Impossible Travel
Detects logins from geographically distant locations within a short time window, indicating possible credential compromise. This workflow uses city-to-city and country-to-country logic, travel speed calculation, and suppression of false positives for VPNs and known travel.
Fluency's AI analyzes login events to detect impossible travel scenarios by calculating the physical distance and time between login locations. The system considers real-world travel constraints and suppresses alerts for legitimate scenarios like VPN usage or known travel patterns.
AI Analysis vs Splunk SPL-Based Detection
See how advanced AI-driven security analysis compares to traditional SPL-based detection in key areas of context, logic, and output quality.
| Feature / Capability | AI Analysis | Splunk SPL-Based Detection |
|---|---|---|
| IP to location logic | Accurate with human-readable locations (Barcelona → Opfikon) and real-world travel distance | Based on iplocation, sometimes inaccurate or outdated; no city-to-city distance context |
| Device context awareness | The AI recognize the second IP is from a known AVD endpoint, and distinguish cloud-hosted vs. personal device | SPL treats IPs as flat values; doesn’t infer context from device names unless explicitly encoded in a lookup |
| User role logic | Knows the user is a subcontractor marked ONLY REMOTE, making virtual desktop infrastructure login expected. | SPL cannot infer or evaluate user roles without joining external HR or identity data. |
| Session analysis | The AI considered whether logins belong to the same session or different contexts (VDI vs. local) | SPL can’t link session context unless it’s engineered manually (e.g., through token IDs, session IDs) |
| False positive suppression logic | Advises suppression based on trusted IP/device combinations, remote work patterns, and device type | Requires custom correlation searches, lookups, or external context ingestion |
| ML signal interpretation | Distinguishes why the alert triggered (ML_NEW_USER, ML_NEW_GEO_ISP) and de-risks based on identity validation | SPL will just flag those risks; human/AI interpretation must be layered on top |
| Analyst judgment | Emulates how a human SOC analyst would reason through intent, identity, and environment | SPL doesn’t support nuanced intent modeling without external logic or ML/UEBA tooling |
| Output quality | Clear, contextual, explainable narrative with defensive recommendations | SPL produces tabular alerts and risk scores; lacks explanation without additional dashboards or notes |