High Severity IAM Policy Change Detected in GCP
Alert Summary
An alert from GCP's Event Threat Detection service was triggered by a high-severity finding involving an anomalous IAM grant, specifically the grant of roles/owner to bucky.bennett@thisisarealcompany.com. The grant was executed by emily.eaton@thisisarealcompany.com from a US-based IP address, using the Cloud Resource Manager API. The event was recorded in the Cloud Audit Logs under the ID sw1gmnd2vmw and occurred on July 26, 2024, at 18:51:33 UTC, affecting the organization with ID 1085577742955.
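As an added illustration (not part of the original alert or of the detection service's own logic), the following Python scans Cloud Audit Log SetIamPolicy entries for additions of sensitive roles such as roles/owner, which is the condition behind this alert. The field layout (protoPayload.serviceData.policyDelta.bindingDeltas) follows the Cloud Audit Log schema for IAM policy changes; the sample entries are constructed and use the identifiers from this report.

```python
import json
from dataclasses import dataclass

# Roles whose addition should always be surfaced for review (assumption: tune per org).
SENSITIVE_ROLES = {"roles/owner", "roles/resourcemanager.organizationAdmin"}

@dataclass(frozen=True)
class Finding:
    insert_id: str
    grantor: str
    member: str
    role: str
    caller_ip: str

def find_sensitive_grants(entries: list) -> list:
    """Return one Finding per ADD of a sensitive role found in SetIamPolicy audit entries."""
    findings = []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        if payload.get("methodName") != "SetIamPolicy":
            continue  # not a policy change, ignore
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") == "ADD" and delta.get("role") in SENSITIVE_ROLES:
                findings.append(Finding(
                    insert_id=entry.get("insertId", ""),
                    grantor=payload.get("authenticationInfo", {}).get("principalEmail", ""),
                    member=delta.get("member", ""),
                    role=delta["role"],
                    caller_ip=payload.get("requestMetadata", {}).get("callerIp", ""),
                ))
    return findings

# Constructed sample entries (not a real export): the owner grant from the alert,
# a REMOVE of the same role, and a low-privilege viewer grant. Only the first should fire.
SAMPLE_LOG = json.loads("""[
 {"insertId": "sw1gmnd2vmw", "timestamp": "2024-07-26T18:51:33Z",
  "protoPayload": {"serviceName": "cloudresourcemanager.googleapis.com", "methodName": "SetIamPolicy",
   "authenticationInfo": {"principalEmail": "emily.eaton@thisisarealcompany.com"},
   "requestMetadata": {"callerIp": "54.167.54.205"},
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/owner", "member": "user:bucky.bennett@thisisarealcompany.com"}]}}}},
 {"insertId": "constructed-2", "protoPayload": {"methodName": "SetIamPolicy",
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "REMOVE", "role": "roles/owner", "member": "user:someone@example.com"}]}}}},
 {"insertId": "constructed-3", "protoPayload": {"methodName": "SetIamPolicy",
   "serviceData": {"policyDelta": {"bindingDeltas": [
     {"action": "ADD", "role": "roles/viewer", "member": "user:someone@example.com"}]}}}}
]""")
```

A finding from this check is only the trigger; as the conclusion below notes, it still has to be correlated with a change request or approval record before it is treated as confirmed unauthorized activity.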
Top Findings
bucky.bennett@thisisarealcompany.com experienced login challenges and failures.
bucky.bennett@thisisarealcompany.com holds the job title "Accountant".
bucky.bennett@thisisarealcompany.com is an admin in Google Workspace.
emily.eaton@thisisarealcompany.com is a member of gcp-admins@thisisarealcompany.com.
Conclusion
No documented request or indication of authorized need was found for assigning roles/owner to bucky.bennett@thisisarealcompany.com. Although emily.eaton@thisisarealcompany.com is a recognized user and the IP address 54.167.54.205 is from the US, there is no record of normal usage or approvals for such privileged actions, making this activity potentially suspicious.
Pending Interview
emily.eaton@thisisarealcompany.com
Can you confirm if you assigned the IAM role 'roles/owner' to bucky.bennett@thisisarealcompany.com on July 26, 2024? Additionally, do you recognize the IP address from which this action was taken, located in the US?
Associated Entities
bucky.bennett@thisisarealcompany.com
emily.eaton@thisisarealcompany.com