Potentially Compromised Google Cloud Identity
This alert occurs when Lacework detects evidence suggesting that resources or data in your Google Cloud environment may have been compromised. This encompasses unauthorized access, data leaks, exploitation of vulnerabilities, or other malicious activity.
Why this alert is important
Your Google Cloud environment serves as the host for sensitive data, including user information, financial records, proprietary business data, and more. Detecting compromises is vital to thwarting unauthorized access and the theft of this valuable information.
Why this might be just fine
There are possible scenarios that could result in false positives, including:
- Changes in configurations, permissions, or access rights
- Automated updates or patches
- Network issues, glitches, or fluctuations in traffic
Investigation
Use the recommendations below to investigate this alert:
- Examine supporting evidence: Click the Events tab to review potentially suspicious activities that occurred at the time of the alert. These activities may include login attempts from unfamiliar locations, unusual user behavior, or the utilization of sensitive APIs.
- Inspect IP addresses of suspicious logins: Refer to the What section in the Alert Details to locate the IP address. If an IP address is outside your organization's network or is otherwise unknown, block it.
- Analyze methods used by the identities in question:
  - Click the identity name mentioned in the What section. This action filters the Audit Logs dossier to show only the activities associated with the user in question, enabling a focused analysis of the user's actions within the account.
  - If there is further evidence of suspicious activity indicating tactics such as discovery, enumeration, defense evasion, or exfiltration, it is crucial to initiate immediate remediation measures.
Resolution
Implement the following steps to remediate compromised credentials in your Google Cloud environment:
- Block any IP addresses confirmed as malicious during the investigation phase.
- Disable any identities that have been confirmed as compromised during the investigation phase.
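As an added worked example (not Lacework's code and not part of the original page), the following Python script applies the Investigation and Resolution steps above to a handful of constructed Cloud Audit Log entries: it filters the log by principal (the "click the identity name" step), flags caller IPs outside the organization's ranges, sorts method names into the tactics the guidance names (discovery, defense evasion, exfiltration), and emits the gcloud commands for the two resolution steps for an operator to review before running. The sample entries, the organization CIDR, the tactic keyword mapping and the `<SECURITY_POLICY>` Cloud Armor policy name are all assumptions; only the protoPayload field names follow the real audit log layout.

```python
import ipaddress
from collections import Counter

# Constructed sample Cloud Audit Log entries (invented values, not real data).
# Field names follow the protoPayload layout of Google Cloud audit logs.
SAMPLE_ENTRIES = [
    {"protoPayload": {
        "authenticationInfo": {"principalEmail": "deploy-sa@example-project.iam.gserviceaccount.com"},
        "requestMetadata": {"callerIp": "10.20.30.40"},
        "serviceName": "compute.googleapis.com",
        "methodName": "v1.compute.instances.insert"}},
    {"protoPayload": {
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"},
        "serviceName": "iam.googleapis.com",
        "methodName": "google.iam.admin.v1.ListServiceAccounts"}},
    {"protoPayload": {
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"},
        "serviceName": "logging.googleapis.com",
        "methodName": "google.logging.v2.ConfigServiceV2.DeleteSink"}},
    {"protoPayload": {
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "198.51.100.23"},
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.objects.get"}},
    {"protoPayload": {
        "authenticationInfo": {"principalEmail": "alice@example.com"},
        "requestMetadata": {"callerIp": "10.20.31.7"},
        "serviceName": "storage.googleapis.com",
        "methodName": "storage.buckets.list"}},
]

# Assumption: the organization's own address ranges (placeholder CIDR).
ORG_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Heuristic mapping of lower-cased methodName fragments to the tactics named in
# the alert guidance. The first matching tactic wins, so specific patterns come
# first. This mapping is an illustrative assumption, not Lacework's logic.
TACTIC_HINTS = [
    ("exfiltration", ("storage.objects.get",)),
    ("defense_evasion", ("deletesink", "deletelogmetric", "setiampolicy")),
    ("discovery", ("list", "get", "describe")),
]


def classify(method_name):
    """Map an audit-log methodName to a coarse tactic label."""
    name = method_name.lower()
    for tactic, fragments in TACTIC_HINTS:
        if any(f in name for f in fragments):
            return tactic
    return "other"


def is_external(ip, org_networks):
    """True when the caller IP lies outside every known organization range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in org_networks)


def activity_for(entries, principal):
    """The filter behind 'click the identity name': keep only this principal's actions."""
    return [e for e in entries
            if e["protoPayload"]["authenticationInfo"]["principalEmail"] == principal]


def summarize(entries, principal, org_networks):
    """Condense one principal's activity into what the investigation steps ask for."""
    own = activity_for(entries, principal)
    tactics = Counter(classify(e["protoPayload"]["methodName"]) for e in own)
    external_ips = sorted({
        e["protoPayload"]["requestMetadata"]["callerIp"] for e in own
        if is_external(e["protoPayload"]["requestMetadata"]["callerIp"], org_networks)})
    suspicious = tactics["discovery"] + tactics["defense_evasion"] + tactics["exfiltration"]
    return {
        "principal": principal,
        "events": len(own),
        "tactics": dict(tactics),
        "external_ips": external_ips,
        # Escalate when logins from unknown sources coincide with the named tactics.
        "escalate": bool(external_ips) and suspicious > 0,
    }


def remediation_commands(summary, security_policy="<SECURITY_POLICY>"):
    """gcloud commands for the Resolution steps, returned for operator review, not run.
    Assumptions: an existing Cloud Armor policy (placeholder name); user accounts are
    suspended in the Cloud Identity / Workspace admin console rather than via gcloud."""
    if not summary["escalate"]:
        return []
    cmds = []
    for priority, ip in enumerate(summary["external_ips"], start=1000):
        cmds.append(f"gcloud compute security-policies rules create {priority} "
                    f"--security-policy={security_policy} --src-ip-ranges={ip}/32 --action=deny-403")
    principal = summary["principal"]
    if principal.endswith(".gserviceaccount.com"):
        cmds.append(f"gcloud iam service-accounts disable {principal}")
    else:
        cmds.append(f"# {principal}: suspend the user in the Cloud Identity / Workspace admin console")
    return cmds


if __name__ == "__main__":
    for who in ("alice@example.com", "deploy-sa@example-project.iam.gserviceaccount.com"):
        s = summarize(SAMPLE_ENTRIES, who, ORG_NETWORKS)
        print(s)
        for c in remediation_commands(s):
            print("  ", c)
```

Running the script escalates only the user whose discovery, sink deletion and object reads came from an address outside the organization range; the service account that only created an instance from an internal address yields no remediation commands. The escalation condition deliberately requires both an unknown source IP and a named tactic, which mirrors the guidance's two-step check and keeps routine automation from being flagged.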