What is an "Impossible Travel" scenario?

Introduction

If the same user attempts connections from two different locations, and the distance between those locations can't be covered in the elapsed time by conventional means of travel, it's considered to be an "impossible travel" scenario.


This is best explained through the following example:

A user logs into their Google Workspace account in New York City at 1:00 PM on a Friday. One hour later, the same user logs into their Google Workspace account from China.


Simply put, impossible travel is just what the term suggests: impossible. Therefore, Field Effect MDR can use this data as a simple and effective indicator that a user account has been compromised.

When Field Effect detects something that looks like impossible travel, an ARO will be generated, and an analyst will perform additional checks before releasing the ARO.


The severity of the impossible travel ARO will also depend on the specific event occurring. If an analyst has a high degree of confidence that this is a likely compromise, the severity of the ARO will be set higher. Other factors, such as the use of a VPN, are also considered in the analysis.
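The following is an added illustration of the detection logic described above; it is not Field Effect's code. It assumes a 1000 km/h ceiling for conventional travel and a `via_vpn` flag supplied by IP enrichment, and uses the article's New York to China example as constructed sample input.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: no conventional travel sustains more than ~1000 km/h door to door.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class Login:
    user: str
    when: datetime          # timezone-aware sign-in timestamp
    lat: float              # geolocation of the source IP
    lon: float
    via_vpn: bool = False   # source IP is a known VPN/proxy egress (assumed enrichment)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Login, cur: Login) -> float:
    """Speed the user would have needed to cover the distance in the elapsed time."""
    km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = abs((cur.when - prev.when).total_seconds()) / 3600.0
    if hours == 0:                      # two sign-ins at the same instant
        return float("inf") if km > 0 else 0.0
    return km / hours


def classify(prev: Login, cur: Login) -> Optional[str]:
    """Return 'high' or 'medium' for impossible travel, None when travel is plausible."""
    if prev.user != cur.user:
        raise ValueError("consecutive logins must belong to the same user")
    if implied_speed_kmh(prev, cur) <= MAX_PLAUSIBLE_SPEED_KMH:
        return None
    # A VPN on either side can explain the geolocation, so keep the finding
    # but hand it to the analyst at a lower severity rather than dropping it.
    return "medium" if (prev.via_vpn or cur.via_vpn) else "high"


# Constructed sample: the New York -> China pair from the article, one hour apart.
FRIDAY_1PM_NYC = datetime(2024, 5, 3, 17, 0, tzinfo=timezone.utc)   # 13:00 EDT
NYC = Login("alice", FRIDAY_1PM_NYC, 40.7128, -74.0060)
BEIJING_1H = Login("alice", FRIDAY_1PM_NYC + timedelta(hours=1), 39.9042, 116.4074)
```

`classify(NYC, BEIJING_1H)` returns `"high"` (roughly 11,000 km in one hour); the same pair 24 hours apart returns `None`, and a VPN egress on either side downgrades the finding to `"medium"` for analyst review.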


If you have upcoming travel plans that are atypical for your organization, you can use the Travel Exception form to inform us that the travel is expected, so that we do not alert on it.

See Making Travel Exceptions from the MDR Portal to learn more.

