
Summary
This detection rule identifies unusual events in Google Cloud Platform (GCP) from audit logs. It uses a machine learning job to model each user's normal activity and flags events that fall outside that user's established context. When a valid user account performs actions that are atypical for it, the activity may indicate compromised credentials or follow-on malicious behaviour such as lateral movement, persistence, or data exfiltration. The rule applies an anomaly threshold of 75 and evaluates user events over a rolling window of the last two hours in 15-minute intervals. When it fires, security teams can investigate further using the referenced setup guides and frameworks, including the MITRE ATT&CK mappings listed below. To function, the rule depends on correct ingestion of GCP audit logs and on the associated machine learning jobs being enabled; detections are categorized with low severity and a risk score of 21.
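To make the evaluation logic concrete, the following added example (not the rule's own ML job or any vendor code) scores constructed GCP audit-log entries with a simple per-user rarity score in place of the real anomaly model, applies the page's threshold of 75 over the two-hour window in 15-minute buckets, and tags hits with the stated severity and risk score. The field paths `protoPayload.authenticationInfo.principalEmail` and `protoPayload.methodName` are the standard GCP audit-log fields; the user names, timestamps and the `rarity_score` formula are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Parameters taken from the rule description.
ANOMALY_THRESHOLD = 75          # alert when the score is at least 75
LOOKBACK = timedelta(hours=2)   # rolling evaluation window
BUCKET = timedelta(minutes=15)  # interval size inside the window
SEVERITY, RISK_SCORE = "low", 21

def make_entry(ts, user, method):
    """Build a minimal GCP audit-log entry (constructed sample data)."""
    return {"timestamp": ts, "protoPayload": {"methodName": method,
            "authenticationInfo": {"principalEmail": user}}}

def rarity_score(history: Counter, method: str) -> float:
    """Stand-in for the ML anomaly score (assumption, not the real model):
    0 for a user's most common action, 100 for one never seen before."""
    total = sum(history.values())
    return 100.0 if total == 0 else 100.0 * (1.0 - history[method] / total)

def detect(entries, now):
    """Baseline each user on events older than LOOKBACK, then score the
    recent ones bucket by bucket and return the anomalous events."""
    baseline = defaultdict(Counter)  # user -> Counter of methodName
    recent = defaultdict(list)       # bucket index -> recent events
    for e in entries:
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00"))
        pp = e["protoPayload"]
        user, method = pp["authenticationInfo"]["principalEmail"], pp["methodName"]
        if ts < now - LOOKBACK:
            baseline[user][method] += 1
        else:
            recent[(now - ts) // BUCKET].append((user, method))  # 0 = newest
    alerts = []
    for bucket in sorted(recent):
        for user, method in recent[bucket]:
            score = rarity_score(baseline[user], method)
            if score >= ANOMALY_THRESHOLD:
                alerts.append({"user": user, "method": method, "bucket": bucket,
                               "score": score, "severity": SEVERITY,
                               "risk_score": RISK_SCORE})
    return alerts

# Constructed sample: alice normally reads objects, then creates a service
# account key; bob lists instances as usual.
NOW = datetime(2025, 10, 6, 12, 0, tzinfo=timezone.utc)
SAMPLE = ([make_entry("2025-10-05T09:00:00Z", "alice@example.com", "storage.objects.get")] * 20
          + [make_entry("2025-10-05T09:30:00Z", "bob@example.com", "v1.compute.instances.list")] * 5
          + [make_entry("2025-10-06T11:50:00Z", "alice@example.com", "google.iam.admin.v1.CreateServiceAccountKey"),
             make_entry("2025-10-06T10:20:00Z", "bob@example.com", "v1.compute.instances.list")])

if __name__ == "__main__":
    for alert in detect(SAMPLE, NOW):
        print(alert)
```

Only alice's key creation crosses the threshold; bob's repeated listing scores 0 and stays silent.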
Categories
- Cloud
Data Sources
- Group
- Cloud Service
- Network Traffic
- Application Log
- File
ATT&CK Techniques
- T1078
- T1078.004
- T1021
- T1021.007
- T1041
Created: 2025-10-06