New GCP User

This alert occurs when Lacework detects a user has accessed GCP for the first time.

Why this Alert is Important

If a user has never accessed GCP before and suddenly starts accessing resources, it could indicate a compromised account. Attackers may use compromised accounts to gain unauthorized access to sensitive data or resources, so early detection can help prevent security breaches.

Investigation

If you suspect a malicious user has logged into GCP, you can investigate the login activity by following these steps:

  1. Check the GCP Audit Logs for any suspicious login activity. Specifically, you can look for login events outside of regular business hours or from an unusual location.
  2. Review the user's IAM (Identity and Access Management) permissions to see whether they have access to resources they should not. If the user's permissions were recently changed, this could indicate malicious activity.
  3. Review any recent changes to your GCP environment, such as changes to resources or configurations. This can help you identify any unauthorized changes the malicious user may have made.
  4. Keep monitoring for any additional suspicious activity from the user or any other users who may have been compromised. This can help you identify the scope of the breach and take appropriate action to prevent further damage.
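As an added example (not part of the Lacework documentation), the following Python script applies the first-seen check behind this alert and the audit-log checks in steps 1 and 2 to constructed Cloud Audit Log entries. The baseline principal set, the office IP prefix and the business-hours window are assumed values; the entry shape follows the Cloud Audit Log fields principalEmail, callerIp and methodName.

```python
from datetime import datetime, timezone

# Constructed sample Cloud Audit Log entries (LogEntry JSON shape, trimmed to
# the fields used here); none of these values come from a real project.
SAMPLE_ENTRIES = [
    {"timestamp": "2024-03-04T09:15:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "alice@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.10"},
                      "methodName": "storage.buckets.list"}},
    {"timestamp": "2024-03-04T02:40:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "newuser@example.com"},
                      "requestMetadata": {"callerIp": "198.51.100.7"},
                      "methodName": "compute.instances.list"}},
    {"timestamp": "2024-03-04T14:05:00Z",
     "protoPayload": {"authenticationInfo": {"principalEmail": "bob@example.com"},
                      "requestMetadata": {"callerIp": "203.0.113.11"},
                      "methodName": "iam.roles.list"}},
]

# Assumed baselines: principals already seen in the project, the office egress
# prefix, and business hours in UTC (08:00-17:59).
KNOWN_PRINCIPALS = {"alice@example.com"}
KNOWN_IP_PREFIXES = ("203.0.113.",)
BUSINESS_HOURS = range(8, 18)


def principal(entry):
    return entry["protoPayload"]["authenticationInfo"]["principalEmail"]


def first_seen_principals(entries, known):
    """Principals not in the baseline, in the order they first appear (the alert condition)."""
    seen, new = set(known), []
    for e in entries:
        p = principal(e)
        if p not in seen:
            seen.add(p)
            new.append(p)
    return new


def triage(entries, known_principals, ip_prefixes, hours):
    """For each first-seen principal, collect the signals from investigation steps 1 and 2."""
    findings = {}
    for e in entries:
        p = principal(e)
        if p in known_principals:
            continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")).astimezone(timezone.utc)
        ip = e["protoPayload"]["requestMetadata"]["callerIp"]
        reasons = findings.setdefault(p, [])
        if ts.hour not in hours:
            reasons.append("off-hours")
        if not ip.startswith(ip_prefixes):
            reasons.append("unusual-ip:" + ip)
        reasons.append("method:" + e["protoPayload"]["methodName"])
    return findings
```

In practice the entries would come from a Cloud Logging export or `gcloud logging read` filtered on `protoPayload.authenticationInfo.principalEmail`, and the baseline from the principals seen over a prior window.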

Resolution

After identifying an unauthorized user login, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Immediately disable the user's access to GCP resources.
  2. Reset the passwords for all affected accounts to prevent further unauthorized access. This includes the user's account and any other accounts that may have been compromised due to the breach.
  3. Conduct a thorough investigation to determine the scope of the breach, the cause of the unauthorized access, and whether any data or resources were compromised.
  4. Review your security policies and procedures to identify any weaknesses that may have contributed to the breach. Implement additional security controls, such as multi-factor authentication, to reduce the risk of future breaches.