
GCP Service Accessed In Region

This alert occurs when Lacework detects that a user has accessed a GCP service for the first time from a given geolocation, that is, a region from which that user has not previously been seen using the service.

Why this Alert is Important

A user accessing a service from a geolocation that is not typical for them or their organization can indicate that their credentials (password, OAuth token, or service account key) have been compromised and are being used by someone else.

Investigation

To investigate potentially compromised credentials, follow these steps:

  1. Collect information about the user, the service, the geolocation, and the access time. Look for any unusual or suspicious activity, such as a burst of permission-denied calls (a stolen credential being probed for what it can reach), access at an unusual hour, or calls to services the user does not normally use.
  2. Confirm that the user accessing the service is authorized to do so. Check the user's credentials, permissions, and any relevant access controls. If necessary, contact the user out of band to verify their identity and confirm that they performed the access.
  3. Verify that the service being accessed is legitimate and authorized. Check the service's configuration, access controls, and logs to ensure that it is configured correctly and that access is being logged appropriately.
  4. Verify that the geolocation of the user is accurate and expected. Use IP address geolocation tools or other location verification techniques to confirm the user's location. Keep in mind that VPNs, corporate proxies, mobile carriers, and cloud-hosted tooling (for example Cloud Shell or a CI runner) can place a legitimate user in an unexpected region, so a new region on its own is not proof of compromise.
  5. If any suspicious activity is found, investigate further to determine the cause and extent of the incident. If necessary, involve security personnel or incident response teams to assist with the investigation. Check other logs and services for signs of compromise or unauthorized access, including actions taken by any service account keys or tokens the user created during the suspicious window.

Resolution

After identifying that there has been unauthorized access to your GCP environment, there are several steps you should take to resolve the issue:

  1. Disable the user or service account so the credential can no longer be used.
  2. Reset the user's password, and rotate or delete any service account keys, API keys, or OAuth tokens the compromised principal could have used or created.
  3. Review the Cloud Audit Logs (Admin Activity and Data Access) to determine the extent of the unauthorized access and any actions that were taken while the account was compromised.
  4. If any unauthorized access or changes were made, such as new IAM bindings, service account keys, or firewall rules, remove or undo them immediately.
  5. Implement additional security measures, such as enforcing multi-factor authentication (2-Step Verification), to prevent similar incidents from happening in the future.
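The investigation steps above (gathering what the user touched, from where and when, and counting denied calls) and resolution step 3 (listing the state-changing actions taken after the anomalous access) can be scripted over exported Cloud Audit Log entries. The following is an added example, not Lacework's detection logic and not a Google API: it uses the real Cloud Audit Log field names (protoPayload.authenticationInfo.principalEmail, protoPayload.requestMetadata.callerIp, protoPayload.serviceName, protoPayload.methodName, protoPayload.status.code) on a handful of constructed entries. The IP-to-region table is a stand-in for a real geolocation lookup, and the rule that an access is "new" when its region is not in the baseline for that user and service is an assumption about how the alert behaves, not Lacework's actual model.

```python
"""Triage helpers for a "service accessed in a new region" signal over GCP
Cloud Audit Log entries (added example; not Lacework's detection logic)."""
from collections import defaultdict

# Stand-in for an IP geolocation lookup (assumption; any real lookup would do).
IP_REGION = {"203.0.113.10": "us-east", "203.0.113.11": "us-east",
             "198.51.100.7": "eu-west", "192.0.2.55": "ap-southeast"}

def _entry(ts, principal, ip, service, method, status=0):
    """Build a minimal Cloud Audit Log entry using the real field names.
    status is a google.rpc.Code: 0 = OK, 7 = PERMISSION_DENIED."""
    return {"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "serviceName": service, "methodName": method,
        "status": {"code": status} if status else {}}}

ALICE, BOB = "alice@example.com", "bob@example.com"
# Constructed sample log, oldest first (not real data).
AUDIT_LOG = [
    _entry("2024-03-01T09:00:00Z", ALICE, "203.0.113.10", "storage.googleapis.com", "storage.objects.list"),
    _entry("2024-03-02T10:15:00Z", ALICE, "203.0.113.11", "storage.googleapis.com", "storage.objects.get"),
    _entry("2024-03-03T11:00:00Z", ALICE, "203.0.113.10", "compute.googleapis.com", "v1.compute.instances.list"),
    _entry("2024-03-10T02:41:00Z", ALICE, "192.0.2.55", "storage.googleapis.com", "storage.objects.list"),
    _entry("2024-03-10T02:42:00Z", ALICE, "192.0.2.55", "iam.googleapis.com", "google.iam.admin.v1.ListServiceAccounts", 7),
    _entry("2024-03-10T02:43:00Z", ALICE, "192.0.2.55", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey", 7),
    _entry("2024-03-10T02:45:00Z", ALICE, "192.0.2.55", "storage.googleapis.com", "storage.setIamPermissions"),
    _entry("2024-03-10T02:46:00Z", ALICE, "192.0.2.55", "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey"),
    _entry("2024-03-10T08:00:00Z", BOB, "198.51.100.7", "storage.googleapis.com", "storage.objects.get"),
]

def _fields(entry):
    """Flatten the nested protoPayload fields used below."""
    p = entry["protoPayload"]
    return {"time": entry["timestamp"], "principal": p["authenticationInfo"]["principalEmail"],
            "ip": p["requestMetadata"]["callerIp"], "service": p["serviceName"],
            "method": p["methodName"], "status": p.get("status", {}).get("code", 0)}

def first_region_accesses(entries, ip_region=IP_REGION):
    """Replay entries in order and report each (principal, service, region)
    seen for the first time. A principal's earliest accesses form the baseline;
    a service the principal has never used is compared against the regions
    they use anywhere. Anomalies are reported once and are NOT learned as
    normal; an analyst decides that."""
    by_service = defaultdict(set)   # (principal, service) -> baseline regions
    anywhere = defaultdict(set)     # principal -> baseline regions, any service
    alerted, alerts = set(), []
    for e in entries:
        f = _fields(e)
        region = ip_region.get(f["ip"], "unknown")
        p, s = f["principal"], f["service"]
        baseline = by_service[(p, s)] or anywhere[p]
        if not anywhere[p] or region in baseline:
            by_service[(p, s)].add(region)
            anywhere[p].add(region)
            continue
        if (p, s, region) not in alerted:
            alerted.add((p, s, region))
            alerts.append({**f, "region": region, "known_regions": sorted(baseline)})
    return alerts

def investigation_summary(entries, principal, ip_region=IP_REGION):
    """Investigation step 1: what the principal touched, from where, when, and
    how many calls were denied (a burst of PERMISSION_DENIED is a typical sign
    of a stolen credential being probed)."""
    rows = [f for f in map(_fields, entries) if f["principal"] == principal]
    return {"services": sorted({r["service"] for r in rows}),
            "regions": sorted({ip_region.get(r["ip"], "unknown") for r in rows}),
            "first_seen": rows[0]["time"] if rows else None,
            "last_seen": rows[-1]["time"] if rows else None,
            "denied": sum(1 for r in rows if r["status"] == 7)}

# Method-name verbs treated as read-only (heuristic, an assumption).
READ_VERBS = ("get", "list", "describe", "read", "search", "test")

def actions_to_review(entries, principal, since):
    """Resolution step 3: successful state-changing calls made by the principal
    at or after the anomalous access, i.e. what may need to be undone."""
    out = []
    for f in map(_fields, entries):
        if f["principal"] != principal or f["time"] < since or f["status"] != 0:
            continue
        verb = f["method"].rsplit(".", 1)[-1].lower()
        if not verb.startswith(READ_VERBS):
            out.append((f["time"], f["service"], f["method"]))
    return out

if __name__ == "__main__":
    for a in first_region_accesses(AUDIT_LOG):
        print("ALERT", a["time"], a["principal"], a["service"], a["region"], "known:", a["known_regions"])
    print(investigation_summary(AUDIT_LOG, ALICE))
    for row in actions_to_review(AUDIT_LOG, ALICE, "2024-03-10T02:41:00Z"):
        print("REVIEW", *row)
```

To run this against real data, export the user's entries with `gcloud logging read 'protoPayload.authenticationInfo.principalEmail="user@example.com"' --format=json` and load that list in place of AUDIT_LOG; the read-only verb list and the geolocation table are the two places that need tuning for your environment.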