rare and unusual failures may indicate an impending service failure state. rare and unusual user failure activity can also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud automation scripts or workflows, or changes to iam privileges.

t1526
t1580
gcp
azure
elastic

Techniques

T1526
T1580

Sample rules

Rare GCP Audit Failure Event Code

source: elastic
technicques:
- T1526
- T1580

Description

A machine learning job detected an unusual failure in a GCP Audit message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.

Detection logic

Rare Azure Activity Logs Event Failures

source: elastic
technicques:
- T1526
- T1580

Description

A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.