Techniques
Sample rules
Unusual GCP Event for a User
- source: elastic
- techniques:
  - T1021
  - T1041
  - T1078
Description
A machine learning job detected a GCP Audit event that, while not inherently suspicious or abnormal, is being made by a user context that does not normally use the event action. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.
Detection logic
Unusual Azure Activity Logs Event for a User
- source: elastic
- techniques:
  - T1021
  - T1041
  - T1078
Description
A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, originates from a user context that does not normally use the event action. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfiltrate data.
Detection logic