Add documentation for Azure Activity Logs and GCP Audit prebuilt ML jobs (#3242)

jmcarlock · susan-shu-c · nastasha-solomon · web-flow · commit 36fcab368d3d · 2025-12-08T09:19:40.000-06:00
Related context * elastic/kibana#236849 --------- Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Nastasha Solomon <nastasha.solomon@elastic.co>
diff --git a/reference/machine-learning/ootb-ml-jobs-siem.md b/reference/machine-learning/ootb-ml-jobs-siem.md
@@ -37,6 +37,26 @@ By default, when you create these job in the {{security-app}}, it uses a {{data-
 | suspicious_login_activity | Detect unusually high number of authentication attempts. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/suspicious_login_activity.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_auth/ml/datafeed_suspicious_login_activity.json)| [System](https://www.elastic.co/docs/reference/integrations/system), [{{elastic-defend}}](https://www.elastic.co/docs/reference/integrations/endpoint), [Auditd Manager](https://www.elastic.co/docs/reference/integrations/auditd_manager)                                                          | windows, linux |
 
 
+## Security: Azure Activity Logs [security-azure-activitylogs]
+
+```yaml {applies_to}
+stack: ga 9.3
+serverless: ga
+```
+
+Detect suspicious activity recorded in your Azure Activity Logs.
+
+In the {{ml-app}} app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/manifest.json). In the {{security-app}}, it looks in the {{data-source}} specified in the [`securitySolution:defaultIndex` advanced setting](kibana://reference/advanced-settings.md#securitysolution-defaultindex) for data that matches the query.
+
+| Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
+| --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| azure_activitylogs_high_distinct_count_event_action_on_failure | Looks for a spike in the rate of an error message, which might indicate an impending service failure or potentially be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_high_distinct_count_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_on_failure | Looks for unusual Azure activity event actions on failure. Rare and unusual errors might simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_on_failure.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_on_failure.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_city | Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys.| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_city.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_country | Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_country.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+| azure_activitylogs_rare_event_action_for_a_username | Looks for Azure activity event actions that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/azure_activitylogs_rare_event_action_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_azure_activitylogs/ml/datafeed_azure_activitylogs_rare_event_action_for_a_username.json)| [Azure Activity Logs](https://www.elastic.co/docs/reference/integrations/azure/activitylogs) |
+
+
 ## Security: CloudTrail [security-cloudtrail-jobs]
 
 Detect suspicious activity recorded in your CloudTrail logs.
@@ -49,7 +69,27 @@ In the {{ml-app}} app, these configurations are available only when data exists
 | rare_error_code | Looks for unusual errors. Rare and unusual errors may simply indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_error_code.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
 | rare_method_for_a_city | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (city) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_city.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
 | rare_method_for_a_country | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a geolocation (country) that is unusual. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_country.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
-| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or abnormal, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail)                                                           |
+| rare_method_for_a_username | Looks for AWS API calls that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/rare_method_for_a_username.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_cloudtrail/ml/datafeed_rare_method_for_a_username.json)| [AWS](https://www.elastic.co/docs/reference/integrations/aws/cloudtrail) |
+
+
+## Security: GCP Audit logs [security-gcp-audit]
+
+```yaml {applies_to}
+stack: ga 9.3
+serverless: ga
+```
+
+Detect suspicious activity recorded in your GCP Audit logs.
+
+In the {{ml-app}} app, these configurations are available only when data exists that matches the query specified in the [manifest file](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/manifest.json). In the {{security-app}}, it looks in the {{data-source}} specified in the [`securitySolution:defaultIndex` advanced setting](kibana://reference/advanced-settings.md#securitysolution-defaultindex) for data that matches the query.
+
+| Name | Description | Job (JSON) | Datafeed | Supported Integrations                                                                                                                                                                                                                                                                                      |
+| --- | --- | --- | --- |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| gcp_audit_high_distinct_count_error_message | Looks for a spike in the rate of an action where the event outcome is a failure. Spikes might indicate an impending service failure but could also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_high_distinct_count_error_message.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_high_distinct_count_error_message.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_error_code | Looks for unusual errors. Rare and unusual errors might indicate an impending service failure but they can also be byproducts of attempted or successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection activity by a threat actor. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_error_code.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_error_code.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_city | Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a geolocation (city) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_city.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_city.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_country | Looks for GCP actions calls that, while not inherently suspicious or aytpical, are sourcing from a geolocation (country) that is unexpected. This can be the result of compromised credentials or keys. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_country.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_country.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
+| gcp_audit_rare_method_for_a_client_user_email | Looks for GCP actions that, while not inherently suspicious or atypical, are sourcing from a user context that does not normally call the method. This can be the result of compromised credentials or keys as someone uses a valid account to persist, move laterally, or exfil data. | [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/gcp_audit_rare_method_for_a_client_user_email.json)| [code](https://github.com/elastic/kibana/blob/main/x-pack/platform/plugins/shared/ml/server/models/data_recognizer/modules/security_gcp_audit/ml/datafeed_gcp_audit_rare_method_for_a_client_user_email.json)| [GCP Audit](https://www.elastic.co/docs/reference/integrations/gcp/audit) |
 
 
 ## Security: Host [security-host-jobs]
