security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1ce072a4e58238d94deae33ff8de25458ac129d5
sigma-rules/rules/integrations/gcp/ml_gcp_error_message_spike.toml
T
Gus Carlock 03ce151b82 Add rules for Azure Activity Logs/GCP Audit ML jobs (#5191) 
* rules for Azure/GCP jobs

* Add GCP Audit Logs tag

* add `min_stack_version`

* add `min_stack_comments`

* Add mitre tactics

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: susan <shuhsuan.chang@elastic.co>
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>
2025-11-26 13:15:23 -05:00

96 lines
3.4 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2025/10/06"
integration = ["gcp"]
maturity = "production"
min_stack_comments = "New job added"
min_stack_version = "9.3.0"
updated_date = "2025/11/21"
[rule]
anomaly_threshold = 50
author = ["Elastic"]
description = """
A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes
in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
"""
false_positives = [
"""
Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
privileges.
""",
]
from = "now-60m"
interval = "15m"
license = "Elastic License v2"
machine_learning_job_id = "gcp_audit_high_distinct_count_error_message"
name = "Spike in GCP Audit Failed Messages"
setup = """## Setup
This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP Audit.
### Anomaly Detection Setup
Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
### GCP Audit logs Integration Setup
The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
- Go to the Kibana home page and click “Add integrations”.
- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
- Click “Add Google Cloud Platform (GCP) Audit logs".
- Configure the integration.
- Click Save and Continue.
- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
risk_score = 21
rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1"
severity = "low"
tags = [
"Domain: Cloud",
"Data Source: GCP",
"Data Source: GCP Audit Logs",
"Data Source: Google Cloud Platform",
"Rule Type: ML",
"Rule Type: Machine Learning",
"Resources: Investigation Guide",
]
type = "machine_learning"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat.technique]]
id = "T1526"
name = "Cloud Service Discovery"
reference = "https://attack.mitre.org/techniques/T1526/"
[[rule.threat.technique]]
id = "T1580"
name = "Cloud Infrastructure Discovery"
reference = "https://attack.mitre.org/techniques/T1580/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink