Rare GCP Audit Failure Event Code
A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2025/10/06"
3integration = ["gcp"]
4maturity = "production"
5min_stack_comments = "New job added"
6min_stack_version = "9.3.0"
7updated_date = "2025/11/21"
8
9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or
14successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
15"""
16false_positives = [
17 """
18 Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
19 also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
20 automation scripts or workflows, or changes to IAM privileges.
21 """,
22]
23from = "now-2h"
24interval = "15m"
25license = "Elastic License v2"
26machine_learning_job_id = "gcp_audit_rare_error_code"
27name = "Rare GCP Audit Failure Event Code"
28setup = """## Setup
29
30This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
31
32### Anomaly Detection Setup
33
34Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
35
36### GCP Audit logs Integration Setup
37The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
38
39#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
40- Go to the Kibana home page and click “Add integrations”.
41- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
42- Click “Add Google Cloud Platform (GCP) Audit logs".
43- Configure the integration.
44- Click “Save and Continue”.
45- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
46"""
47references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
48risk_score = 21
49rule_id = "5378a829-30c2-435a-a0f2-e3d794bd6f80"
50severity = "low"
51tags = [
52 "Domain: Cloud",
53 "Data Source: GCP",
54 "Data Source: GCP Audit Logs",
55 "Data Source: Google Cloud Platform",
56 "Rule Type: ML",
57 "Rule Type: Machine Learning",
58 "Resources: Investigation Guide",
59]
60type = "machine_learning"
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64
65[rule.threat.tactic]
66id = "TA0007"
67name = "Discovery"
68reference = "https://attack.mitre.org/tactics/TA0007/"
69
70[[rule.threat.technique]]
71id = "T1526"
72name = "Cloud Service Discovery"
73reference = "https://attack.mitre.org/techniques/T1526/"
74
75[[rule.threat.technique]]
76id = "T1580"
77name = "Cloud Infrastructure Discovery"
78reference = "https://attack.mitre.org/techniques/T1580/"
79
80[[rule.threat]]
81framework = "MITRE ATT&CK"
82
83[rule.threat.tactic]
84id = "TA0004"
85name = "Privilege Escalation"
86reference = "https://attack.mitre.org/tactics/TA0004/"
87
88[[rule.threat]]
89framework = "MITRE ATT&CK"
90
91[rule.threat.tactic]
92id = "TA0005"
93name = "Defense Evasion"
94reference = "https://attack.mitre.org/tactics/TA0005/"
95
96[[rule.threat]]
97framework = "MITRE ATT&CK"
98
99[rule.threat.tactic]
100id = "TA0008"
101name = "Lateral Movement"
102reference = "https://attack.mitre.org/tactics/TA0008/"
103
104[[rule.threat]]
105framework = "MITRE ATT&CK"
106
107[rule.threat.tactic]
108id = "TA0003"
109name = "Persistence"
110reference = "https://attack.mitre.org/tactics/TA0003/"
111
112[[rule.threat]]
113framework = "MITRE ATT&CK"
114
115[rule.threat.tactic]
116id = "TA0009"
117name = "Collection"
118reference = "https://attack.mitre.org/tactics/TA0009/"
References
-
These anomaly detection jobs automatically detect file system and network anomalies on your hosts. They appear in the Anomaly Detection interface of the...
Read More
Related rules
- Spike in GCP Audit Failed Messages
- Unusual City For a GCP Event
- Unusual Country For a GCP Event
- Unusual GCP Event for a User
- GCP Firewall Rule Creation