Rare GCP Audit Failure Event Code

Last updated 14 days ago on 2025-11-21

Created 2 months ago on 2025-10-06

About

A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.

Tags

Domain: CloudData Source: GCPData Source: GCP Audit LogsData Source: Google Cloud PlatformRule Type: MLRule Type: Machine Learning

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Cloud Service Discovery (T1526)(opens in a new tab or window)

↳ Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

Defense Evasion (TA0005)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

Persistence (TA0003)(opens in a new tab or window)

Collection (TA0009)(opens in a new tab or window)

False Positive Examples

Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to IAM privileges.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Machine Learning
Integration Pack: Prebuilt Security Detection Rules
Related Integrations: gcp(opens in a new tab or window)
Query

Install detection rules in Elastic Security

Detect Rare GCP Audit Failure Event Code in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).