GCP User Logged In From New Source
This alert occurs when Lacework detects a user has logged in from a new source for the first time.
Why this Alert is Important
A user logging in from a new source may indicate that their account has been compromised or that someone is attempting to gain unauthorized access.
Investigation
You can perform the following steps to confirm if the access is legitimate:
- Review your GCP logs to check for any login events from the user account. Look for new source IP addresses that may indicate potential unauthorized access.
- Review the authentication logs of your identity provider or Single Sign-On (SSO) provider to check for any unexpected login events or anomalies. If you have implemented Multi-Factor Authentication (MFA), verify if the user account has used MFA for authentication.
- Review other logs, such as network activity logs or audit logs, to check for any unusual or malicious activity associated with the user account. For example, check for any new or unusual API calls, data access or modification, or any other activity that is not typical for the user.
- Review the access permissions for the user account in question and ensure that the permissions are appropriate and limited to only what is required for the user's job function. Check if any new or unnecessary permissions may have been granted to the user.
- Reach out to the user to verify if they have recently accessed GCP from a new source.
Resolution
To prevent unauthorized access to your GCP environment from a bad source, implement the following:
- Configure IP allowlisting to allow access only from specific IP addresses or IP address ranges. This ensures that only authorized users can access your GCP resources.
- Enable multi-factor authentication (MFA) for your GCP account. This adds an extra layer of security to your account, making it more difficult for an attacker to gain access even if they have your login credentials.
- Use a virtual private network (VPN) to connect to your GCP resources. A VPN creates a secure, encrypted connection between your device and your GCP resources, which helps protect against unauthorized access.
- Implement strong password policies.
- Regularly monitor and review access logs for your GCP resources to detect unauthorized access attempts.