Loading

Spike in GCP Audit Failed Messages

A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.

Rule type: machine_learning
Rule indices:

Rule Severity: low
Risk Score: 21
Runs every: 15m
Searches indices from: now-60m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Cloud
  • Data Source: GCP
  • Data Source: GCP Audit Logs
  • Data Source: Google Cloud Platform
  • Rule Type: ML
  • Rule Type: Machine Learning
  • Resources: Investigation Guide

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP Audit.

Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the helper guide.

The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.

  • Go to the Kibana home page and click “Add integrations”.
  • In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
  • Click “Add Google Cloud Platform (GCP) Audit logs".
  • Configure the integration.
  • Click “Save and Continue”.
  • For more details on the integration refer to the helper guide.

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK

Framework: MITRE ATT&CK