4.01 - Unusually high API usage by any user identity

Unusually high API usage by any user identity on any given day in the last 7 days, where unusual is defined as daily_count > avg(daily_count) + 3 * stddev(daily_count), and daily_count is the number of actions per principal on a given day. For each day, the average and standard deviation are computed over the daily counts that precede it. The default lookback window is the last 90 days.

Category: Cloud Workload Usage
Use Cases: Detect, Audit
Data Sources: Audit Logs
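
The rule above, worked through in Python as an added example (not the project's own query). The principals and counts are constructed sample data, and three choices are assumptions: sample standard deviation, no verdict when fewer than two preceding daily counts exist, and days with no actions left out of the baseline rather than counted as zero.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import mean, stdev

def flag_unusual_days(events, today, report_days=7, lookback_days=90, sigmas=3):
    """events: iterable of (principal, day) pairs, one pair per audit-logged action.
    Returns sorted (principal, day, daily_count, threshold) tuples for flagged days."""
    per_principal = defaultdict(dict)
    for (principal, day), n in Counter(events).items():
        per_principal[principal][day] = n
    findings = []
    for principal, per_day in per_principal.items():
        for offset in range(report_days):
            day = today - timedelta(days=offset)
            if day not in per_day:
                continue
            # Baseline is strictly the preceding days inside the lookback window,
            # so a spike never inflates the threshold it is compared against.
            start = day - timedelta(days=lookback_days)
            history = [n for d, n in per_day.items() if start <= d < day]
            if len(history) < 2:
                continue  # assumption: no verdict without a baseline (stddev undefined)
            threshold = mean(history) + sigmas * stdev(history)  # sample stddev
            if per_day[day] > threshold:
                findings.append((principal, day, per_day[day], round(threshold, 2)))
    return sorted(findings)

def constructed_events(today):
    """Constructed sample: 30 days of activity for three hypothetical principals."""
    events = []
    for i in range(30):
        day = today - timedelta(days=i)
        # Human user: 10-12 actions a day, except 60 actions two days ago.
        events += [("alice@example.com", day)] * (60 if i == 2 else 10 + 2 * (i % 2))
        # Service account: high volume but steady, so high is not unusual.
        events += [("svc@example.iam.gserviceaccount.com", day)] * (1000 + 5 * (i % 3))
    # Principal first seen today: 500 actions but no preceding counts.
    events += [("new@example.com", today)] * 500
    return events

if __name__ == "__main__":
    today = date(2024, 3, 31)
    for finding in flag_unusual_days(constructed_events(today), today):
        print(finding)
```

Only the 60-action day is flagged. The days after it are compared against a baseline that now contains the spike, which raises their threshold, and the first-seen principal is skipped entirely, so new identities need a separate check.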

Queries or Rules

| BigQuery | Log Analytics | Google SecOps |
| --- | --- | --- |
| SQL | SQL | Contribute rule |

Event Generation

No event generation steps provided. Contribute emulation test to this use case.

Sample Event

No log samples provided. Contribute log samples to this use case.