User activity detected from outside authorized countries


Goal

Detect user activity from a country that isn’t part of an allowlist.

This may be caused by a malicious actor using a compromised account, or a user violating policy.

Strategy

Review the client IPs on traces that are tagged with a user. If the country that IP geolocates to is not on the allowlist, trigger the signal.

To update the allowlist with your authorized countries, clone and update the rule. This rule shouldn’t be enabled at the same time as the denylist variant.

Only flagged traces are considered: the trace must be flagged either by a user event or by an In-App WAF attack.

A Medium-severity signal is generated if any such trace is found.
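The strategy above, as an added example that is not the rule's own implementation: a batch of user-tagged traces is filtered to those carrying a user-event or In-App WAF flag, each client IP is geolocated, and a Medium signal is raised for every trace whose country is not on the allowlist. The trace fields, the GeoIP table, the allowlist and the sample traces are constructed for illustration; the `unknown_is_suspicious` switch is an assumption covering an edge case the page does not spell out, namely an IP whose country cannot be resolved (a private or unmapped address).

```python
"""Allowlist-based country check over user-tagged traces.

Added example, not the rule's own implementation: the trace fields, the
GeoIP table, the allowlist and the sample traces are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed stand-in for a GeoIP database (documentation ranges only).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "BR",
}

# Assumed allowlist; in the real rule this is the list you edit in your clone.
ALLOWED_COUNTRIES = frozenset({"US", "DE"})

# A trace is only considered when it carries one of these flags.
ACCEPTED_FLAGS = frozenset({"user_event", "appsec_attack"})


@dataclass(frozen=True)
class Trace:
    trace_id: str
    user_id: Optional[str]     # None when the trace is not tagged with a user
    client_ip: str
    flagged_by: Optional[str]  # "user_event", "appsec_attack" or None


@dataclass(frozen=True)
class Signal:
    severity: str
    trace_id: str
    user_id: str
    client_ip: str
    country: Optional[str]
    reason: str


def country_for_ip(ip: str) -> Optional[str]:
    """Return the country code for ip, or None when it is absent from the
    table (a real GeoIP lookup likewise returns nothing for private ranges)."""
    addr = ipaddress.ip_address(ip)
    for network, country in GEO_TABLE.items():
        if addr in network:
            return country
    return None


def evaluate(traces: Iterable[Trace],
             allowlist: frozenset = ALLOWED_COUNTRIES,
             unknown_is_suspicious: bool = True) -> List[Signal]:
    """Apply the rule to a batch of traces and return the signals raised.

    An unresolvable country is not on the allowlist either, so by default it
    raises a signal; pass unknown_is_suspicious=False to suppress those."""
    signals: List[Signal] = []
    for t in traces:
        if t.user_id is None:                   # only traces tagged with a user
            continue
        if t.flagged_by not in ACCEPTED_FLAGS:  # trace must be flagged
            continue
        country = country_for_ip(t.client_ip)
        if country in allowlist:
            continue
        if country is None:
            if not unknown_is_suspicious:
                continue
            reason = "country could not be resolved for client IP"
        else:
            reason = f"country {country} is not on the allowlist"
        signals.append(Signal("medium", t.trace_id, t.user_id,
                              t.client_ip, country, reason))
    return signals


# Constructed sample traces covering each case the rule distinguishes.
SAMPLE_TRACES = [
    Trace("t1", "alice", "203.0.113.10", "user_event"),  # US, allowed
    Trace("t2", "bob", "192.0.2.77", "user_event"),      # BR, not allowed
    Trace("t3", None, "192.0.2.5", "appsec_attack"),     # no user tag, ignored
    Trace("t4", "carol", "192.0.2.9", None),             # not flagged, ignored
    Trace("t5", "dave", "10.0.0.5", "appsec_attack"),    # private IP, unresolved
]

if __name__ == "__main__":
    for s in evaluate(SAMPLE_TRACES):
        print(f"[{s.severity}] trace={s.trace_id} user={s.user_id} "
              f"ip={s.client_ip}: {s.reason}")
```

Run against the sample batch, only t2 (Brazil) and t5 (unresolvable private address) produce signals; t3 is dropped for lacking a user tag and t4 for not being flagged, regardless of country. Decide the unresolved-country policy deliberately: treating it as suspicious catches traffic behind proxies your GeoIP source does not map, at the cost of noise from internal addresses.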

Triage and response

  1. Investigate the activity from the IP and validate that it is legitimate.
  2. If the account was compromised, reset the password and log out the attacker.
  3. Consider blocking the account until the situation is remediated or the user is back in an authorized country.