Check Point Harmony Email & Collaboration impossible travel detected

This rule is part of a beta feature. To learn more, contact Support.
checkpoint-harmony-email-and-collaboration

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください

Goal

Detects geo-suspicious activity flagged by Check Point, where a user performs actions from two geographically distant locations within an improbable time frame. This behavior may indicate credential theft, session hijacking, or unauthorized account access.

Strategy

This is a threshold-based rule that alerts when Check Point generates a Superman anomaly event, which is the same as an impossible travel detection. The event indicates that the user’s activity cannot logically originate from both observed locations within the given timeframe.

Triage and Response

  1. Review the user email address {{@usr.email}} and analyze the locations of the flagged events.
  2. Determine if the user has a history of similar anomalies or if they are using a known VPN or remote access service.
  3. If unauthorized access is suspected, force a logout from all active sessions, reset the user’s credentials, and enable multi-factor authentication (MFA) if not already enforced.
  4. Monitor for additional suspicious activity and restrict access if necessary to prevent further unauthorized use.