New GCP Source

This alert occurs when Lacework detects that a user or service account has logged in from a new source.

Why this Alert is Important

If an unauthorized user or a malicious actor gains access to a user account or service account, they can use it to carry out malicious activities such as data exfiltration, modification, or destruction. By detecting a user or a service account logging in from a new source, you can identify potential security threats and take necessary actions to prevent them from causing damage to your GCP environment.

Investigation

If you suspect that a user or service account has logged in from a new source and that it might be malicious, here are some steps you can take to investigate:

  1. Review the audit logs for the user or service account to identify the source of the login attempt. The audit logs can provide information such as the IP address of the source, the time of the login attempt, and other relevant details.
  2. Compare the source of the login attempt to known good sources of login activity for the user or service account. Look for unusual IP addresses, geolocations, or login times.
  3. Investigate the source of the login attempt to determine whether it is a known malicious actor or an unauthorized user. Check whether the source is associated with known security threats or has been flagged in threat intelligence feeds.
  4. Review the activity of the user or service account to determine whether there have been any other suspicious activities or indications of compromise. Check for activities such as data exfiltration, changes to sensitive data or resources, or other unusual activity.
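Steps 1, 2 and 4 above can be worked through together on exported audit logs. The script below is an added illustration, not Lacework's detection logic or code from this page: it reads Cloud Audit Log entries in their standard JSON layout (the `protoPayload.authenticationInfo.principalEmail` and `protoPayload.requestMetadata.callerIp` fields), compares each caller IP against a hypothetical per-principal baseline of known-good source ranges, and groups everything a flagged source went on to do. The log lines and the baseline ranges are constructed sample values.

```python
import ipaddress
import json

# Constructed sample Cloud Audit Log entries (standard GCP layout; principals and IPs are made up).
SAMPLE_LOG_LINES = [
    '{"timestamp":"2024-05-01T09:12:03Z","protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.10"},"methodName":"storage.objects.list"}}',
    '{"timestamp":"2024-05-01T09:15:44Z","protoPayload":{"authenticationInfo":{"principalEmail":"deploy@proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"10.0.4.7"},"methodName":"google.iam.admin.v1.GetServiceAccount"}}',
    '{"timestamp":"2024-05-01T02:40:19Z","protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.77"},"methodName":"storage.objects.get"}}',
    '{"timestamp":"2024-05-01T02:41:02Z","protoPayload":{"authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"198.51.100.77"},"methodName":"google.iam.admin.v1.CreateServiceAccountKey"}}',
]

# Hypothetical per-principal baseline of known-good source ranges (e.g. derived from prior weeks of logs).
KNOWN_SOURCES = {
    "alice@example.com": ["203.0.113.0/24"],
    "deploy@proj.iam.gserviceaccount.com": ["10.0.0.0/8"],
}


def parse_entry(line):
    """Pull the fields an investigator needs (step 1) out of one JSON audit-log line."""
    entry = json.loads(line)
    payload = entry["protoPayload"]
    return {
        "principal": payload["authenticationInfo"]["principalEmail"],
        "ip": payload["requestMetadata"]["callerIp"],
        "timestamp": entry["timestamp"],
        "method": payload["methodName"],
    }


def is_known_source(principal, ip, known=KNOWN_SOURCES):
    """Step 2: True if ip lies in a baseline range for principal; a principal with no baseline is always new."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in known.get(principal, []))


def find_new_sources(lines, known=KNOWN_SOURCES):
    """Map each (principal, ip) outside the baseline to the (timestamp, method) activity seen from it,
    so the new source and what it went on to do (step 4) are reviewed together."""
    findings = {}
    for line in lines:
        e = parse_entry(line)
        if is_known_source(e["principal"], e["ip"], known):
            continue
        findings.setdefault((e["principal"], e["ip"]), []).append((e["timestamp"], e["method"]))
    return findings


if __name__ == "__main__":
    for (principal, ip), activity in find_new_sources(SAMPLE_LOG_LINES).items():
        print(f"NEW SOURCE {ip} for {principal}:")
        for ts, method in activity:
            print(f"  {ts}  {method}")
```

In the sample, the off-hours login from 198.51.100.77 followed by a service account key creation is exactly the pairing of a new source with a sensitive change that steps 2 and 4 are meant to surface.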

Resolution

After identifying an unauthorized user or service account login, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Immediately revoke the access of the user or service account that has been compromised.
  2. Change the passwords of the affected user or service account and any associated accounts or services. Use strong and unique passwords, and consider implementing multi-factor authentication to prevent future unauthorized logins.
  3. Investigate the extent of the compromise and whether any sensitive data or resources have been accessed or modified. Review the logs and activity history of the affected user or service account and any related resources.
  4. If you have determined that sensitive data or resources have been accessed or modified, take steps to remediate the damage. This may involve restoring backups, rolling back changes, or implementing additional security controls.
  5. Review your security measures to determine how the unauthorized login occurred and whether additional security controls are required. This may involve updating policies, configuring access controls, or implementing additional security monitoring.