Syensqo IS - Customer Support

Page tree

Versions Compared

Old Version 3

changes.mady.by.user Kee, Benard

Saved on

compared with

New Version Current

changes.mady.by.user ONG, Hoong Chiang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Explanation:

GCP SCC detect new geographical location which try to access the target GCP resource.

For this example:

xx@xxx.com is usually accessing from "US". It is detected that this principal email is now accessing from FR.


Resolution:

Verify if the reported principal email is indeed coming for the reported location.

Advice them on the following:

  • Always use Sovlay VPN when travelling.
  • Make sure they are using Looker Studio to access resources in the reported project.
    • If they are using Looker Studio, please get the user to change the connection using GSA.
      See this page for more information.
  • If they confirmed they are not the one and they are not using Data/Looker Studio, reset their password.

If is not, it could mean that hacker is trying to access to this resource. 

Yes / NoAction
Yes, it is a valid accessUpdate the JIRA ticket to be false positive.
No, it is not a valid access

The principal email could be compromised.

Ask reported users to change their passwords.

Update the JIRA ticket to be "Informed user".



If the reported principal email belongs to a Google Service Account (GSA), please refer to the following: 

Prod / Non-ProdAction
If GSA name starts with "sa-looker-", this is service account created to be used by Looker Studio Dashboard.Update the JIRA ticket to be false positive.
Reason is the GSA is used for Looker Studio Dashboard.
Non-ProdUpdate the JIRA ticket to be false positive.
Reason is the environment is non-production.
Developers are using GSA for individual testing.
Prod, within Solvay's IP

Update the JIRA ticket to be false positive.
Reason is the Solvay's application is using this GSA to access production data.

Prod, NOT within Solvay's IP

Inform the application owner about the access to production with GSA done by individuals.

This might be a case that someone outside of Solvay connecting to Production data.

Recommendation: Application Owner to investigate and rotate the GSA key for this service account to avoid further potential compromised to production data.






Pattern:

Code Block
{
	"anomalousLocation": {
		"anomalousLocation": "FR",
		"callerIp": "xx.xx.xx.xx",
		"principalEmail": "xx@xxx.com",
		"notSeenInLast": "2592000s",
		"typicalGeolocations": [{
				"country": {
					"identifier": "US"
				}
			}
		]
	}
}

Resolution:

Verify if the reported principal email is indeed coming for the reported location.

If is not, it could mean that hacker is trying to access to this resource. 

Yes / NoActionYes, it is a valid accessUpdate the JIRA ticket to be false positive.No, it is not a valid access

The principal email could be compromised.

Revoke the permission from GCP IAM and escalate to the *security team.


More Information:

Problem when you use your own account for solution such as Data Studio:

Embedded Google Drive File
docid1cg8GR8EtqPPpqcVbN5T1uCu2-rbfT0P49wh_C-ESWFE