diff --git a/queries/cisco_duo_atypical_travel_impossible_travel.yml b/queries/cisco_duo_atypical_travel_impossible_travel.yml
new file mode 100644
index 0000000..592078c
--- /dev/null
+++ b/queries/cisco_duo_atypical_travel_impossible_travel.yml
@@ -0,0 +1,44 @@
+# --- Query Metadata ---
+# Human-readable name for the query. Will be displayed as the title.
+name: Cisco Duo - Atypical Travel (Impossible Travel)
+
+# MITRE ATT&CK technique IDs
+mitre_ids:
+  - T1078
+
+# Description of what the query does and its purpose.
+description: |
+  Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials.
+
+# The author or team that created the query.
+author: Kundan Kumar
+
+# The required log sources to run this query successfully in Next-Gen SIEM.
+log_sources:
+  - Other
+
+# Tags for filtering and categorization.
+tags:
+  - Detection
+
+# --- Query Content ---
+# The actual CrowdStrike Query Language (CQL) code.
+# Using the YAML block scalar `|` allows for multi-line strings.
+cql: |
+  #Vendor = cisco
+ | #event.module = "duo"
+ | event.action = "authentication"
+ | groupBy([user.name],function=[count(field=source.geo.country_name, distinct=true, as=country_count),collect(fields=source.geo.country_name),min(@timestamp, as=start_time),max(@timestamp, as=end_time)])
+ | country_count > 1
+ | time_diff_hr := (end_time - start_time) / 3600000
+ | time_diff_hr <= 1
+ | start_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=start_time, timezone=UTC)
+ | end_time_fmt := formatTime("%Y-%m-%d %H:%M:%S", field=end_time, timezone=UTC)
+ | drop([start_time, end_time])
+ | sort([user.name])
+
+# Explanation of the query.
+# Using the YAML block scalar `|` allows for multi-line strings.
+# Uses markdown for formatting on the webpage.
+explanation: |
+  Cisco Duo Impossible Travel detects simultaneous logins from geographically distant locations, indicating potential credential compromise or unauthorized account usage leveraging valid credentials.
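Review bot: The `time_diff_hr <= 1` test in the `cql:` block compares the earliest and latest authentication of a user across every country in the search window, so any user with routine activity spanning more than an hour is dropped even when a second country appears minutes apart, while `country_count > 1` is not tied to that hour at all. Aggregating in fixed spans ties both conditions to the same window, e.g. `| bucket(span=1h, field=[user.name], function=[count(field=source.geo.country_name, distinct=true, as=country_count), collect([source.geo.country_name]), min(@timestamp, as=start_time), max(@timestamp, as=end_time)])` followed by `| country_count > 1`, after which the two `time_diff_hr` lines are no longer needed (pairs straddling a span boundary would still need an overlapping span or a second pass). The query also does not restrict to successful authentications, so failed attempts from a second country, which are a different signal, fire this rule too; if the Duo parser populates it, an `| event.outcome = "success"` filter before the aggregation keeps the alert to actual account use. The `description` and `explanation` both say "simultaneous" while the logic allows up to one hour, so the explanation should state the 1-hour threshold and name `country_count` and the time window as the tuning points. Finally, the `| ...` continuation lines inside `cql:` appear indented one space against two for `#Vendor = cisco`; if that is not a rendering artifact the YAML block scalar will not parse.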