GCP Unauthorized User Activity

Classification:

compliance

Set up the GCP integration.

Overview

Goal

Detect unauthorized activity by a user in GCP.

Strategy

Monitor GCP logs and detect when the error message PERMISSION_DENIED is returned for a user account.

Triage & Response

  1. Determine the user who made the unauthorized calls.
  2. Determine whether there is a misconfiguration in IAM permissions or whether an attacker has compromised the user account.
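
The strategy and the first triage step can be reproduced offline over exported logs. The sketch below is an added example, not the rule's own query: it assumes entries in Cloud Audit Log JSON form (protoPayload.status, authenticationInfo.principalEmail, methodName, requestMetadata.callerIp), treats any principal ending in gserviceaccount.com as a service account, and uses constructed sample lines.

```python
import json
from collections import defaultdict

PERMISSION_DENIED_CODE = 7  # google.rpc.Code value for PERMISSION_DENIED

def _entry(principal, method, ip, code=0, message=""):
    """Build one constructed audit-log line (sample data, not real logs)."""
    return json.dumps({"protoPayload": {
        "status": {"code": code, "message": message},
        "authenticationInfo": {"principalEmail": principal},
        "methodName": method,
        "requestMetadata": {"callerIp": ip}}})

SAMPLE_LOGS = [
    _entry("alice@example.com", "storage.buckets.list", "203.0.113.10", 7, "PERMISSION_DENIED"),
    _entry("alice@example.com", "v1.compute.instances.list", "203.0.113.10", 7, "PERMISSION_DENIED"),
    _entry("alice@example.com", "storage.objects.list", "198.51.100.7", 7, "PERMISSION_DENIED"),
    _entry("bob@example.com", "storage.objects.get", "192.0.2.4"),  # call succeeded
    _entry("ci@demo-project.iam.gserviceaccount.com", "storage.buckets.get", "192.0.2.9", 7, "PERMISSION_DENIED"),
    "not json",  # malformed line, must be skipped
]

def is_user_denial(payload):
    """PERMISSION_DENIED for a user principal (assumption: service accounts matched by suffix)."""
    status = payload.get("status") or {}
    denied = (status.get("code") == PERMISSION_DENIED_CODE
              or "PERMISSION_DENIED" in str(status.get("message", "")))
    principal = (payload.get("authenticationInfo") or {}).get("principalEmail", "")
    return denied and bool(principal) and not principal.endswith("gserviceaccount.com")

def summarize_denials(lines):
    """Group denied calls by user: count, methods attempted, source IPs."""
    summary = defaultdict(lambda: {"count": 0, "methods": set(), "ips": set()})
    for line in lines:
        try:
            payload = json.loads(line).get("protoPayload") or {}
        except (json.JSONDecodeError, AttributeError):
            continue  # skip lines that are not JSON objects
        if not is_user_denial(payload):
            continue
        user = payload["authenticationInfo"]["principalEmail"]
        summary[user]["count"] += 1
        summary[user]["methods"].add(payload.get("methodName", "unknown"))
        summary[user]["ips"].add((payload.get("requestMetadata") or {}).get("callerIp", "unknown"))
    return dict(summary)

if __name__ == "__main__":
    for user, info in summarize_denials(SAMPLE_LOGS).items():
        print(user, info["count"], sorted(info["methods"]), sorted(info["ips"]))
```

The per-user count, method set and source-IP set identify who made the denied calls and give the context needed to judge misconfiguration against account compromise.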