12/14/2024, 3:15:00 AM
IAM policy changes spiked to 34% of all audit events between 02:00–03:15 UTC. Baseline is under 0.4%. The principal responsible is a service account normally used for read-only storage operations.
This IP address originated 28 API calls in a 4-minute window. It has never appeared in your audit logs before. The IP is associated with a known Tor exit node.
This service account called 6 distinct API methods tonight; it normally calls only storage.objects.get. The deviation suggests either compromised credentials or a misconfigured deployment pipeline.
Permission denial errors represent 41% of API responses in the query window, versus a 2.1% baseline. This volume suggests an automated enumeration attempt against IAM-restricted resources.
API calls from a staging project against production resources appeared in the audit trail. This cross-environment access pattern has not been observed in the past 30 days.
Secret Manager was accessed 19 times in this window. Typical daily usage is 2–3 reads during deploy cycles. The access pattern does not correlate with any known deployment.
A generic Python HTTP client user agent was used for 8 API calls. Most legitimate GCP SDK calls use the official google-cloud-python client. Low severity but worth correlating with other signals.
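A compact implementation of the baseline-deviation checks behind the findings above (IAM change rate, permission-denied rate, unseen caller IP, methods a principal has never used), added here as an example rather than code from the original alerting tool. The baseline ratios are the ones quoted above; the service account, IPs and log entries are constructed, and the field names are flattened from the Cloud Audit Log protoPayload schema.

```python
"""Baseline-deviation checks over flattened GCP Cloud Audit Log entries."""

PERMISSION_DENIED = 7  # google.rpc.Code.PERMISSION_DENIED in protoPayload.status.code

# Constructed baseline: methods each principal used in the last 30 days,
# caller IPs seen before, and the historical ratios quoted in the findings.
SA = "svc-storage-reader@example-proj.iam.gserviceaccount.com"  # constructed
BASELINE = {
    "methods": {SA: {"storage.objects.get"}},
    "known_ips": {"10.0.0.5"},       # constructed
    "iam_change_ratio": 0.004,       # 0.4% of audit events
    "denied_ratio": 0.021,           # 2.1% of API responses
}

def entry(method, principal, ip, status=0):
    """One audit entry, flattened from protoPayload.* (constructed sample)."""
    return {"methodName": method, "principal": principal, "callerIp": ip, "status": status}

# Constructed query window: normal reads, then IAM changes and denied
# Secret Manager reads from an IP never seen before.
WINDOW = (
    [entry("storage.objects.get", SA, "10.0.0.5")] * 4
    + [entry("google.iam.v1.IAMPolicy.SetIamPolicy", SA, "198.51.100.23")] * 3
    + [entry("google.cloud.secretmanager.v1.SecretManagerService.AccessSecretVersion",
             SA, "198.51.100.23", PERMISSION_DENIED)] * 3
)

def is_iam_change(e):
    # Resource Manager / IAM use *.SetIamPolicy; GCS bucket IAM uses storage.setIamPermissions
    return e["methodName"].endswith("SetIamPolicy") or e["methodName"] == "storage.setIamPermissions"

def analyze(entries, baseline, spike_factor=10):
    """Return (signal, detail) tuples where the window deviates from baseline."""
    findings, n = [], len(entries)
    iam_ratio = sum(is_iam_change(e) for e in entries) / n
    if iam_ratio > baseline["iam_change_ratio"] * spike_factor:
        findings.append(("iam_policy_spike", round(iam_ratio, 3)))
    denied_ratio = sum(e["status"] == PERMISSION_DENIED for e in entries) / n
    if denied_ratio > baseline["denied_ratio"] * spike_factor:
        findings.append(("permission_denied_spike", round(denied_ratio, 3)))
    for ip in sorted({e["callerIp"] for e in entries} - baseline["known_ips"]):
        findings.append(("new_caller_ip", ip))
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["methodName"])
    for principal, methods in by_principal.items():
        novel = methods - baseline["methods"].get(principal, set())
        if novel:  # methods this principal has not called in the baseline period
            findings.append(("novel_methods", (principal, sorted(novel))))
    return findings

if __name__ == "__main__":
    for signal, detail in analyze(WINDOW, BASELINE):
        print(signal, detail)
```

The spike factor is a constructed threshold; in practice it would be tuned per signal against the same 30-day baseline the findings reference.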