Unusual GCP Event for a User

Last updated: 2025-11-21
Created: 2025-10-06

About

A machine learning job detected a GCP audit event that, while not inherently suspicious or abnormal, was performed by a user context that does not normally use that event action. This can be the result of compromised credentials or keys, where an attacker uses a valid account to persist, move laterally, or exfiltrate data.
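As an added illustration of the idea behind this rule (not Elastic's code: the prebuilt rule relies on a Kibana anomaly-detection job whose model is not shown on this page), the following Python flags an audit action that a principal has little or no history of performing. The sample events are constructed, the ECS-style field names (event.action from the audit methodName, user.email from the principal) are an assumption about how the gcp integration maps the log, and the thresholds are arbitrary.

```python
"""Toy "rare action for this user" detector over GCP audit events.

Added illustration, not Elastic's ML job. It reproduces the rule's idea
(flag an action a principal does not normally perform) with a plain
frequency baseline so the logic is inspectable.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


# Assumption: fields follow the ECS layout the gcp audit integration emits
# (event.action from protoPayload.methodName, user.email from
# protoPayload.authenticationInfo.principalEmail).
@dataclass(frozen=True)
class AuditEvent:
    user: str    # user.email
    action: str  # event.action


def build_baseline(events):
    """Per-user action counts, plus which users have ever used each action."""
    per_user = defaultdict(Counter)
    users_per_action = defaultdict(set)
    for e in events:
        per_user[e.user][e.action] += 1
        users_per_action[e.action].add(e.user)
    return per_user, users_per_action


def score_event(e, per_user, users_per_action, min_history=20, max_share=0.02):
    """Return (is_unusual, reason) for one new event.

    An event is unusual when the principal has enough history to judge
    (at least min_history prior events) and this action makes up at most
    max_share of that history. Principals with thin history are skipped
    rather than flagged; that is the main false-positive control for new
    users, new automation and newly adopted services.
    """
    hist = per_user.get(e.user)
    total = sum(hist.values()) if hist else 0
    if total < min_history:
        return False, f"insufficient history ({total} events)"
    seen = hist[e.action]          # Counter returns 0 for unseen actions
    if seen / total > max_share:
        return False, f"action is routine for user ({seen}/{total})"
    others = users_per_action.get(e.action, set()) - {e.user}
    return True, (f"{e.user} performed {e.action} {seen}/{total} times before; "
                  f"{len(others)} other principal(s) use it")


def constructed_baseline():
    """Constructed sample history (not real log data)."""
    key_create = "google.iam.admin.v1.CreateServiceAccountKey"
    events = []
    events += [AuditEvent("alice@example.com", "storage.objects.get")] * 30
    events += [AuditEvent("alice@example.com", "storage.objects.list")] * 5
    events += [AuditEvent("bob@example.com", "compute.instances.list")] * 25
    events += [AuditEvent("bob@example.com", key_create)] * 3
    events += [AuditEvent("carol@example.com", "storage.objects.get")] * 2
    return events


def run_demo():
    """Score four constructed new events against the baseline."""
    key_create = "google.iam.admin.v1.CreateServiceAccountKey"
    per_user, users_per_action = build_baseline(constructed_baseline())
    new_events = [
        AuditEvent("alice@example.com", key_create),   # never did this: unusual
        AuditEvent("bob@example.com", key_create),     # part of bob's routine
        AuditEvent("carol@example.com", key_create),   # too little history
        AuditEvent("alice@example.com", "storage.objects.get"),  # routine
    ]
    results = []
    for e in new_events:
        flagged, reason = score_event(e, per_user, users_per_action)
        results.append((e.user, e.action, flagged, reason))
    return results


if __name__ == "__main__":
    for user, action, flagged, reason in run_demo():
        print("ALERT " if flagged else "      ", user, action, "-", reason)
```

The point of the `min_history` guard is the caveat the rule's false-positive list makes: a principal that is new, or that a changed automation workflow has just started using, has no baseline yet, and the honest answer is "cannot judge", not "anomalous". A real anomaly-detection job learns that baseline over its bucket span instead of using a fixed count, but the triage question is the same: has this principal performed this action before, and who else in the project does?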
Tags
Domain: Cloud
Data Source: GCP
Data Source: GCP Audit Logs
Data Source: Google Cloud Platform
Rule Type: ML
Rule Type: Machine Learning
Severity
low
Risk Score
21
MITRE ATT&CK™

Initial Access (TA0001)

Lateral Movement (TA0008)

Persistence (TA0003)

Exfiltration (TA0010)

False Positive Examples
New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; or changes in the way services are used.
License
Elastic License v2

Definition

Rule Type
Machine Learning
Integration Pack
Prebuilt Security Detection Rules
Related Integrations

gcp

Query

None: this is a machine learning rule, so detections come from the anomaly-detection job rather than from a query.
Install detection rules in Elastic Security

Detect Unusual GCP Event for a User in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.