Check Point Harmony Email & Collaboration impossible travel detected

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects impossible travel activity flagged by Check Point Harmony Email & Collaboration: a user performs actions from two geographically distant locations within a time frame too short to physically travel between them. This behavior may indicate credential theft, session hijacking, or other unauthorized account access.

Strategy

This is a threshold-based rule that alerts when Check Point Harmony Email & Collaboration generates a Superman anomaly event, which is Check Point's name for an impossible travel detection. The event indicates that the user's activity cannot plausibly originate from both observed locations within the observed time window, so the rule does not compute distances or speeds itself; it relies on Check Point's determination.

Triage and Response

  1. Review the user email address {{@usr.email}} and analyze the locations, source IP addresses, and timestamps of the flagged events.
  2. Determine whether the user has a history of similar anomalies, and whether either source IP belongs to a known VPN, cloud proxy, or remote access service that could explain the apparent change in location.
  3. If unauthorized access is suspected, force a logout from all active sessions, reset the user's credentials, and enable multi-factor authentication (MFA) if it is not already enforced.
  4. Monitor the account for additional suspicious activity and restrict access if necessary to prevent further unauthorized use.
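The following is an added example, not code from the original page, from Check Point, or from Datadog. It reconstructs the reasoning behind an impossible travel (Superman) verdict on constructed sample logins, so an analyst working steps 1 and 2 above can check what speed the two flagged locations actually imply, and it suppresses pairs where one side comes from a known VPN egress. The `Login` layout, the `usr.email` mapping, the sample coordinates and IPs, and the 1000 km/h plausibility threshold are all assumptions for this example, not Check Point's schema or thresholds.

```python
"""Impossible travel check over constructed login events (added example).

Assumed layout: each login carries the user email (maps to @usr.email in the
rule), a UTC timestamp, a geolocated lat/lon, and the source IP. None of this
is Check Point's or Datadog's actual event schema.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: airliners cruise under ~1000 km/h, so a higher implied
# speed between two logins cannot be explained by physically travelling.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class Login:
    email: str          # the value the rule exposes as {{@usr.email}}
    ts: datetime        # timezone-aware UTC timestamp
    lat: float
    lon: float
    src_ip: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def implied_speed_kmh(a: Login, b: Login) -> float:
    """Speed the user would have needed to be at both locations on time."""
    dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
    hours = abs((b.ts - a.ts).total_seconds()) / 3600.0
    if hours == 0.0:
        return float("inf") if dist > 0.0 else 0.0
    return dist / hours


def find_impossible_travel(logins, known_vpn_ips=frozenset(),
                           max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (email, speed_kmh, earlier, later) for consecutive logins of the
    same user whose implied speed exceeds max_speed_kmh. Pairs touching a
    known VPN / remote-access egress IP are skipped (triage step 2)."""
    by_user: dict[str, list[Login]] = {}
    for login in sorted(logins, key=lambda l: l.ts):
        by_user.setdefault(login.email, []).append(login)

    hits = []
    for email, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            if prev.src_ip in known_vpn_ips or cur.src_ip in known_vpn_ips:
                continue
            speed = implied_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                hits.append((email, round(speed), prev, cur))
    return hits


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample logins; coordinates are approximate city centres and the
# IPs are documentation ranges (RFC 5737), not real Check Point output.
SAMPLE_LOGINS = [
    Login("alice@example.com", _utc(2024, 5, 1, 9, 0), 51.5074, -0.1278, "198.51.100.10"),   # London
    Login("alice@example.com", _utc(2024, 5, 1, 10, 30), 40.7128, -74.0060, "203.0.113.7"),  # New York, 90 min later
    Login("bob@example.com", _utc(2024, 5, 1, 9, 0), 48.8566, 2.3522, "198.51.100.20"),      # Paris
    Login("bob@example.com", _utc(2024, 5, 1, 14, 0), 52.5200, 13.4050, "198.51.100.21"),    # Berlin, 5 h later
    Login("carol@example.com", _utc(2024, 5, 1, 9, 0), 51.5074, -0.1278, "192.0.2.5"),       # London
    Login("carol@example.com", _utc(2024, 5, 1, 10, 0), 35.6762, 139.6503, "192.0.2.99"),    # Tokyo, via corporate VPN
]
KNOWN_VPN_IPS = frozenset({"192.0.2.99"})  # assumed corporate VPN egress


def sample_hits():
    """Run the check on the constructed sample with the VPN allowlist applied."""
    return find_impossible_travel(SAMPLE_LOGINS, KNOWN_VPN_IPS)


if __name__ == "__main__":
    for email, speed, a, b in sample_hits():
        print(f"{email}: {a.src_ip} -> {b.src_ip} implies {speed} km/h")
```

Only alice is reported: London to New York in 90 minutes implies several thousand km/h, while bob's Paris to Berlin in five hours is well under the threshold, and carol's London to Tokyo jump is suppressed because the second login came through the allowlisted VPN egress. Without the allowlist, carol would be reported too, which is exactly why step 2 asks whether a known VPN or remote access service explains the second location before escalating.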