Monitoring critical security signals matters because these events often indicate account compromise, privilege escalation, or configuration changes that alter the security posture of a cloud environment. Effective monitoring shortens investigations, strengthens governance, and improves incident response.
Below is a list of risk detection types commonly associated with identity, access, and service management activities in cloud environments. These detections assist security and operations teams in understanding suspicious behavior, identifying high-risk changes, and tracking accountability across projects and resources.
| Risk Detection Type | Description with Security Implication |
|---|---|
| Anonymous IP Address | Flags sign-ins or API calls whose caller IP (`protoPayload.requestMetadata.callerIp` in Cloud Audit Logs) belongs to a known anonymizing network such as Tor exit nodes. Attackers use these networks to hide their origin, so matching events should be reviewed together with every action taken in the same session. Reference https://docs.cloud.google.com/security-command-center/docs/concepts-event-threat-detection-overview#what-is |
| Unfamiliar Sign-in Properties | Flags events that deviate from a principal's established baseline: a new source IP, location, device, or user agent (`protoPayload.requestMetadata.callerSuppliedUserAgent`). Such deviations may indicate credential misuse or account takeover; the detection is only as good as the baseline, which should be built from a longer history than the batch being scored. Reference https://docs.cloud.google.com/logging/docs/audit#types |
| Sensitive Service Enablement | Identifies activation of high-impact APIs (for example Compute Engine or BigQuery), recorded by `serviceusage.googleapis.com` as `google.api.serviceusage.v1.ServiceUsage.EnableService` or `BatchEnableServices`. Unexpected enablement expands the project's attack surface and can introduce operational and billing risk. Reference https://docs.cloud.google.com/service-usage/docs/enabled-service#calling |
| Service Account Key Creation | Monitors creation of user-managed service account keys (`google.iam.admin.v1.CreateServiceAccountKey` on `iam.googleapis.com`). A downloaded key grants programmatic access outside console-side controls and does not expire by default, which makes unexpected key creation a common persistence technique. Reference https://docs.cloud.google.com/service-usage/docs/enabled-service#calling |
| Resource Path Mapping | Resolves the project and resource hierarchy in which a change occurred, using `protoPayload.resourceName` together with `resource.labels.project_id` (or the folder and organization labels), so teams can determine where the activity took place and scope its impact quickly. Reference https://docs.cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#resource-hierarchy-detail |
| Administrative Identity Tracking | Identifies the principal that executed a change via `protoPayload.authenticationInfo.principalEmail`, providing accountability and a clear audit trail of who performed each action. Reference https://docs.cloud.google.com/iam/docs/overview#access-overview |
| Service-Specific Risk | Highlights modifications to core services such as the Service Usage API, which gates access to other cloud capabilities. Disabling a service (`google.api.serviceusage.v1.ServiceUsage.DisableService`) can break workloads or silently remove logging and security tooling, so such changes indicate structural shifts in project functionality and exposure. Reference https://docs.cloud.google.com/service-usage/docs/enable-disable#before |
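
The seven detection types above, expressed as rules over Cloud Audit Log entries. This is an added example, not code from the original page or from any Google product: the log entries are constructed (only the fields the rules read are filled in), the anonymizer IP list uses TEST-NET documentation addresses rather than real Tor exit nodes, and the sensitive-service list is an assumption to be tuned per organization. The audit-log field names and method names are the real Cloud Audit Log ones.

```python
"""Detection rules for the risk types in the table, run over constructed
Cloud Audit Log entries (added example; sample data is constructed, not real)."""
import json
from collections import defaultdict

# Constructed stand-in for a threat-intel feed of anonymizer exit nodes (TEST-NET-2 addresses).
ANONYMIZER_IPS = {"198.51.100.23", "198.51.100.77"}
# High-impact APIs whose unexpected enablement widens attack surface (assumption; tune per org).
SENSITIVE_SERVICES = {"compute.googleapis.com", "bigquery.googleapis.com"}
# Real Cloud Audit Log method names for the activities in the table.
ENABLE_METHODS = {
    "google.api.serviceusage.v1.ServiceUsage.EnableService",
    "google.api.serviceusage.v1.ServiceUsage.BatchEnableServices",
}
DISABLE_METHOD = "google.api.serviceusage.v1.ServiceUsage.DisableService"
SA_KEY_CREATE = "google.iam.admin.v1.CreateServiceAccountKey"


def context(entry):
    """Resource Path Mapping + Administrative Identity Tracking: pull who / where / what
    from the standard AuditLog fields, tolerating missing ones."""
    pp = entry.get("protoPayload", {})
    meta = pp.get("requestMetadata", {})
    return {
        "principal": pp.get("authenticationInfo", {}).get("principalEmail", "<unknown>"),
        "project": entry.get("resource", {}).get("labels", {}).get("project_id", "<unknown>"),
        "resource": pp.get("resourceName", ""),
        "method": pp.get("methodName", ""),
        "caller_ip": meta.get("callerIp", ""),
        "user_agent": meta.get("callerSuppliedUserAgent", ""),
        "request": pp.get("request", {}),
    }


def services_touched(ctx):
    """Service IDs named by an Enable/Disable call: the trailing segment of
    resourceName (projects/N/services/<id>) or request.serviceIds for batch calls.
    Assumption: service IDs end in .googleapis.com, which distinguishes them from the
    bare 'services' collection used by BatchEnableServices."""
    ids = set(ctx["request"].get("serviceIds", []))
    tail = ctx["resource"].rsplit("/", 1)[-1]
    if tail.endswith(".googleapis.com"):
        ids.add(tail)
    return ids


def detect(entries, baseline=None):
    """Return (risk_type, principal, project, resource) tuples for every rule hit.
    `baseline` maps principal -> {"ips": set, "agents": set} learned from prior history;
    without it, a principal's first event in the batch seeds the baseline and cannot be
    flagged as unfamiliar, which is why production baselines come from a longer window."""
    baseline = defaultdict(lambda: {"ips": set(), "agents": set()}, baseline or {})
    findings = []
    for raw in entries:
        entry = json.loads(raw) if isinstance(raw, str) else raw
        ctx = context(entry)
        where = (ctx["principal"], ctx["project"], ctx["resource"])

        if ctx["caller_ip"] in ANONYMIZER_IPS:
            findings.append(("Anonymous IP Address",) + where)

        seen = baseline[ctx["principal"]]
        if seen["ips"] and (ctx["caller_ip"] not in seen["ips"]
                            or ctx["user_agent"] not in seen["agents"]):
            findings.append(("Unfamiliar Sign-in Properties",) + where)
        seen["ips"].add(ctx["caller_ip"])
        seen["agents"].add(ctx["user_agent"])

        if ctx["method"] in ENABLE_METHODS and services_touched(ctx) & SENSITIVE_SERVICES:
            findings.append(("Sensitive Service Enablement",) + where)
        elif ctx["method"] == DISABLE_METHOD:
            findings.append(("Service-Specific Risk",) + where)
        elif ctx["method"] == SA_KEY_CREATE:
            findings.append(("Service Account Key Creation",) + where)
    return findings


def sample_entries():
    """Constructed audit-log entries (not captured from a real project)."""
    def entry(principal, ip, agent, service, method, resource, request=None):
        return {
            "logName": "projects/demo-proj/logs/cloudaudit.googleapis.com%2Factivity",
            "resource": {"type": "project", "labels": {"project_id": "demo-proj"}},
            "protoPayload": {
                "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
                "serviceName": service, "methodName": method, "resourceName": resource,
                "authenticationInfo": {"principalEmail": principal},
                "requestMetadata": {"callerIp": ip, "callerSuppliedUserAgent": agent},
                "request": request or {},
            },
        }
    gcloud, svc = "google-cloud-sdk gcloud/470.0.0", "serviceusage.googleapis.com"
    return [
        entry("alice@example.com", "203.0.113.7", gcloud, svc, "google.api.serviceusage.v1.ServiceUsage.EnableService",
              "projects/123456789012/services/compute.googleapis.com"),
        entry("alice@example.com", "198.51.100.23", "curl/8.5.0", "iam.googleapis.com", SA_KEY_CREATE,
              "projects/-/serviceAccounts/112233445566778899001"),
        entry("bob@example.com", "203.0.113.9", gcloud, svc, "google.api.serviceusage.v1.ServiceUsage.BatchEnableServices",
              "projects/123456789012/services", {"serviceIds": ["bigquery.googleapis.com", "logging.googleapis.com"]}),
        entry("bob@example.com", "203.0.113.9", gcloud, svc, DISABLE_METHOD,
              "projects/123456789012/services/storage.googleapis.com"),
        entry("alice@example.com", "203.0.113.7", gcloud, svc, "google.api.serviceusage.v1.ServiceUsage.EnableService",
              "projects/123456789012/services/logging.googleapis.com"),
    ]


if __name__ == "__main__":
    for kind, principal, project, resource in detect(sample_entries()):
        print(f"{kind:32} {principal:20} {project:12} {resource}")
```

Run stand-alone, the second constructed entry trips three rules at once (anonymizer source, unfamiliar IP and user agent for alice, and a new service account key), which is the combination an analyst would want surfaced as one incident rather than three alerts. The batch-enable entry shows why the rule must read `request.serviceIds` as well as `resourceName`: a `BatchEnableServices` call names only the `services` collection in its resource path. Feed `detect` a `baseline` built from historical logs rather than the batch under review; otherwise a principal's first appearance can never be flagged as unfamiliar.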
