New GCP Region

This alert occurs when Lacework detects user activity in a Google Cloud region that has not been seen before in your environment.

Why this alert is important

Attackers may try to conceal their activity by operating in a cloud region your organization does not otherwise use, where new resources are less likely to be noticed by the teams and monitoring that cover your usual regions. This alert signals potential malicious activity in such a region, indicating an attempt to evade detection.

Why this might be just fine

The user might have selected the new cloud region either intentionally for a team or project or by mistake.

Investigation

Use the steps below to investigate this alert:

  1. Identify the user who has accessed the new Google Cloud region.
    • Refer to the Who section in the Alert Details for the user's principal email.
    • Click the email address to view all activities performed by this user.
  2. Identify the origin of the caller IP (the IP address from which the request was initiated) and how it differs from the addresses this user normally calls from.
    • Refer to the What section to locate the caller IP.
    • Perform a reverse IP lookup on the caller IP to verify its origin, and check whether it belongs to a Google ASN (Autonomous System Number). A Google ASN usually means the call was made from inside Google Cloud, for example from a Compute Engine VM or Cloud Shell; a compromised instance in your own environment would also appear this way, so treat it as context rather than proof that the activity is legitimate.
  3. Identify the service and API methods that have been called by this user.
    • Check the Method tab in the What section.
    • Click the username in the Alert Description to view all activities that were performed.
  4. Verify if your company or business unit has authorized the use of this region.

Resolution

After confirming that the activity in the new Google Cloud region is unauthorized, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Isolate the affected resources immediately to prevent any further unauthorized access or modification, and suspend or rotate the credentials of the principal that created them.
  2. Investigate the source of the threat to identify any vulnerabilities or weaknesses that may have been exploited, such as a leaked service account key or an over-privileged user.
  3. Remove the footprint in the new region: delete any resources that were created there, after preserving what the investigation still needs (for example disk snapshots or exported logs). To stop the region being used again, restrict the locations where resources may be created with the Organization Policy constraint constraints/gcp.resourceLocations.
  4. Review access controls to ensure that only authorized users and services have access to your Google Cloud environment and that access controls are properly configured.
  5. Implement security measures to prevent similar incidents in the future, such as increasing monitoring and alerting, enforcing multi-factor authentication, and improving security policies and procedures.