As a person on GCNotify support, I want to be informed when users have multiple successful and simultaneous logins, so that I can detect shared inboxes better and earlier, as well as potentially compromised accounts.
WHY are we building?
To better detect shared inboxes and compromised accounts.
WHAT are we building?
An alarm or another means of raising suspicious activity: simultaneous logins on one account, which can occur within a short span of time and/or from entirely different locations.
VALUE created by our solution
Closer monitoring of a potential security threat.
Acceptance Criteria
[ ] An alarm or notification is sent to the ops lead/IC and support on suspicious login activities around a potential shared or compromised account.
QA Steps
[ ] Test it with support on use cases (suspicious login activities) that should trigger the notification.
Additional Info
This task might not work as-is; if it does not, what more would we need to make it work? Iterate on it if that's the case.
It might also require some fine-tuning of the threshold at which we raise an alarm, or of the way we raise a notification. Raising a CloudWatch alarm might be too noisy and invasive in the #notification-ops channel, for example. Maybe we would prefer some other way?
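The detection the story describes, written out as an added example (not GCNotify code and not taken from this issue): a per-user sliding window over successful login records that raises an alert when at least N logins from at least K distinct source addresses land within a short span. The field names, the thresholds (window, minimum logins, minimum distinct IPs) and the cooldown that suppresses repeat alerts for the same burst are all assumptions, chosen to give the tuning knobs mentioned under Additional Info; the login records are constructed sample data, and the coarse location label is assumed to come from an IP lookup that happens before the records reach the detector. It goes slightly beyond the issue text by reporting both distinct addresses and distinct locations in the alert so the ops lead / IC has triage context.

```python
"""Detect multiple successful logins for one account in a short window.

Added example, not GCNotify code. It assumes login audit records with the
fields below (constructed sample data); real records would come from the
application's login events or from CloudWatch logs.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    user: str            # account email (constructed values below)
    at: datetime         # time of the successful login, UTC
    ip: str              # source address of the login
    location: str        # coarse geo label, assumed to come from an IP lookup


# Tuning knobs; the values are assumptions, not project settings.
WINDOW = timedelta(minutes=10)   # logins within this span count as simultaneous
MIN_LOGINS = 3                   # at least this many successful logins in the window...
MIN_DISTINCT_IPS = 2             # ...from at least this many distinct source addresses
COOLDOWN = timedelta(hours=1)    # do not re-alert for the same user within this span


def detect_simultaneous_logins(events):
    """Return one alert per (user, burst) where the thresholds are exceeded.

    Events are processed in time order with a per-user sliding window, so the
    same function works over a stream. Each alert carries the count, the
    distinct IPs and the distinct locations seen in the window.
    """
    recent = defaultdict(deque)      # user -> successful logins inside WINDOW
    last_alert = {}                  # user -> time of the last alert raised
    alerts = []
    for ev in sorted(events, key=lambda e: e.at):
        window = recent[ev.user]
        window.append(ev)
        # drop logins that have fallen out of the window
        while window and ev.at - window[0].at > WINDOW:
            window.popleft()
        ips = {e.ip for e in window}
        if len(window) < MIN_LOGINS or len(ips) < MIN_DISTINCT_IPS:
            continue
        # suppress repeated alerts for the same burst to keep the channel quiet
        prev = last_alert.get(ev.user)
        if prev is not None and ev.at - prev < COOLDOWN:
            continue
        last_alert[ev.user] = ev.at
        alerts.append({
            "user": ev.user,
            "first_login": window[0].at,
            "last_login": ev.at,
            "logins": len(window),
            "ips": sorted(ips),
            "locations": sorted({e.location for e in window}),
        })
    return alerts


def _t(minute):
    """Helper for the constructed sample: a time on one fixed morning, UTC."""
    return datetime(2024, 1, 1, 9, minute, tzinfo=timezone.utc)


# Constructed sample records (addresses are documentation ranges).
SAMPLE_EVENTS = [
    # shared inbox: three people log in within minutes from different networks
    LoginEvent("shared.inbox@example.gc.ca", _t(0), "198.51.100.10", "Ottawa"),
    LoginEvent("shared.inbox@example.gc.ca", _t(2), "203.0.113.7", "Toronto"),
    LoginEvent("shared.inbox@example.gc.ca", _t(5), "192.0.2.44", "Vancouver"),
    LoginEvent("shared.inbox@example.gc.ca", _t(7), "198.51.100.10", "Ottawa"),  # same burst, cooldown suppresses it
    # normal user: several logins, all from one address (e.g. re-login after a timeout)
    LoginEvent("solo.user@example.gc.ca", _t(1), "198.51.100.20", "Ottawa"),
    LoginEvent("solo.user@example.gc.ca", _t(3), "198.51.100.20", "Ottawa"),
    LoginEvent("solo.user@example.gc.ca", _t(6), "198.51.100.20", "Ottawa"),
    # another user: two logins from two networks spread out in time, below threshold
    LoginEvent("traveller@example.gc.ca", _t(0), "203.0.113.9", "Montreal"),
    LoginEvent("traveller@example.gc.ca", _t(50), "192.0.2.80", "Quebec City"),
]


if __name__ == "__main__":
    for alert in detect_simultaneous_logins(SAMPLE_EVENTS):
        print(alert)
```

On the sample above only the shared inbox produces an alert; the single-address re-logins and the two logins an hour apart stay quiet. The cooldown is what keeps a long-lived shared inbox from paging the channel on every login once it has already been flagged, which is the noise concern raised under Additional Info; wiring the returned alert into a CloudWatch alarm, a Slack post or a ticket is the part the story leaves open.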
Related incident
https://docs.google.com/document/d/1_3Egk7ljIF5lH4z9RXLxElHn14G9LfuZ7z-hHwCsHZI/edit