# Persistence: New Geography for AI Service

Premium and Enterprise [service tiers](/security-command-center/docs/service-tiers)

This document describes a threat finding type in Security Command Center. Threat findings are generated by
[threat detectors](/security-command-center/docs/concepts-security-sources#threats) when they detect
a potential threat in your cloud resources. For a full list of available threat findings, see [Threat findings index](/security-command-center/docs/threat-findings-index).

Overview
--------

This finding isn't available for project-level activations.

An IAM user or service account is accessing Google Cloud AI services from an anomalous location, based on the geolocation of the requesting IP address.

How to respond
--------------

To respond to this finding, do the following:

### Step 1: Review finding details

1. Open a `Persistence: New Geography for AI Service` finding, as directed in
   [Reviewing finding details](/security-command-center/docs/how-to-investigate-threats#reviewing_findings). The details panel for the finding opens to the **Summary** tab.
2. On the **Summary** tab, review the information in the following sections:
   - **What was detected**, especially the following fields:
     - **Principal email**: the potentially compromised user account.
     - **AI resources**: the potentially impacted AI resources, such as the Vertex AI resources and the AI model.
   - **Affected resource**, especially the following fields:
     - **Project full name**: the project that contains the potentially compromised user account.
   - **Related links**, especially the following fields:
     - **Cloud Logging URI**: link to Logging entries.
     - **MITRE ATT&CK method**: link to the MITRE ATT&CK documentation.
     - **Related findings**: links to any related findings.
3. In the detail view of the finding, click the **JSON** tab.
4. In the JSON, note the following `sourceProperties` fields:
   - `affectedResources`:
     - `gcpResourceName`: the affected resource.
   - `evidence`:
     - `sourceLogId`:
       - `projectId`: the ID of the project that contains the finding.
   - `properties`:
     - `anomalousLocation`:
       - `anomalousLocation`: the estimated current location of the user.
       - `callerIp`: the external IP address.
       - `notSeenInLast`: the time period used to establish a baseline for normal behavior.
       - `typicalGeolocations`: the locations where the user usually accesses Google Cloud resources.
     - `aiModel`:
       - `name`: the affected AI [`Model`](/vertex-ai/generative-ai/docs/reference/rest/v1/projects.locations.models).
     - `vertexAi`:
       - `datasets`: the affected Vertex AI datasets.
       - `pipelines`: the affected Vertex AI training pipelines.
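The following Python script is an added example, not Security Command Center code. It reads the `sourceProperties` fields listed above from a finding's JSON and produces a triage summary: whether the current location is really outside the user's typical geolocations, whether `callerIp` is a well-formed address worth pivoting on in Logging, which project holds the source log entry, and every AI resource the finding names. `SAMPLE_FINDING` is constructed data (the project, locations, IP address and resource names are placeholders), and the assumption that `affectedResources` and `evidence` are lists is the example's own; `_as_list` tolerates either shape.

```python
"""Triage a Persistence: New Geography for AI Service finding from its JSON.

Added example, not Security Command Center code. SAMPLE_FINDING is constructed:
project, locations, IP address and resource names are placeholders, and the
list-vs-object shape of affectedResources and evidence is an assumption.
"""
import ipaddress
import json
from typing import Any, Optional

SAMPLE_FINDING: dict[str, Any] = {
    "category": "Persistence: New Geography for AI Service",
    "sourceProperties": {
        "affectedResources": [
            {"gcpResourceName": "//aiplatform.googleapis.com/projects/example-project"
                                "/locations/us-central1/models/1234567890"}
        ],
        "evidence": [{"sourceLogId": {"projectId": "example-project"}}],
        "properties": {
            "anomalousLocation": {
                "anomalousLocation": "Country X",   # placeholder
                "callerIp": "203.0.113.45",         # RFC 5737 documentation address
                "notSeenInLast": "30 days",         # placeholder baseline window
                "typicalGeolocations": ["Country A", "Country B"],
            },
            "aiModel": {"name": "projects/example-project/locations/us-central1/models/1234567890"},
            "vertexAi": {
                "datasets": ["projects/example-project/locations/us-central1/datasets/42"],
                "pipelines": [],
            },
        },
    },
}


def _as_list(value: Any) -> list:
    """Finding sub-objects may arrive as one object or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def extract_anomaly(finding: dict) -> dict:
    """Flatten properties.anomalousLocation into snake_case keys."""
    loc = finding["sourceProperties"]["properties"]["anomalousLocation"]
    return {
        "anomalous_location": loc.get("anomalousLocation"),
        "caller_ip": loc.get("callerIp"),
        "not_seen_in_last": loc.get("notSeenInLast"),
        "typical_geolocations": list(loc.get("typicalGeolocations", [])),
    }


def is_new_geography(anomaly: dict) -> bool:
    """True when the current location is not one of the user's typical locations."""
    current = (anomaly.get("anomalous_location") or "").strip().lower()
    typical = {g.strip().lower() for g in anomaly.get("typical_geolocations", [])}
    return bool(current) and current not in typical


def caller_ip_is_valid(anomaly: dict) -> bool:
    """Reject malformed callerIp values before pivoting on them in Logging."""
    try:
        ipaddress.ip_address(anomaly.get("caller_ip") or "")
        return True
    except ValueError:
        return False


def affected_ai_resources(finding: dict) -> list[str]:
    """Collect every AI resource the finding points at: model, datasets, pipelines."""
    sp = finding["sourceProperties"]
    names = [r.get("gcpResourceName") for r in _as_list(sp.get("affectedResources"))]
    props = sp.get("properties", {})
    names.append(props.get("aiModel", {}).get("name"))
    vertex = props.get("vertexAi", {})
    names.extend(vertex.get("datasets", []))
    names.extend(vertex.get("pipelines", []))
    return [n for n in names if n]


def source_project_id(finding: dict) -> Optional[str]:
    """The project holding the source log entry (evidence.sourceLogId.projectId)."""
    for ev in _as_list(finding["sourceProperties"].get("evidence")):
        project_id = ev.get("sourceLogId", {}).get("projectId")
        if project_id:
            return project_id
    return None


def triage(finding: dict) -> dict:
    """Summary used to decide whether the Step 5 response plan applies."""
    anomaly = extract_anomaly(finding)
    return {
        "project_id": source_project_id(finding),
        "new_geography": is_new_geography(anomaly),
        "caller_ip_valid": caller_ip_is_valid(anomaly),
        "caller_ip": anomaly["caller_ip"],
        "anomalous_location": anomaly["anomalous_location"],
        "typical_geolocations": anomaly["typical_geolocations"],
        "baseline_window": anomaly["not_seen_in_last"],
        "affected_resources": affected_ai_resources(finding),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_FINDING), indent=2))
```

Run it against the JSON you copy from the finding's **JSON** tab; `new_geography` being `False` (the location already appears in `typicalGeolocations`, differing only in case or spacing) is the first sign the finding may be benign, and the `affected_resources` list is what you hand to the project owner in Step 5.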
### Step 2: Review project and account permissions

1. In the Google Cloud console, go to the **IAM** page.

   [Go to IAM](https://console.cloud.google.com/iam-admin/iam)

2. If necessary, select the project listed in the `projectId` field in the finding JSON.
3. On the page that appears, in the **Filter** box, enter the account name listed in **Principal email** and check the granted roles.

### Step 3: Check logs

1. On the **Summary** tab of the finding details panel, click the **Cloud Logging URI** link to open the **Logs Explorer**.
2. If necessary, select your project.
3. On the page that loads, check logs for activity from new or updated IAM resources using the following filters, where `PRINCIPAL_EMAIL` is the value of **Principal email** from the finding:
   - `protoPayload.methodName="SetIamPolicy"`
   - `protoPayload.methodName="google.iam.admin.v1.UpdateRole"`
   - `protoPayload.methodName="google.iam.admin.v1.CreateRole"`
   - `protoPayload.authenticationInfo.principalEmail="PRINCIPAL_EMAIL"`

### Step 4: Research attack and response methods

1. Review the MITRE ATT&CK framework entry for this finding type: [Valid Accounts: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/).
2. To develop a response plan, combine your investigation results with MITRE research.
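The Step 3 filters can also be applied outside the console. The script below is an added example, not Cloud Logging or Security Command Center code: it builds the Logs Explorer query equivalent to the four Step 3 filters (the three `methodName` filters combined with `OR`, then `AND` the principal, which is this example's reading of the list) and runs the same predicate offline over Cloud Audit Log entries exported as JSON lines, reporting which IAM changes the principal made and, for `SetIamPolicy`, which bindings were added. The log entries, e-mail addresses, timestamps, project, role and member names are constructed placeholders; `serviceData.policyDelta.bindingDeltas` is the shape `SetIamPolicy` audit entries carry.

```python
"""Apply the Step 3 Cloud Logging filters to Cloud Audit Log entries.

Added example, not Cloud Logging or Security Command Center code. All log
entries, e-mail addresses, timestamps and resource names are constructed.
"""
import json

# methodName values from Step 3 that indicate new or updated IAM resources.
IAM_CHANGE_METHODS = frozenset({
    "SetIamPolicy",
    "google.iam.admin.v1.UpdateRole",
    "google.iam.admin.v1.CreateRole",
})

SUSPECT = "suspect@example.com"  # constructed stand-in for the finding's Principal email

# Constructed Cloud Audit Log entries, one JSON object per line, as Logging exports them.
SAMPLE_LOG_LINES = [
    json.dumps({
        "timestamp": "2025-01-01T10:00:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": SUSPECT},
            "resourceName": "projects/example-project",
            "serviceData": {"policyDelta": {"bindingDeltas": [
                {"action": "ADD", "role": "roles/owner",
                 "member": "serviceAccount:new-sa@example-project.iam.gserviceaccount.com"},
            ]}},
        },
    }),
    json.dumps({
        "timestamp": "2025-01-01T10:02:00Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateRole",
            "authenticationInfo": {"principalEmail": SUSPECT},
            "resourceName": "projects/example-project/roles/customRole",
        },
    }),
    json.dumps({  # same method, different principal: must not match
        "timestamp": "2025-01-01T10:05:00Z",
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "authenticationInfo": {"principalEmail": "admin@example.com"},
            "resourceName": "projects/example-project",
        },
    }),
    json.dumps({  # AI service call by the principal, not an IAM change: must not match
        "timestamp": "2025-01-01T10:07:00Z",
        "protoPayload": {
            "methodName": "google.cloud.aiplatform.v1.PredictionService.Predict",
            "authenticationInfo": {"principalEmail": SUSPECT},
            "resourceName": "projects/example-project/locations/us-central1/endpoints/7",
        },
    }),
    json.dumps({
        "timestamp": "2025-01-01T10:09:00Z",
        "protoPayload": {
            "methodName": "google.iam.admin.v1.UpdateRole",
            "authenticationInfo": {"principalEmail": SUSPECT},
            "resourceName": "projects/example-project/roles/customRole",
        },
    }),
]


def build_logs_explorer_filter(principal_email: str) -> str:
    """Logs Explorer query string for the Step 3 filters, scoped to one principal."""
    methods = " OR ".join(f'protoPayload.methodName="{m}"' for m in sorted(IAM_CHANGE_METHODS))
    return f'({methods}) AND protoPayload.authenticationInfo.principalEmail="{principal_email}"'


def is_iam_change_by(entry: dict, principal_email: str) -> bool:
    """The same predicate as the query, evaluated on one parsed log entry."""
    payload = entry.get("protoPayload", {})
    return (
        payload.get("methodName") in IAM_CHANGE_METHODS
        and payload.get("authenticationInfo", {}).get("principalEmail") == principal_email
    )


def find_iam_changes(lines: list[str], principal_email: str) -> list[dict]:
    """Return the IAM changes the principal made, with any bindings SetIamPolicy added."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        if not is_iam_change_by(entry, principal_email):
            continue
        payload = entry["protoPayload"]
        deltas = payload.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        hits.append({
            "timestamp": entry.get("timestamp"),
            "method": payload["methodName"],
            "resource": payload.get("resourceName"),
            "added_bindings": [f"{d['role']} -> {d['member']}" for d in deltas if d.get("action") == "ADD"],
        })
    return hits


if __name__ == "__main__":
    print(build_logs_explorer_filter(SUSPECT))
    for hit in find_iam_changes(SAMPLE_LOG_LINES, SUSPECT):
        print(hit)
```

Paste the string from `build_logs_explorer_filter` into the Logs Explorer query box, or feed an exported JSON-lines file to `find_iam_changes`; the `added_bindings` entries are the service accounts and roles to review when deciding, in Step 5, which resources created by the account should be deleted.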
### Step 5: Implement your response

The following response plan might be appropriate for this finding, but might also impact operations. Carefully evaluate the information you gather in your investigation to determine the best way to resolve findings.

- Contact the owner of the project with the compromised account.
- Review the `anomalousLocation`, `typicalGeolocations`, and `notSeenInLast` fields to verify whether the access is abnormal and whether the account has been compromised.
- Delete project resources created by unauthorized accounts, like unfamiliar Compute Engine instances, snapshots, service accounts, and IAM users.
- To restrict the creation of new resources to specific regions, see [Restricting resource locations](/resource-manager/docs/organization-policy/defining-locations).
- To identify and fix overly permissive roles, use [IAM Recommender](/iam/docs/recommender-overview).

What's next
-----------

- Learn [how to work with threat findings in Security Command Center](/security-command-center/docs/how-to-investigate-threats).
- Refer to the [Threat findings index](/security-command-center/docs/threat-findings-index).
- Learn how to [review a finding](/security-command-center/docs/how-to-investigate-threats#reviewing_findings) through the Google Cloud console.
- Learn about the [services that generate threat findings](/security-command-center/docs/concepts-security-sources#threats).