Explanation:

GCP SCC detects a new geographical location that is trying to access the target GCP resource.

For this example:

xx@xxx.com usually accesses from "US". It is detected that this principal email is now accessing from "FR".


Resolution:

Verify whether the reported principal email is indeed coming from the reported location.

Advise them on the following:

  • Always use Solvay VPN when travelling.
  • Make sure they are using Data/Looker Studio to access resources in the reported project.
  • If they confirm it was not them and they are not using Data/Looker Studio, reset their password.

If it is not, it could mean that a hacker is trying to access this resource.

| Yes / No | Action |
|---|---|
| Yes, it is a valid access | Update the JIRA ticket to be false positive. |
| No, it is not a valid access | The principal email could be compromised. Ask reported users to change their passwords. Update the JIRA ticket to be "Informed user". |


If the reported principal email belongs to a Google Service Account (GSA), please refer to the following: 

| Prod / Non-Prod | Action |
|---|---|
| Non-Prod | Update the JIRA ticket to be false positive. Reason: the environment is non-production. Developers are using GSA for individual testing. |
| Prod, within Solvay's IP | Update the JIRA ticket to be false positive. Reason: Solvay's application is using this GSA to access production data. |
| Prod, NOT within Solvay's IP | Inform the application owner about the access to production with GSA done by individuals. This might be a case of someone outside of Solvay connecting to production data. Recommendation: the application owner should investigate and rotate the GSA key for this service account to avoid further potential compromise of production data. |





Pattern:

{
	"anomalousLocation": {
		"anomalousLocation": "FR",
		"callerIp": "xx.xx.xx.xx",
		"principalEmail": "xx@xxx.com",
		"notSeenInLast": "2592000s",
		"typicalGeolocations": [{
				"country": {
					"identifier": "US"
				}
			}
		]
	}
}
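
The decision tables above, applied to a finding in this pattern format, as an added example (not part of the original page or of any Solvay tooling). The corporate IP range, the sample finding, the `is_prod` and `user_confirmed` inputs, and the "Escalate" and "Pending" labels are assumptions.

```python
import ipaddress
import json

# Constructed placeholder range (RFC 5737 documentation block) standing in
# for the corporate egress ranges; replace with the real list.
CORPORATE_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample finding in the shape of the pattern above.
SAMPLE_FINDING = json.dumps({
    "anomalousLocation": {
        "anomalousLocation": "FR",
        "callerIp": "203.0.113.7",
        "principalEmail": "etl-job@example-project.iam.gserviceaccount.com",
        "notSeenInLast": "2592000s",
        "typicalGeolocations": [{"country": {"identifier": "US"}}],
    }
})

def is_service_account(email):
    # Google service account addresses end in gserviceaccount.com.
    return email.lower().endswith(".gserviceaccount.com")

def in_corporate_range(caller_ip):
    try:
        ip = ipaddress.ip_address(caller_ip)
    except ValueError:
        return False  # masked or malformed IP: treat as outside the range
    return any(ip in net for net in CORPORATE_NETWORKS)

def triage(finding_json, is_prod, user_confirmed=None):
    """Return (jira_status, next_step) following the runbook tables."""
    # "Escalate" and "Pending" are hypothetical labels; the page names none.
    f = json.loads(finding_json)["anomalousLocation"]
    email, ip = f["principalEmail"], f.get("callerIp", "")
    if is_service_account(email):
        if not is_prod:
            return ("False positive", "Non-production; developers use GSA for testing.")
        if in_corporate_range(ip):
            return ("False positive", "Application uses this GSA from a corporate IP.")
        return ("Escalate", "Inform application owner; recommend rotating the GSA key.")
    if user_confirmed is None:
        return ("Pending", "Ask %s to confirm access from %s." % (email, f["anomalousLocation"]))
    if user_confirmed:
        return ("False positive", "User confirmed the access.")
    return ("Informed user", "Ask the user to change their password.")
```
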


More Information:

Problem when you use your own account for a solution such as Data Studio:


Proposed Solution:

Looker Studio users are advised to bind the Looker Studio project to a Google Cloud project service account, as illustrated below:

| # | Description | Remarks |
|---|---|---|
| 1 | Edit the existing Data binding account. Go to Looker Studio → Data → Click Edit (as illustrated in the print screen on the right). Click on the "Data credentials". Choose the "Service Account Credentials" and fill in with the target service account. (Click Update button to update the config) | |
| 2 | When "Add Data", click "Data credentials" to change the binding account to service account. Choose the "Service Account Credentials" and fill in with the target service account. (Click Update button to update the config) | |


Tips

You may not be able to see the "Service Account Credentials" option when you first load the Looker Studio report.

The "Service Account Credentials" option only appears after you have added the first Data to the report. After you "Edit" the data once, it will appear.






