GCP SCC detects a new user agent accessing the GCP project.
*User Agent:
In computing, a user agent is any software, acting on behalf of a user, which "retrieves, renders and facilitates end-user interaction with Web content." A user agent is therefore a special kind of software agent. Some prominent examples of user agents are web browsers and email readers.
```json
{
  "anomalousSoftware": {
    "anomalousSoftwareClassification": ["firebase-cli"],
    "callerUserAgent": "FirebaseCLI/7.4.0,gzip(gfe)",
    "principalEmail": "xx@xx.com",
    "notSeenInLast": "2592000s",
    "typicalUserAgents": ["gcloud"],
    "rawUserAgent": "FirebaseCLI/7.4.0,gzip(gfe)",
    "callerIp": "xx.xx.xx.xx"
  }
}
```
Verify whether the reported user agent is valid and is actually used by the principal email.
If it is not, an attacker may be trying to access this resource.
| Yes / No | Action |
|---|---|
| Yes, it is a valid access | Update the JIRA ticket as a false positive. |
| No, it is not a valid access | The principal email could be compromised. Revoke the permission from GCP IAM and escalate to the *security team. |
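
The verification step above, as an added example that is not part of the original runbook: it parses the finding fields and compares the classified software against a per-principal inventory of sanctioned tools. The `approved_tools` inventory, the function names and the output keys are assumptions; the sample finding is constructed from the one shown above.

```python
import json
import re

# Constructed sample mirroring the finding fields shown above.
SAMPLE_FINDING = json.loads("""
{
  "anomalousSoftware": {
    "anomalousSoftwareClassification": ["firebase-cli"],
    "callerUserAgent": "FirebaseCLI/7.4.0,gzip(gfe)",
    "principalEmail": "xx@xx.com",
    "notSeenInLast": "2592000s",
    "typicalUserAgents": ["gcloud"],
    "rawUserAgent": "FirebaseCLI/7.4.0,gzip(gfe)",
    "callerIp": "xx.xx.xx.xx"
  }
}
""")

def parse_user_agent(raw):
    """Return (product, version) of the first product token, ignoring the ',gzip(gfe)' suffix."""
    first = raw.split(",")[0].strip()
    m = re.match(r"([^/\s]+)(?:/(\S+))?", first)
    return (m.group(1), m.group(2)) if m else (first, None)

def triage(finding, approved_tools):
    """approved_tools (hypothetical inventory): {principal_email: set of sanctioned classifications}."""
    d = finding["anomalousSoftware"]
    product, version = parse_user_agent(d["callerUserAgent"])
    seconds = int(d["notSeenInLast"].rstrip("s"))  # e.g. "2592000s"
    classes = set(d.get("anomalousSoftwareClassification", []))
    sanctioned = approved_tools.get(d["principalEmail"], set())
    unapproved = sorted(classes - sanctioned)
    return {
        "principal": d["principalEmail"],
        "caller_ip": d["callerIp"],
        "product": product,
        "version": version,
        "not_seen_days": seconds // 86400,
        "typical": d.get("typicalUserAgents", []),
        "unapproved": unapproved,
        # An empty classification list cannot be matched, so it is escalated too.
        "action": "false_positive" if classes and not unapproved else "escalate",
    }

if __name__ == "__main__":
    print(triage(SAMPLE_FINDING, {"xx@xx.com": {"gcloud", "firebase-cli"}}))
```

The `action` value maps to the two rows of the table; a `false_positive` result still depends on the inventory being accurate, so confirm the tool's use with the principal before closing the ticket.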