Unusually high API usage by any user identity on any given day in the last 7 days, where unusual is defined as `daily_count > avg(daily_count) + 3 * stddev(daily_count)`, and `daily_count` is the number of actions per principal on a given day.
Aggregate averages and standard deviations are computed for each day looking back at the preceding daily counts.
Default lookback window is the last 90 days.
Category: Cloud Workload Usage
Use Cases: Detect, Audit
Data Sources: Audit Logs
| BigQuery | Log Analytics | Google SecOps |
|---|---|---|
| SQL | SQL | Contribute rule |
No event generation steps provided. Contribute emulation test to this use case.
No log samples provided. Contribute log samples to this use case.
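
The threshold logic described above, as an added Python example run over constructed data (it is not this project's SQL). The principal names, the fixed date and the event shape `(principal, day)` are hypothetical. It assumes the sample standard deviation, and that only days on which a principal was active contribute to that principal's baseline.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, stdev

LOOKBACK_DAYS = 90  # baseline window (the page's default)
REPORT_DAYS = 7     # only days this recent are reported
SIGMA = 3           # threshold multiplier from the page's definition

def unusual_usage(events, today):
    """events: (principal, day) pairs, one per audit-log action.
    Returns [(principal, day, daily_count, avg, stddev)], highest count first."""
    oldest = today - timedelta(days=LOOKBACK_DAYS)
    counts = defaultdict(lambda: defaultdict(int))
    for principal, day in events:
        if oldest <= day <= today:
            counts[principal][day] += 1
    findings = []
    for principal, per_day in counts.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            prior = [per_day[d] for d in days[:i]]  # strictly preceding days
            if day < today - timedelta(days=REPORT_DAYS) or len(prior) < 2:
                continue  # too old to report, or no baseline (stdev needs 2+)
            avg, sd = mean(prior), stdev(prior)
            if per_day[day] > avg + SIGMA * sd:
                findings.append((principal, day, per_day[day],
                                 round(avg, 2), round(sd, 2)))
    return sorted(findings, key=lambda f: f[2], reverse=True)

def sample_events(today):
    """Constructed data: three hypothetical principals."""
    events = []
    def add(principal, days_ago, n):
        events.extend([(principal, today - timedelta(days=days_ago))] * n)
    for k in range(3, 33):   # steady human user: 10-12 actions/day
        add("alice@example.com", k, 10 if k % 2 else 12)
    add("alice@example.com", 2, 60)       # spike two days ago
    for k in range(40):      # busy but stable service account
        add("svc-batch@example.com", k, 500 + (k % 5) * 10)
    add("new-user@example.com", 1, 1000)  # first day ever seen: no baseline
    return events

if __name__ == "__main__":
    today = date(2024, 6, 30)  # fixed date so the output is reproducible
    for finding in unusual_usage(sample_events(today), today):
        print(finding)
```

Only the spike for `alice@example.com` is reported. The 1000-action first day of `new-user@example.com` is not, because a principal with no preceding daily counts has no baseline to deviate from, so first-seen identities need a separate check.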