GCP SCC detects a new geographical location from which a principal tries to access the target GCP resource.
For this example:
xx@xxx.com usually accesses the resource from "US". SCC detected that this principal email is now accessing it from "FR".
```json
{
  "anomalousLocation": {
    "anomalousLocation": "FR",
    "callerIp": "xx.xx.xx.xx",
    "principalEmail": "xx@xxx.com",
    "notSeenInLast": "2592000s",
    "typicalGeolocations": [
      {
        "country": {
          "identifier": "US"
        }
      }
    ]
  }
}
```
Verify whether the reported principal email is indeed connecting from the reported location.
If it is not, it could mean that a hacker is trying to access this resource.
| Yes / No | Action |
|---|---|
| Yes, it is a valid access | Update the JIRA ticket to mark it as a false positive. |
| No, it is not a valid access | The principal email could be compromised. Revoke the permission from GCP IAM and escalate to the *security team. |
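
A triage helper for this finding, as an added example that is not part of the original runbook: it pulls the fields to verify out of the excerpt, converts `notSeenInLast` to days, and maps the analyst's answer to the action in the table. The function names, the sample IP address and the sample email are constructed for illustration.

```python
import json

# Constructed sample: same shape as the finding excerpt above, placeholder values.
SAMPLE_FINDING = """{
  "anomalousLocation": {
    "anomalousLocation": "FR",
    "callerIp": "203.0.113.10",
    "principalEmail": "user@example.com",
    "notSeenInLast": "2592000s",
    "typicalGeolocations": [{"country": {"identifier": "US"}}]
  }
}"""

def summarize_finding(raw):
    """Extract what the analyst has to verify from the finding excerpt."""
    details = json.loads(raw)["anomalousLocation"]
    duration = details["notSeenInLast"]
    if not duration.endswith("s"):
        raise ValueError(f"unexpected duration format: {duration!r}")
    typical = [g["country"]["identifier"]
               for g in details.get("typicalGeolocations", [])]
    new_country = details["anomalousLocation"]
    return {
        "principal": details["principalEmail"],
        "caller_ip": details["callerIp"],
        "new_country": new_country,
        "typical_countries": typical,
        # "2592000s" -> 30.0 days without a login from this country
        "not_seen_days": float(duration[:-1]) / 86400,
        # Sanity check: the reported country must differ from the usual ones
        "is_new_country": new_country not in typical,
    }

def triage_action(summary, access_confirmed):
    """Map the verification result (Yes / No) to the action in the table."""
    if access_confirmed:
        return "Update the JIRA ticket: false positive."
    return (f"Revoke permissions of {summary['principal']} in GCP IAM "
            "and escalate to the security team.")

if __name__ == "__main__":
    s = summarize_finding(SAMPLE_FINDING)
    print(f"Ask {s['principal']}: did you connect from {s['new_country']} "
          f"(IP {s['caller_ip']})? Usual: {s['typical_countries']}, "
          f"not seen there in {s['not_seen_days']:.0f} days.")
    print(triage_action(s, access_confirmed=False))
```
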