This document describes a threat finding type in Security Command Center. Threat findings are generated by threat detectors when they detect a potential threat in your cloud resources. For a full list of available threat findings, see Threat findings index.
Finding description
This finding isn't available for project-level activations.
An IAM user or service account is accessing Google Cloud AI services from an anomalous location, based on the geolocation of the requesting IP address.
Step 1: Review finding details
Open a
Persistence: New Geography for AI Servicefinding, as directed in Reviewing finding details earlier on this page. The details panel for the finding opens to the Summary tab.On the Summary tab, review the information in the following sections:
- What was detected, especially the following fields:
- Principal email: the potentially compromised user account.
- AI resources: the potentially impacted AI resources, such as the Vertex AI resources and the AI model.
- Affected resource, especially the following fields:
- Project full name: the project that contains the potentially compromised user account.
- Related links, especially the following fields:
- Cloud Logging URI: link to Logging entries.
- MITRE ATT&CK method: link to the MITRE ATT&CK documentation.
- Related findings: links to any related findings.
- In the detail view of the finding, click the JSON tab.
In the JSON, note the following
sourcePropertiesfields:affectedResources:gcpResourceName: the affected resource
evidence:sourceLogId:projectId: the ID of the project that contains the finding.
properties:anomalousLocation:anomalousLocation: the estimated current location of the user.callerIp: the external IP address.notSeenInLast: the time period used to establish a baseline for normal behavior.typicalGeolocations: the locations where the user usually accesses Google Cloud resources.
aiModel:name: the affected AIModel
vertexAi:datasets: the affected Vertex AI datasetspipelines: the affected Vertex AI training pipelines
Step 2: Review project and account permissions
In the Google Cloud console, go to the IAM page.
If necessary, select the project listed in the
projectIDfield in the finding JSON.On the page that appears, in the Filter box, enter the account name listed in Principal email and check granted roles.
Step 3: Check logs
- On the Summary tab of the finding details panel, click the Cloud Logging URI link to open the Logs Explorer.
- If necessary, select your project.
- On the page that loads, check logs for activity from new or updated
IAM resources using the following filters:
protoPayload.methodName="SetIamPolicy"protoPayload.methodName="google.iam.admin.v1.UpdateRole"protoPayload.methodName="google.iam.admin.v1.CreateRole"protoPayload.authenticationInfo.principalEmail="principalEmail"
Step 4: Research attack and response methods
- Review the MITRE ATT&CK framework entry for this finding type: Valid Accounts: Cloud Accounts.
- To develop a response plan, combine your investigation results with MITRE research.
Step 5: Implement your response
The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.
- Contact the owner of the project with the compromised account.
- Review the
anomalousLocation,typicalGeolocations, andnotSeenInLastfields to verify whether the access is abnormal and if the account has been compromised. - Delete project resources created by unauthorized accounts, like unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.
- To restrict the creation of new resources to specific regions, see Restricting resource locations.
- To identify and fix overly permissive roles, use IAM Recommender.
What's next
- Learn how to work with threat findings in Security Command Center.
- Refer to the Threat findings index.
- Learn how to review a finding through the Google Cloud console.
- Learn about the services that generate threat findings.