Unusual GCP Event for a User

A machine learning job detected a GCP audit event that, while not inherently suspicious or abnormal, was made by a user context that does not normally use that event action. This can be the result of compromised credentials or keys, as someone uses a valid account to persist, move laterally, or exfiltrate data.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/10/06"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New job added"
min_stack_version = "9.4.0"
updated_date = "2026/04/01"

[rule]
anomaly_threshold = 75
author = ["Elastic"]
description = """
A machine learning job detected a GCP audit event that, while not inherently suspicious or abnormal, was made by a
user context that does not normally use that event action. This can be the result of compromised credentials or keys, as
someone uses a valid account to persist, move laterally, or exfiltrate data.
"""
false_positives = [
    """
    New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud
    automation scripts or workflows; adoption of new services; or changes in the way services are used.
    """,
]
from = "now-2h"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "gcp_audit_rare_method_for_a_user_email_ea"
name = "Unusual GCP Event for a User"
setup = """## Setup

This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.

### Anomaly Detection Setup

Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).

### GCP Audit logs Integration Setup
The Google Cloud Platform (GCP) Audit logs integration collects Cloud Audit Logs from Google Cloud Platform (GCP) with Elastic Agent.

#### To add the "Google Cloud Platform (GCP) Audit logs" integration to Elastic Agent:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Google Cloud Platform (GCP) Audit logs" and select the integration to see more details about it.
- Click "Add Google Cloud Platform (GCP) Audit logs".
- Configure the integration.
- Click Save and Continue.
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "2e08f34c-691c-497e-87de-5d794a1b2a53"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: GCP",
    "Data Source: GCP Audit Logs",
    "Data Source: Google Cloud Platform",
    "Rule Type: ML",
    "Rule Type: Machine Learning",
    "Resources: Investigation Guide",
]
type = "machine_learning"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1021"
name = "Remote Services"
reference = "https://attack.mitre.org/techniques/T1021/"

[[rule.threat.technique.subtechnique]]
id = "T1021.007"
name = "Cloud Services"
reference = "https://attack.mitre.org/techniques/T1021/007/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1041"
name = "Exfiltration Over C2 Channel"
reference = "https://attack.mitre.org/techniques/T1041/"

[rule.threat.tactic]
id = "TA0010"
name = "Exfiltration"
reference = "https://attack.mitre.org/tactics/TA0010/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
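The rule describes its detection only in prose: an audit method that is ordinary in the organisation but new for the principal calling it. The script below is an added example, not Elastic's ML job (the `gcp_audit_rare_method_for_a_user_email_ea` job is an unsupervised anomaly detector that scores events 0 to 100 against `anomaly_threshold = 75`); it implements the same idea deterministically so the behaviour is easy to reason about. It parses raw Cloud Audit Logs `LogEntry` JSON, learns which `protoPayload.methodName` values each `principalEmail` has called over a baseline window, and flags a method the principal has never used, skipping principals with too little history. The `MIN_BASELINE_EVENTS` floor and all log entries are constructed assumptions for the example.

```python
import json
from collections import Counter, defaultdict

# Assumed tuning value: principals with fewer baseline events are not scored. Without
# history "new method" is meaningless (cold start); the ML job likewise needs to learn
# normal traffic before its anomaly scores mean anything.
MIN_BASELINE_EVENTS = 5


def parse_entry(line: str) -> dict:
    """Pull the fields the detection keys on out of one Cloud Audit Logs LogEntry (JSON)."""
    entry = json.loads(line)
    payload = entry.get("protoPayload", {})
    return {
        "timestamp": entry.get("timestamp"),
        "principal": payload.get("authenticationInfo", {}).get("principalEmail", "<unauthenticated>"),
        "service": payload.get("serviceName"),
        "method": payload.get("methodName"),
        "caller_ip": payload.get("requestMetadata", {}).get("callerIp"),
    }


class MethodBaseline:
    """Which methods each principal has been seen calling, and how often."""

    def __init__(self):
        self.per_principal = defaultdict(Counter)  # principal -> Counter of method names
        self.global_methods = Counter()            # method -> count across all principals

    def learn(self, events) -> None:
        for ev in events:
            self.per_principal[ev["principal"]][ev["method"]] += 1
            self.global_methods[ev["method"]] += 1

    def evaluate(self, ev: dict):
        """Return an alert dict if `ev` uses a method new to its principal, else None."""
        history = self.per_principal.get(ev["principal"])
        if history is None or sum(history.values()) < MIN_BASELINE_EVENTS:
            return None  # cold start: not enough history to call anything unusual
        if history[ev["method"]] > 0:
            return None  # this principal has done this before; normal for them
        return {
            **ev,
            # Triage context: what this caller usually does, and whether the method is
            # routine for other principals. A method common in the org but new for this
            # caller is the "valid account, unusual use" pattern the rule describes.
            "usual_methods": [m for m, _ in history.most_common(3)],
            "seen_from_other_principals": self.global_methods[ev["method"]],
        }


def _entry(ts, principal, service, method, ip) -> str:
    """Build one constructed Cloud Audit Logs entry as a JSON line."""
    return json.dumps({"timestamp": ts, "protoPayload": {
        "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
        "serviceName": service, "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip}}})


# Constructed baseline: five days of routine activity for a developer and a CI service account.
BASELINE_LINES = (
    [_entry(f"2025-10-0{d}T09:00:00Z", "dev@example.com", "compute.googleapis.com",
            "v1.compute.instances.list", "203.0.113.10") for d in range(1, 6)]
    + [_entry(f"2025-10-0{d}T10:00:00Z", "dev@example.com", "storage.googleapis.com",
              "storage.objects.get", "203.0.113.10") for d in range(1, 6)]
    + [_entry(f"2025-10-0{d}T03:00:00Z", "ci-bot@example.iam.gserviceaccount.com",
              "iam.googleapis.com", "google.iam.admin.v1.CreateServiceAccountKey",
              "198.51.100.7") for d in range(1, 6)]
)

# Constructed detection window (the rule's `from = "now-2h"`).
WINDOW_LINES = [
    # Routine for dev@: no alert.
    _entry("2025-10-06T09:05:00Z", "dev@example.com", "compute.googleapis.com",
           "v1.compute.instances.list", "203.0.113.10"),
    # dev@ minting a service-account key from a new IP: routine for ci-bot, new for this
    # user, so it is flagged.
    _entry("2025-10-06T09:07:00Z", "dev@example.com", "iam.googleapis.com",
           "google.iam.admin.v1.CreateServiceAccountKey", "192.0.2.44"),
    # A principal with no history is skipped rather than alerted on (cold start).
    _entry("2025-10-06T09:08:00Z", "intern@example.com", "storage.googleapis.com",
           "storage.objects.get", "203.0.113.11"),
]


def run(baseline_lines, window_lines) -> list:
    """Learn from the baseline window, then evaluate each event in the detection window."""
    baseline = MethodBaseline()
    baseline.learn(parse_entry(line) for line in baseline_lines)
    return [a for a in (baseline.evaluate(parse_entry(line)) for line in window_lines) if a]


if __name__ == "__main__":
    for alert in run(BASELINE_LINES, WINDOW_LINES):
        print(json.dumps(alert, indent=2))
```

Two design points carry over to triaging the real rule. First, the alert keeps the caller IP, the principal's usual methods and how common the method is for other principals: the false-positive causes listed in the rule (troubleshooting, changed automation, a newly adopted service) are distinguished from a stolen credential mostly by that context, not by the event itself. Second, the toy is binary where the ML job is probabilistic; with `from = "now-2h"` and `interval = "15m"` each run re-scores an overlapping two-hour window, so an event that scores just under 75 in one run can cross the threshold in the next as the model updates.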
