Spike in GCP Audit Failed Messages

Last updated 14 days ago on 2025-11-21

Created 2 months ago on 2025-10-06

About

A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.

Tags

Domain: CloudData Source: GCPData Source: GCP Audit LogsData Source: Google Cloud PlatformRule Type: MLRule Type: Machine Learning

Severity

low

Risk Score

MITRE ATT&CK™

Discovery (TA0007)(opens in a new tab or window)

↳ Cloud Service Discovery (T1526)(opens in a new tab or window)

↳ Cloud Infrastructure Discovery (T1580)(opens in a new tab or window)

Privilege Escalation (TA0004)(opens in a new tab or window)

Lateral Movement (TA0008)(opens in a new tab or window)

False Positive Examples

Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM privileges.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Machine Learning
Integration Pack: Prebuilt Security Detection Rules
Related Integrations: gcp(opens in a new tab or window)
Query

Install detection rules in Elastic Security

Detect Spike in GCP Audit Failed Messages in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).