Check Point Harmony Email & Collaboration impossible travel detected

This rule is part of a beta feature. To learn more, contact Support.
checkpoint-harmony-email-and-collaboration

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects geo-suspicious activity flagged by Check Point, where a user performs actions from two geographically distant locations within an improbable time frame. This behavior may indicate credential theft, session hijacking, or unauthorized account access.

Strategy

This is a threshold-based rule that alerts when Check Point generates a Superman anomaly event, which is the same as an impossible travel detection. The event indicates that the user’s activity cannot logically originate from both observed locations within the given timeframe.

Triage and Response

  1. Review the user email address {{@usr.email}} and analyze the locations of the flagged events.
  2. Determine if the user has a history of similar anomalies or if they are using a known VPN or remote access service.
  3. If unauthorized access is suspected, force a logout from all active sessions, reset the user’s credentials, and enable multi-factor authentication (MFA) if not already enforced.
  4. Monitor for additional suspicious activity and restrict access if necessary to prevent further unauthorized use.