
New Google Cloud Service Accessed in Region

Lacework generates this alert when a principal (a user or a service account) accesses a Google Cloud service from a Google Cloud region in which that service has not been used before in the monitored environment. The service may already be in use elsewhere; what is new is the combination of this service and this region.

Why this alert is important

This pattern can indicate an attacker performing discovery or enumeration to assess the level of access they have obtained, or abusing a service for their own ends. For instance, they could be creating a compute instance with a GPU in an otherwise unused region for cryptocurrency mining, where it is less likely to be noticed.

Why this might be just fine

Organizations regularly try out new cloud services and regions while exploring and developing ideas, so the first use of a service in a region is often a legitimate new deployment.

Investigation

Use the steps below to investigate this alert:

  1. Identify whether this service is also used in other regions:
    • Click the service name in the Alert Description to view all activity for that service.
    • Expand the time window to get a wider view; a service that has been used in several other regions for months is more likely to be a genuine expansion than one that appeared only recently.
  2. Identify the principal that accessed the service:
    • Refer to the Who section for the principal's email.
    • Refer to the What section in the Alert Details to locate the caller IP.
    • Check for other unusual indicators tied to this region, service, principal, or caller IP, for example an IP outside your known ranges or an API method the principal has not called before.
  3. Identify any additional operations performed by this principal:
    • Click the identity name mentioned in the What section. This filters the Audit Logs dossier to show only the activity associated with the principal in question, enabling a focused analysis of its actions within the account.
    • If there is further evidence of suspicious activity indicating tactics such as discovery, enumeration, defense evasion, or exfiltration, initiate remediation immediately.
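The three investigation steps above can be reproduced directly against exported Cloud Audit Log entries. The script below is an added example, not Lacework code: it replays a constructed set of audit log lines (sample data, not a real export), re-derives the alert condition (a service seen in a region it has never been used from), lists the regions a service has been used in, and pulls every operation by the principal in question. Field names follow the Cloud Audit Log schema; the assumption that region can be read from `resource.labels.location` or derived from `resource.labels.zone` covers the sample's resource types, but other resource types place location elsewhere.

```python
"""Triage a "new region for service" finding over Cloud Audit Log entries.

Added example (not Lacework's own code). Input is newline-delimited JSON as
written to Cloud Logging: protoPayload.serviceName, protoPayload.methodName,
protoPayload.authenticationInfo.principalEmail,
protoPayload.requestMetadata.callerIp and resource.labels.{location,zone}.
"""
import json
from collections import defaultdict

# Constructed sample log lines (not real data). A CI service account uses
# Compute Engine in us-central1 for two days, then lists accelerator types
# and creates an instance in asia-east1 from a different caller IP.
SAMPLE_LOG = """
{"timestamp":"2024-05-01T08:00:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"ci-deployer@proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10"}},"resource":{"labels":{"zone":"us-central1-a"}}}
{"timestamp":"2024-05-01T09:00:00Z","protoPayload":{"serviceName":"storage.googleapis.com","methodName":"storage.objects.create","authenticationInfo":{"principalEmail":"alice@example.com"},"requestMetadata":{"callerIp":"203.0.113.20"}},"resource":{"labels":{"location":"us"}}}
{"timestamp":"2024-05-02T10:00:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"ci-deployer@proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10"}},"resource":{"labels":{"zone":"us-central1-b"}}}
{"timestamp":"2024-05-03T03:12:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.acceleratorTypes.list","authenticationInfo":{"principalEmail":"ci-deployer@proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.7"}},"resource":{"labels":{"zone":"asia-east1-c"}}}
{"timestamp":"2024-05-03T03:15:00Z","protoPayload":{"serviceName":"compute.googleapis.com","methodName":"v1.compute.instances.insert","authenticationInfo":{"principalEmail":"ci-deployer@proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.7"}},"resource":{"labels":{"zone":"asia-east1-c"}}}
"""


def parse_entries(text):
    """Parse NDJSON and sort chronologically (RFC 3339 timestamps sort as strings)."""
    entries = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(entries, key=lambda e: e["timestamp"])


def region_of(entry):
    """Region of the resource: explicit location, else zone with its
    single-letter suffix stripped ("asia-east1-c" -> "asia-east1"), else global.
    Assumption: only these two label names carry location in the sample."""
    labels = entry.get("resource", {}).get("labels", {})
    if "location" in labels:
        return labels["location"]
    zone = labels.get("zone")
    if zone:
        return zone.rsplit("-", 1)[0]
    return "global"


def describe(entry):
    """Flatten the fields an analyst needs from one audit log entry."""
    p = entry["protoPayload"]
    return {
        "time": entry["timestamp"],
        "service": p["serviceName"],
        "method": p["methodName"],
        "principal": p["authenticationInfo"]["principalEmail"],
        "caller_ip": p.get("requestMetadata", {}).get("callerIp", "unknown"),
        "region": region_of(entry),
    }


def new_region_alerts(entries):
    """Replay the log and emit one finding per (service, region) pair not seen
    before, for a service that has already been used in some other region.
    The very first use of a service anywhere is left to a separate alert."""
    seen = defaultdict(set)
    alerts = []
    for e in entries:
        d = describe(e)
        svc, region = d["service"], d["region"]
        if seen[svc] and region not in seen[svc]:
            alerts.append({**d, "known_regions": sorted(seen[svc])})
        seen[svc].add(region)
    return alerts


def region_usage(entries, service):
    """Step 1: how many calls to this service came from each region."""
    counts = defaultdict(int)
    for e in entries:
        d = describe(e)
        if d["service"] == service:
            counts[d["region"]] += 1
    return dict(counts)


def principal_activity(entries, principal):
    """Step 3: every operation by the principal, with method, region and caller IP."""
    return [d for d in map(describe, entries) if d["principal"] == principal]


if __name__ == "__main__":
    log = parse_entries(SAMPLE_LOG)
    for a in new_region_alerts(log):
        print("ALERT", a["time"], a["service"], "new region", a["region"],
              "known", a["known_regions"], "by", a["principal"], "from", a["caller_ip"])
        print("  region usage:", region_usage(log, a["service"]))
        for op in principal_activity(log, a["principal"]):
            print("  ", op["time"], op["method"], op["region"], op["caller_ip"])
```

On the sample data the replay flags the `acceleratorTypes.list` call in asia-east1 (a GPU-related discovery call from a caller IP the service account had not used before), which is exactly the sequence the "Why this alert is important" section describes; the later `instances.insert` in the same region is not flagged a second time. Against a real export, feed the script the output of a Logs Explorer query filtered to the service name and a wide time window, since the region baseline is only as good as the history you include.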

Resolution

After confirming that there has been unauthorized access to your Google Cloud environment, take the following steps to contain and resolve the incident:

  1. Disable the compromised user account or service account so it cannot be used further.
  2. Reset the user's password and invalidate its active sessions. A service account has no password: delete its user-managed keys and rotate any credentials derived from them.
  3. Review the Admin Activity and Data Access audit logs to determine the extent of the unauthorized access and every action taken while the account was compromised.
  4. Remove or undo any unauthorized resources or changes immediately, including compute instances, firewall rules, and IAM bindings created by the attacker.
  5. Implement additional security measures, such as enforcing multi-factor authentication (2-Step Verification) for users and restricting service account key creation, to prevent similar incidents from happening in the future.