Unusual Country For a GCP Event

Last updated 14 days ago on 2025-11-21

Created 2 months ago on 2025-10-06

About

A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being used by a threat actor in a different geography than the authorized user(s).

Tags

Domain: CloudData Source: GCPData Source: GCP Audit LogsData Source: Google Cloud PlatformRule Type: MLRule Type: Machine Learning

Severity

low

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

False Positive Examples

New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration; changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased adoption of work from home policies; or users who travel frequently.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Machine Learning
Integration Pack: Prebuilt Security Detection Rules
Related Integrations: gcp(opens in a new tab or window)
Query

Install detection rules in Elastic Security

Detect Unusual Country For a GCP Event in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).