GCP SCC detect new geographical location which try to access the target GCP resource.
For this example:
xx@xxx.com is usually accessing from "US". It is detected that this principal email is now accessing from FR.
Verify if the reported principal email is indeed coming for the reported location.
If is not, it could mean that hacker is trying to access to this resource.
| Yes / No | Action |
|---|---|
| Yes, it is a valid access | Update the JIRA ticket to be false positive. |
| No, it is not a valid access | The principal email could be compromised. Revoke the permission from GCP IAM and escalate to the *security team. |
{
"anomalousLocation": {
"anomalousLocation": "FR",
"callerIp": "xx.xx.xx.xx",
"principalEmail": "xx@xxx.com",
"notSeenInLast": "2592000s",
"typicalGeolocations": [{
"country": {
"identifier": "US"
}
}
]
}
} |