(prefers-color-scheme: dark)"><img src="https://682750473-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlMswUMhL1LeEvusY1XNC%2Fuploads%2Fsw0NSQqMNWk1ZKb5X1SP%2FScreenshot%202024-12-10%20at%2012.03.05%201.png?alt=media&#x26;token=0d165600-2e7e-4d68-8dbd-42f424954e4e" alt=""></picture><figcaption></figcaption></figure>
