New GCP User

This alert fires when Lacework observes that a principal, either a user account or a service account, has accessed your Google Cloud environment for the first time. The activity can arrive through the Google Cloud API or the Cloud Console; in both cases it is recorded in Cloud Audit Logs, which is where Lacework reads it.

Why this alert is important

In Google Cloud, IAM identities decide who can reach which resources. An attacker who has gained a foothold commonly creates a new user or service account so that their access survives the cleanup of the original entry point. Beyond watching for newly created accounts, this anomaly detection policy flags the first recorded activity of any principal, whether the account was just created or simply had never been used before.

Why this might be just fine

As your organization hires and onboards new personnel, creating new users is a regular occurrence, and this alert is expected whenever a new employee starts using Google Cloud for their job. The same applies to service accounts created by infrastructure-as-code or CI/CD pipelines: their first API call also triggers this alert.

Investigation

Use the steps below to investigate this alert:

  1. Review the Alert Details to gather basic information about the alert.
    • Why: Verify if the user in question is authorized to have access to the project.
    • When: Determine if the activity occurred during regular business hours and if it aligns with the user's typical location and working hours.
    • Who: Take note of the principal email. For a user account, check in the Google Workspace or Cloud Identity admin console whether 2-Step Verification (MFA) is enforced for that user; Cloud Audit Logs do not record this. For a service account, MFA does not apply, so note instead how it authenticated: the audit entry's authenticationInfo shows serviceAccountKeyName when a user-managed key was used and serviceAccountDelegationInfo when another principal impersonated it.
    • What: Assess whether the user is accessing services and APIs that are typically associated with their role.
    • Where: Identify the Google Cloud regions the user is accessing and be cautious of unusual region usage as it may be an attempt to evade detection. Verify if the IP address used for the requests aligns with the expected country and city from which the user would normally access.
  2. Identify any additional operations performed by the new user.
    • Click the identity name mentioned in the What section. This action filters the Audit Logs dossier to show only the activities associated with the user in question, enabling a focused analysis of the user's actions within the account during the past few hours.
    • If there is further evidence of suspicious activity indicating tactics such as discovery, enumeration, defense evasion, or exfiltration, it is crucial to initiate immediate remediation measures.
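The two investigation steps above, run over exported audit log entries, as an added example (this is not Lacework code, and the log entries, principals, project name and IP addresses are constructed for the example; the method-to-tactic rules are the author's own heuristics, not a Lacework or Google taxonomy). It filters the log to one principal, records the first time it was seen, the services, regions and source IPs it used, counts activity outside a business-hours window, and escalates when a sensitive method or an unexpected source network appears:

```python
"""Triage the first activity of a Google Cloud principal from Cloud Audit Logs.

Added example for this page; it is not Lacework code. The entries in SAMPLE_LOG
are constructed to mirror the shape of entries exported with
`gcloud logging read ... --format=json` (only the fields used here are kept);
the principals, project, IP addresses and timestamps are made up.
"""
import ipaddress
import json
from datetime import datetime
from typing import Dict, List, Optional


def _entry(ts, principal, service, method, resource, ip, location=""):
    """Build one constructed audit log entry with the fields this script reads."""
    return {
        "timestamp": ts,
        "resource": {"labels": {"location": location}},
        "protoPayload": {
            "serviceName": service, "methodName": method, "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
        },
    }


# Constructed sample: one known user plus a never-seen principal that enumerates,
# mints a key, deletes a log sink and reads a backup object, all at 02:00 UTC.
SAMPLE_LOG = json.dumps([
    _entry("2024-03-05T09:30:00Z", "alice@example.com", "storage.googleapis.com",
           "storage.buckets.list", "projects/acme-prod", "198.51.100.10", "us-east1"),
    _entry("2024-03-05T02:14:07Z", "eve-new@example.com", "storage.googleapis.com",
           "storage.buckets.list", "projects/acme-prod", "203.0.113.45", "asia-southeast1"),
    _entry("2024-03-05T02:15:30Z", "eve-new@example.com", "iam.googleapis.com",
           "google.iam.admin.v1.ListServiceAccounts", "projects/acme-prod", "203.0.113.45"),
    _entry("2024-03-05T02:17:02Z", "eve-new@example.com", "iam.googleapis.com",
           "google.iam.admin.v1.CreateServiceAccountKey",
           "projects/acme-prod/serviceAccounts/deploy@acme-prod.iam.gserviceaccount.com",
           "203.0.113.45"),
    _entry("2024-03-05T02:20:45Z", "eve-new@example.com", "logging.googleapis.com",
           "google.logging.v2.ConfigServiceV2.DeleteSink",
           "projects/acme-prod/sinks/siem-export", "203.0.113.45"),
    _entry("2024-03-05T02:25:11Z", "eve-new@example.com", "storage.googleapis.com",
           "storage.objects.get",
           "projects/_/buckets/acme-prod-backups/objects/customers.csv",
           "203.0.113.45", "us-east1"),
])


def parse_entries(raw: str) -> List[Dict]:
    """Flatten exported LogEntry JSON into the few fields triage needs, oldest first."""
    rows = []
    for e in json.loads(raw):
        p = e["protoPayload"]
        rows.append({
            "ts": datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")),
            "principal": p["authenticationInfo"]["principalEmail"],
            "service": p["serviceName"],
            "method": p["methodName"],
            "resource": p.get("resourceName", ""),
            "ip": p.get("requestMetadata", {}).get("callerIp", ""),
            "region": e.get("resource", {}).get("labels", {}).get("location", ""),
        })
    return sorted(rows, key=lambda r: r["ts"])


def classify_method(method: str) -> Optional[str]:
    """Map an audit-log methodName to a coarse tactic (author's heuristics only)."""
    m = method.lower()
    last = m.rsplit(".", 1)[-1]
    if "setiampolicy" in m or "createserviceaccountkey" in m:
        return "persistence/privilege"
    if "deletesink" in m or "updatesink" in m or "deletelog" in m:
        return "defense evasion"
    if m.endswith("objects.get") or "export" in last:
        return "collection/exfiltration"
    if last.startswith("list"):
        return "discovery"
    return None


def triage(entries, principal, known_principals, expected_networks, business_hours=(8, 18)):
    """Summarise one principal's activity around its first appearance.

    known_principals: identities seen before this window (assumed inventory).
    expected_networks: CIDRs the principal should connect from.
    business_hours: UTC hour range treated as normal working time.
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    mine = [e for e in entries if e["principal"] == principal]
    if not mine:
        raise ValueError(f"no audit entries for {principal}")
    start, end = business_hours
    tactics: Dict[str, List[str]] = {}
    for e in mine:
        t = classify_method(e["method"])
        if t:
            tactics.setdefault(t, []).append(e["method"])
    unexpected = {e["ip"] for e in mine
                  if e["ip"] and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)}
    severe = {"persistence/privilege", "defense evasion", "collection/exfiltration"}
    return {
        "principal": principal,
        "is_service_account": principal.endswith(".gserviceaccount.com"),
        "never_seen_before": principal not in known_principals,
        "first_seen": mine[0]["ts"].isoformat(),
        "services": sorted({e["service"] for e in mine}),
        "regions": sorted({e["region"] for e in mine if e["region"]}),
        "unexpected_ips": sorted(unexpected),
        "off_hours_events": sum(1 for e in mine if not start <= e["ts"].hour < end),
        "tactics": tactics,
        "escalate": bool(unexpected) or bool(severe.intersection(tactics)),
    }


if __name__ == "__main__":
    rows = parse_entries(SAMPLE_LOG)
    print(json.dumps(triage(rows, "eve-new@example.com", {"alice@example.com"},
                            ["198.51.100.0/24"]), indent=2))
```

To run this against real data, export the principal's entries with something like `gcloud logging read 'protoPayload.authenticationInfo.principalEmail="<email>"' --freshness=24h --format=json` and pass the file contents to parse_entries; the known-principal set would come from your identity inventory rather than being hard-coded.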

Resolution

After identifying an unauthorized user login, Lacework recommends acting immediately to resolve the issue and mitigate the threat to your environment. Here are some suggested steps:

  1. Immediately revoke the principal's access. For a user account, suspend it in the Google Workspace or Cloud Identity admin console and remove its IAM role bindings; for a service account, disable the service account, disable or delete its user-managed keys, and remove its role bindings.
  2. Reset the passwords and revoke active sessions and OAuth tokens for all affected user accounts, and rotate the keys of any affected service accounts. This includes the account in question and any other accounts that may have been compromised through it, such as service accounts whose keys it created or read.
  3. Conduct a thorough investigation to determine the scope of the breach, the cause of the unauthorized access, and whether any data or resources were compromised.
  4. Review your security policies and procedures to identify weaknesses that contributed to the breach. Implement additional controls, such as enforced multi-factor authentication for users and a ban on user-managed service account keys, to reduce the risk of recurrence.
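The first resolution step, revoking the principal's access, as an added example rather than Lacework or Google code. It computes a containment plan from a project IAM policy and a service account's key list (both constructed here in the shape returned by `gcloud projects get-iam-policy --format=json` and `gcloud iam service-accounts keys list --format=json`; the project, principals and key IDs are made up), handling conditional bindings and the user-versus-service-account split, and only runs the resulting gcloud commands when explicitly told to:

```python
"""Build, and optionally run, the containment steps for a compromised GCP principal.

Added example for this page; not Lacework code. SAMPLE_POLICY and SAMPLE_KEYS
are constructed in the shape returned by
`gcloud projects get-iam-policy PROJECT --format=json` and
`gcloud iam service-accounts keys list --iam-account=SA --format=json`.
The project, principals and key IDs are made up.
"""
import subprocess
from typing import Dict, List, Sequence

SA_SUFFIX = ".gserviceaccount.com"

SAMPLE_POLICY = {
    "version": 3,
    "etag": "BwXexample",
    "bindings": [
        {"role": "roles/viewer",
         "members": ["user:alice@example.com",
                     "serviceAccount:deploy@acme-prod.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:deploy@acme-prod.iam.gserviceaccount.com"],
         "condition": {"title": "backups-only",
                       "expression": 'resource.name.startsWith("projects/_/buckets/acme-prod-backups")'}},
        {"role": "roles/owner", "members": ["user:admin@example.com"]},
    ],
}
SAMPLE_KEYS = [
    {"name": "projects/acme-prod/serviceAccounts/deploy@acme-prod.iam.gserviceaccount.com/keys/0f1e2d3c",
     "keyType": "USER_MANAGED"},
    {"name": "projects/acme-prod/serviceAccounts/deploy@acme-prod.iam.gserviceaccount.com/keys/9a8b7c6d",
     "keyType": "SYSTEM_MANAGED"},  # Google-managed keys cannot be disabled by the customer
]


def member_for(principal: str) -> str:
    """IAM bindings carry a type prefix; service accounts end in .gserviceaccount.com."""
    kind = "serviceAccount" if principal.endswith(SA_SUFFIX) else "user"
    return f"{kind}:{principal}"


def containment_plan(project: str, principal: str, policy: Dict,
                     sa_keys: Sequence[Dict] = ()) -> Dict:
    """Return the gcloud commands (as argv lists) and manual steps that cut off a principal."""
    member = member_for(principal)
    commands: List[List[str]] = []
    manual: List[str] = []
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        cmd = ["gcloud", "projects", "remove-iam-policy-binding", project,
               f"--member={member}", f"--role={binding['role']}"]
        cond = binding.get("condition")
        if cond:
            # A conditional binding is only removed when the condition is named exactly.
            # Expressions containing commas need gcloud's ^DELIM^ escaping; not shown here.
            cmd.append(f"--condition=expression={cond['expression']},title={cond['title']}")
        commands.append(cmd)
    if member.startswith("serviceAccount:"):
        commands.append(["gcloud", "iam", "service-accounts", "disable", principal,
                         f"--project={project}"])
        for key in sa_keys:
            if key.get("keyType") == "USER_MANAGED":
                key_id = key["name"].rsplit("/", 1)[-1]
                commands.append(["gcloud", "iam", "service-accounts", "keys", "disable",
                                 key_id, f"--iam-account={principal}"])
    else:
        # gcloud cannot suspend a Workspace / Cloud Identity user; that is an admin-console step.
        manual.append(f"Suspend {principal} in the Workspace / Cloud Identity admin console "
                      "and sign the user out of all sessions.")
    return {"member": member, "commands": commands, "manual": manual}


def execute(plan: Dict, dry_run: bool = True) -> int:
    """Print the commands (default) or run them in order; returns how many were handled."""
    for cmd in plan["commands"]:
        if dry_run:
            print("DRY RUN:", " ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    for step in plan["manual"]:
        print("MANUAL:", step)
    return len(plan["commands"])


if __name__ == "__main__":
    plan = containment_plan("acme-prod", "deploy@acme-prod.iam.gserviceaccount.com",
                            SAMPLE_POLICY, SAMPLE_KEYS)
    execute(plan)  # pass dry_run=False only once the plan has been reviewed
```

Bindings at folder and organization level, and group memberships, are not covered by a project policy; repeat the plan for each policy the principal appears in before treating the account as contained.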