Understanding How "suspicious_login" Finding Works Internally in SCC

Hello Google Cloud Community,

I am a master’s student in cybersecurity currently working on my thesis within an organization. As part of my research, I am developing an automated response mechanism for security events detected in Google Cloud Security Command Center (SCC).

One of the key detections I need to handle is the “suspicious_login” finding. However, to design an effective automated response, I need a deeper understanding of how this detection works internally. I have not been able to find any official documentation explaining the internal mechanics of this finding. Specifically, I would like to know:

  • What criteria or heuristics does SCC use to classify a login as suspicious?
  • Does it rely on predefined risk signals (e.g., third-party app logins, unusual device fingerprints)?

Any official documentation, technical insights, or community experiences related to this would be greatly appreciated.

Thank you in advance for your help!

Best regards,
Adrian