Explanation:
GCP SCC detect new geographical location which try to access the target GCP resource.
For this example:
xx@xxx.com is usually accessing from "US". It is detected that this principal email is now accessing from FR.
Resolution:
Verify if the reported principal email is indeed coming for the reported location.
Advice them on the following:
- Always use Sovlay VPN when travelling.
- Make sure they are using Data/Looker Studio to access resources in the reported project.
- If they confirmed they are not the one and they are not using Data/Looker Studio, reset their password.
If is not, it could mean that hacker is trying to access to this resource.
| Yes / No | Action |
|---|---|
| Yes, it is a valid access | Update the JIRA ticket to be false positive. |
| No, it is not a valid access | The principal email could be compromised. Ask reported users to change their passwords. |
Pattern:
{
"anomalousLocation": {
"anomalousLocation": "FR",
"callerIp": "xx.xx.xx.xx",
"principalEmail": "xx@xxx.com",
"notSeenInLast": "2592000s",
"typicalGeolocations": [{
"country": {
"identifier": "US"
}
}
]
}
} |
More Information:
Problem when you use your own account for solution such as Data Studio: