elastic · jmcarlock · Oct 6, 2025 · Oct 8, 2025 · Oct 9, 2025 · Oct 9, 2025
diff --git a/rules/integrations/azure/ml_azure_event_failures.toml b/rules/integrations/azure/ml_azure_event_failures.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a significant spike in the rate of a particular failure in the Azure Activity Logs messages. Spikes
+in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
+"""
+false_positives = [
+    """
+    Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
+    automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
+    privileges.
+    """,
+]
+from = "now-60m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_high_distinct_count_event_action_on_failure"
+name = "Spike in Azure Activity Logs Failed Messages"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "1eb74889-18c5-4f78-8010-d8aceb7a9ef4"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_event_failures.toml b/rules/integrations/azure/ml_azure_rare_event_failures.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected an unusual failure in an Azure Activity Logs message. These can be byproducts of attempted or
+successful persistence, privilege escalation, defense evasion, discovery, lateral movement, or collection.
+"""
+false_positives = [
+    """
+    Rare and unusual failures may indicate an impending service failure state. Rare and unusual user failure activity can
+    also be due to manual troubleshooting or reconfiguration attempts by insufficiently privileged users, bugs in cloud
+    automation scripts or workflows, or changes to IAM privileges.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_on_failure"
+name = "Rare Azure Activity Logs Event Failures"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "c17ffbf9-595a-4c0b-a126-aacedb6dd179"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_city.toml b/rules/integrations/azure/ml_azure_rare_method_by_city.toml
@@ -0,0 +1,60 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (city) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+    """
+    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+    adoption of work from home policies; or users who travel frequently.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_city"
+name = "Unusual City for an Azure Activity Logs Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "ce08cdb8-e6cb-46bb-a7cc-16d17547323f"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_country.toml b/rules/integrations/azure/ml_azure_rare_method_by_country.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+a geolocation (country) that is unusual for the event action. This can be the result of compromised credentials or keys being
+used by a threat actor in a different geography than the authorized user(s).
+"""
+false_positives = [
+    """
+    New or unusual event and user geolocation activity can be due to manual troubleshooting or reconfiguration;
+    changes in cloud automation scripts or workflows; adoption of new services; expansion into new regions; increased
+    adoption of work from home policies; or users who travel frequently.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_country"
+name = "Unusual Country for an Azure Activity Logs Event"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "76de17b9-af25-49a0-9378-02888b6bb3a2"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+]
+type = "machine_learning"
diff --git a/rules/integrations/azure/ml_azure_rare_method_by_user.toml b/rules/integrations/azure/ml_azure_rare_method_by_user.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["azure"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 75
+author = ["Elastic"]
+description = """
+A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from
+user context that does not normally use the event action. This can be the result of compromised credentials or keys as
+someone uses a valid account to persist, move laterally, or exfiltrate data.
+"""
+false_positives = [
+    """
+    New or unusual user event activity can be due to manual troubleshooting or reconfiguration; changes in cloud
+    automation scripts or workflows; adoption of new services; or changes in the way services are used.
+    """,
+]
+from = "now-2h"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "azure_activitylogs_rare_event_action_for_a_username"
+name = "Unusual Azure Activity Logs Event for a User"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from Azure Activity Logs.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### Azure Activity Logs Integration Setup
+The Azure Activity Logs integration allows you to collect logs and metrics from Azure with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System integration "Azure Activity Logs" to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Azure Activity Logs” and select the integration to see more details about it.
+- Click “Add Azure Activity Logs”.
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/reference/integrations/azure/activitylogs).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "81892f44-4946-4b27-95d3-1d8929b114a7"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+]
+type = "machine_learning"
+
diff --git a/rules/integrations/gcp/ml_gcp_error_message_spike.toml b/rules/integrations/gcp/ml_gcp_error_message_spike.toml
@@ -0,0 +1,61 @@
+[metadata]
+creation_date = "2025/10/06"
+integration = ["gcp"]
+maturity = "production"
+min_stack_comments = "New job added"
+min_stack_version = "9.3.0"
+updated_date = "2025/10/06"
+
+[rule]
+anomaly_threshold = 50
+author = ["Elastic"]
+description = """
+A machine learning job detected a significant spike in the rate of a particular failure in the GCP Audit messages. Spikes
+in failed messages may accompany attempts at privilege escalation, lateral movement, or discovery.
+"""
+false_positives = [
+    """
+    Spikes in failures can also be due to bugs in cloud automation scripts or workflows; changes to cloud
+    automation scripts or workflows; adoption of new services; changes in the way services are used; or changes to IAM
+    privileges.
+    """,
+]
+from = "now-60m"
+interval = "15m"
+license = "Elastic License v2"
+machine_learning_job_id = "gcp_audit_high_distinct_count_error_message"
+name = "Spike in GCP Audit Failed Messages"
+setup = """## Setup
+
+This rule requires the installation of associated Machine Learning jobs, as well as data coming in from GCP Audit.
+
+### Anomaly Detection Setup
+
+Once the rule is enabled, the associated Machine Learning job will start automatically. You can view the Machine Learning job linked under the "Definition" panel of the detection rule. If the job does not start due to an error, the issue must be resolved for the job to commence successfully. For more details on setting up anomaly detection jobs, refer to the [helper guide](https://www.elastic.co/guide/en/kibana/current/xpack-ml-anomalies.html).
+
+### GCP Audit logs Integration Setup
+The Google Cloud Platform (GCP) Audit logs integration allows you to collect logs and metrics from Google Cloud Platform (GCP) with Elastic Agent.
+
+#### The following steps should be executed in order to add the Elastic Agent System "Google Cloud Platform (GCP) Audit logs" integration to your system:
+- Go to the Kibana home page and click “Add integrations”.
+- In the query bar, search for “Google Cloud Platform (GCP) Audit logs” and select the integration to see more details about it.
+- Click “Add Google Cloud Platform (GCP) Audit logs".
+- Configure the integration.
+- Click “Save and Continue”.
+- For more details on the integration refer to the [helper guide](https://www.elastic.co/docs/current/integrations/gcp).
+"""
+references = ["https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html"]
+risk_score = 21
+rule_id = "a4b740e4-be17-4048-9aa4-1e6f42b455b1"
+severity = "low"
+tags = [
+    "Domain: Cloud",
+    "Data Source: GCP",
+    "Data Source: GCP Audit Logs",
+    "Data Source: Google Cloud Platform",
+    "Rule Type: ML",
+    "Rule Type: Machine Learning",
+    "Resources: Investigation Guide",
+]
+type = "machine_learning"
+