From 0f835349b29eec7aabfd3b3f4973235a4febcb08 Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Mon, 6 Oct 2025 15:35:59 -0500
Subject: [PATCH 1/4] rules for Azure/GCP jobs
---
 .../azure/ml_azure_event_failures.toml | 57 ++++++++++++++++++
 .../azure/ml_azure_rare_event_failures.toml | 57 ++++++++++++++++++
 .../azure/ml_azure_rare_method_by_city.toml | 58 ++++++++++++++++++
 .../ml_azure_rare_method_by_country.toml | 57 ++++++++++++++++++
 .../azure/ml_azure_rare_method_by_user.toml | 57 ++++++++++++++++++
 .../gcp/ml_gcp_error_message_spike.toml | 58 ++++++++++++++++++
 .../gcp/ml_gcp_rare_error_code.toml | 58 ++++++++++++++++++
 .../gcp/ml_gcp_rare_method_by_city.toml | 59 +++++++++++++++++++
 .../gcp/ml_gcp_rare_method_by_country.toml | 59 +++++++++++++++++++
 .../gcp/ml_gcp_rare_method_by_user.toml | 58 ++++++++++++++++++
 10 files changed, 578 insertions(+)
 create mode 100644 rules/integrations/azure/ml_azure_event_failures.toml
 create mode 100644 rules/integrations/azure/ml_azure_rare_event_failures.toml
 create mode 100644 rules/integrations/azure/ml_azure_rare_method_by_city.toml
 create mode 100644 rules/integrations/azure/ml_azure_rare_method_by_country.toml
 create mode 100644 rules/integrations/azure/ml_azure_rare_method_by_user.toml
 create mode 100644 rules/integrations/gcp/ml_gcp_error_message_spike.toml
 create mode 100644 rules/integrations/gcp/ml_gcp_rare_error_code.toml
 create mode 100644 rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
 create mode 100644 rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
 create mode 100644 rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
new file mode 100644
index 00000000000..1bfedfd27cb
--- /dev/null
+++ b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a significant spike in the rate of a particular failure in the Azure Activity Logs messages. Spikes
+in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
+"""
+false_positives = [
+ """
+ Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
+ automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
+ privileges.
+ """,
+]
+from = "now-60m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_high_distinct_count_event_action_on_failure"
+name = "Spike in Azure Activity Logs Failed Messages"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "1eb74889-18c5-4f78-8010-d8aceb7a9ef4"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
new file mode 100644
index 00000000000..b5d55b57624
--- /dev/null
+++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml
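Review bot: The `name` and `description` in this hunk describe "a significant spike in the rate of a particular failure", but `machine_learning_job_id = "azure_activitylogs_high_distinct_count_event_action_on_failure"` names a high-distinct-count detector, which — if the job id reflects its configuration — fires when an unusually large number of different event actions fail, not when one failure becomes frequent. An analyst triaging the alert will look for the wrong signal, so either the job id or the wording should change; for the wording, something like `A machine learning job detected an unusually high number of distinct failed event actions in Azure Activity Logs messages.` matches the job id. The same mismatch applies to the GCP counterpart in ml_gcp_error_message_spike.toml, whose job id is `gcp_audit_high_distinct_count_error_message`.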
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or
+successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
+"""
+false_positives = [
+ """
+ Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
+ also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
+ automation scripts or workflows, or changes to IAM privileges.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_on_failure"
+name = "Rare Azure Activity Logs Event Failures"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "c17ffbf9-595a-4c0b-a126-aacedb6dd179"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
new file mode 100644
index 00000000000..db058d18913
--- /dev/null
+++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+ """
+ New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+ changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+ adoption of work from home policies; or users who travel frequently.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_city"
+name = "Unusual City for an Azure Activity Logs Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "ce08cdb8-e6cb-46bb-a7cc-16d17547323f"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
new file mode 100644
index 00000000000..c6c4b66ea42
--- /dev/null
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
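Review bot: The `setup` section in this hunk never states that the job needs geolocation fields on the events, even though the `description` says the detection is keyed on the source city; presumably the job models a geo city field populated by the integration's GeoIP enrichment (confirm against the job definition), and if that enrichment is missing the job will most likely produce no anomalies rather than an error, so the operator gets a silent rule instead of the failure the "Definition" panel text warns about. A one-line addition under "### Azure Activity Logs Integration Setup", e.g. `This job relies on geolocation (GeoIP) enrichment of the Azure Activity Logs events; verify the source geo fields are populated before enabling the rule.`, would make that dependency visible. The same gap applies to ml_azure_rare_method_by_country.toml and to the GCP city and country rules in this patch.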
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+ """
+ New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+ changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+ adoption of work from home policies; or users who travel frequently.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_country"
+name = "Unusual Country for an Azure Activity Logs Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "76de17b9-af25-49a0-9378-02888b6bb3a2"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+]
+type = "machine_learning"
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
new file mode 100644
index 00000000000..180211cbb6d
--- /dev/null
+++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+user context that does not normally use the event action. This can be the result of compromised credentials or keys as
+someone uses a valid account to persist, move laterally, or exfiltrate data.
+"""
+false_positives = [
+ """
+ New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud
+ automation scripts or workflows; adoption of new services; or changes in the way services are used.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_username"
+name = "Unusual Azure Activity Logs Event for a User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "81892f44-4946-4b27-95d3-1d8929b114a7"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: Azure",
+ "Data Source: Azure Activity Logs",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
new file mode 100644
index 00000000000..b83d1617ec5
--- /dev/null
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes
+in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
+"""
+false_positives = [
+ """
+ Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
+ automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
+ privileges.
+ """,
+]
+from = "now-60m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_high_distinct_count_error_message"
+name = "Spike in GCP Audit Failed Messages"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP Audit.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
new file mode 100644
index 00000000000..5d550a35f6d
--- /dev/null
+++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
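Review bot: The `tags` array in this hunk carries `"Resources: Investigation Guide"`, but the rule has no `note` field, so the tag advertises a triage guide that does not exist; either drop the tag or add a `note` with the investigation guide it promises. The five Azure rules in the same patch omit the tag, which suggests it was carried over from another GCP rule rather than added deliberately. The same tag without a `note` appears in ml_gcp_rare_error_code.toml, ml_gcp_rare_method_by_city.toml, ml_gcp_rare_method_by_country.toml and ml_gcp_rare_method_by_user.toml. Separately, `- Click “Add Google Cloud Platform (GCP) Audit logs".` opens with a curly quote and closes with a straight one (the Azure files use matching curly quotes), and the GCP helper-guide link uses the `/docs/current/integrations/gcp` path while the Azure files use `/docs/reference/integrations/...`, so both URLs are worth confirming before merge.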
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or
+successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
+"""
+false_positives = [
+ """
+ Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
+ also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
+ automation scripts or workflows, or changes to IAM privileges.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_error_code"
+name = "Rare GCP Audit Failure Event Code"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "5378a829-30c2-435a-a0f2-e3d794bd6f80"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
new file mode 100644
index 00000000000..7f05ee62a5a
--- /dev/null
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+ """
+ New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+ changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+ adoption of work from home policies; or users who travel frequently.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_city"
+name = "Unusual City For a GCP Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "f20d1782-e783-4ed0-a0c4-946899a98a7c"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
new file mode 100644
index 00000000000..e65b6336502
--- /dev/null
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected GCP Audit event activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+ """
+ New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+ changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+ adoption of work from home policies; or users who travel frequently.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_country"
+name = "Unusual Country For a GCP Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "dcbd07f8-bd6e-4bb4-ac5d-cec1927ea88f"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
new file mode 100644
index 00000000000..b04fd627c55
--- /dev/null
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected an GCP Audit event that, while not inherently suspicious or abnormal, is being made by a
+user context that does not normally use the event action. This can be the result of compromised credentials or keys as
+someone uses a valid account to persist, move laterally, or exfiltrate data.
+"""
+false_positives = [
+ """
+ New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud
+ automation scripts or workflows; adoption of new services; or changes in the way services are used.
+ """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_rare_method_for_a_client_user_email"
+name = "Unusual GCP Event for a User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "2e08f34c-691c-497e-87de-5d794a1b2a53"
+severity = "low"
+tags = [
+ "Domain: Cloud",
+ "Data Source: GCP",
+ "Data Source: Google Cloud Platform",
+ "Rule Type: ML",
+ "Rule Type: Machine Learning",
+ "Resources: Investigation Guide",
+]
+type = "machine_learning"
+
From bfe939329a89894fd150b2b40237298935e6ba16 Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Wed, 8 Oct 2025 09:53:23 -0500
Subject: [PATCH 2/4] Add GCP Audit Logs tag
---
 rules/integrations/gcp/ml_gcp_error_message_spike.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_error_code.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_city.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_country.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_user.toml | 1 +
 5 files changed, 5 insertions(+)
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
index b83d1617ec5..94747fc6ada 100644
--- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -49,6 +49,7 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: GCP",
+ "Data Source: GCP Audit Logs",
 "Data Source: Google Cloud Platform",
 "Rule Type: ML",
 "Rule Type: Machine Learning",
diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
index 5d550a35f6d..d1d8597d95e 100644
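Review bot: The `"Resources: Investigation Guide"` tag is set, yet the file has no `note` field, so the rule claims a triage guide it does not contain; add the guide or remove the tag so the metadata matches what an analyst will actually find on the alert. The first description line has a grammar slip and should read `A machine learning job detected a GCP Audit event that, while not inherently suspicious or abnormal, is being made by a`. "user context" is vague for someone who has to pivot on the alert; the job id `gcp_audit_rare_method_for_a_client_user_email` suggests the model splits on the calling principal's email, so the description could say so once confirmed against the job definition. The false_positives string also omits service accounts and newly onboarded users, a frequent benign reason for a principal to invoke a method for the first time; consider ending it with `; or new service accounts and newly onboarded users invoking a method for the first time.`.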
--- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
@@ -49,6 +49,7 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: GCP",
+ "Data Source: GCP Audit Logs",
 "Data Source: Google Cloud Platform",
 "Rule Type: ML",
 "Rule Type: Machine Learning",
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
index 7f05ee62a5a..917af886a08 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
@@ -50,6 +50,7 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: GCP",
+ "Data Source: GCP Audit Logs",
 "Data Source: Google Cloud Platform",
 "Rule Type: ML",
 "Rule Type: Machine Learning",
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
index e65b6336502..18eb05af962 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
@@ -50,6 +50,7 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: GCP",
+ "Data Source: GCP Audit Logs",
 "Data Source: Google Cloud Platform",
 "Rule Type: ML",
 "Rule Type: Machine Learning",
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
index b04fd627c55..acc38e0ef15 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -49,6 +49,7 @@ severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: GCP",
+ "Data Source: GCP Audit Logs",
 "Data Source: Google Cloud Platform",
 "Rule Type: ML",
 "Rule Type: Machine Learning",
From 9cab72008bb9f00da31a0f6afedff0f902d6ea58 Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Thu, 9 Oct 2025 09:33:36 -0500
Subject: [PATCH 3/4] add `min_stack_version`
---
 rules/integrations/azure/ml_azure_event_failures.toml | 1 +
 rules/integrations/azure/ml_azure_rare_event_failures.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_city.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_country.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_user.toml | 1 +
 rules/integrations/gcp/ml_gcp_error_message_spike.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_error_code.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_city.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_country.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_user.toml | 1 +
 10 files changed, 10 insertions(+)
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
index 1bfedfd27cb..a808e293a1d 100644
--- a/rules/integrations/azure/ml_azure_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
index b5d55b57624..b10308a3058 100644
--- a/rules/integrations/azure/ml_azure_rare_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
index db058d18913..b1527787aa1 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
index c6c4b66ea42..1cc0f9ec5df 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
index 180211cbb6d..04a0308577b 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
index 94747fc6ada..3ecc39d2a42 100644
--- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
index d1d8597d95e..12d934b33ee 100644
--- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
index 917af886a08..334ccc53d51 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
index 18eb05af962..d35ecb60c6d 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
index acc38e0ef15..41e4e312659 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
 [rule]
From dd4491def3580fff66e2b3ed3afb7547883de69d Mon Sep 17 00:00:00 2001
From: Gus Carlock <10844131+jmcarlock@users.noreply.github.com>
Date: Thu, 9 Oct 2025 13:13:17 -0500
Subject: [PATCH 4/4] add `min_stack_comments`
---
 rules/integrations/azure/ml_azure_event_failures.toml | 1 +
 rules/integrations/azure/ml_azure_rare_event_failures.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_city.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_country.toml | 1 +
 rules/integrations/azure/ml_azure_rare_method_by_user.toml | 1 +
 rules/integrations/gcp/ml_gcp_error_message_spike.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_error_code.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_city.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_country.toml | 1 +
 rules/integrations/gcp/ml_gcp_rare_method_by_user.toml | 1 +
 10 files changed, 10 insertions(+)
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
index a808e293a1d..54a63f006fb 100644
--- a/rules/integrations/azure/ml_azure_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
index b10308a3058..604f929dcb3 100644
--- a/rules/integrations/azure/ml_azure_rare_event_failures.toml
+++ b/rules/integrations/azure/ml_azure_rare_event_failures.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
index b1527787aa1..3e22f348379 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_city.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
index 1cc0f9ec5df..70e1b3650dd 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_country.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
index 04a0308577b..f8bc6cd8fb8 100644
--- a/rules/integrations/azure/ml_azure_rare_method_by_user.toml
+++ b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["azure"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
index 3ecc39d2a42..91aac69a050 100644
--- a/rules/integrations/gcp/ml_gcp_error_message_spike.toml
+++ b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/gcp/ml_gcp_rare_error_code.toml b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
index 12d934b33ee..6a652831d2b 100644
--- a/rules/integrations/gcp/ml_gcp_rare_error_code.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_error_code.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
index 334ccc53d51..c5ad310ecc7 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_city.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
index d35ecb60c6d..effc00f7bab 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_country.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 
diff --git a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
index 41e4e312659..1cc0855b740 100644
--- a/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
+++ b/rules/integrations/gcp/ml_gcp_rare_method_by_user.toml
@@ -2,6 +2,7 @@
 creation_date = "2025/10/06"
 integration = ["gcp"]
 maturity = "production"
+min_stack_comments = "New job added"
 min_stack_version = "9.3.0"
 updated_date = "2025/10/06"
 