Unusual City For a GCP Event

 1[metadata]
 2creation_date = "2025/10/06"
 3integration = ["gcp"]
 4maturity = "production"
 5min_stack_comments = "New job added"
 6min_stack_version = "9.3.0"
 7updated_date = "2025/11/21"
 8
 9[rule]
10anomaly_threshold = 50
11author = ["Elastic"]
12description = """
13A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from
14a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
15used by a threat actor in a different geography than the authorized user(s).
16"""
17false_positives = [
18    """
19    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
20    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
21    adoption of work from home policies; or users who travel frequently.
22    """,
23]
24from = "now-2h"
25interval = "15m"
26license = "Elastic License v2"
27machine_learning_job_id = "gcp_audit_rare_method_for_a_city"
28name = "Unusual City For a GCP Event"
29setup = """## Setup
30
31This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
32
33### Anomaly Detection Setup
34
35Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
36
37### GCP Audit logs Integration Setup
38The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
39
40#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
41- Go to the Kibana home page and click “Add integrations”.
42- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
43- Click “Add Google Cloud Platform (GCP) Audit logs".
44- Configure the integration.
45- Click “Save and Continue”.
46- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
47"""
48references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
49risk_score = 21
50rule_id = "f20d1782-e783-4ed0-a0c4-946899a98a7c"
51severity = "low"
52tags = [
53    "Domain: Cloud",
54    "Data Source: GCP",
55    "Data Source: GCP Audit Logs",
56    "Data Source: Google Cloud Platform",
57    "Rule Type: ML",
58    "Rule Type: Machine Learning",
59    "Resources: Investigation Guide",
60]
61type = "machine_learning"
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65
66[rule.threat.tactic]
67id = "TA0001"
68name = "Initial Access"
69reference = "https://attack.mitre.org/tactics/TA0001/"
70
71[[rule.threat.technique]]
72id = "T1078"
73name = "Valid Accounts"
74reference = "https://attack.mitre.org/techniques/T1078/"
75
76[[rule.threat.technique.subtechnique]]
77id = "T1078.004"
78name = "Cloud Accounts"
79reference = "https://attack.mitre.org/techniques/T1078/004/"