Oracle Cloud user requested to create or reset password from malicous IP

This rule is part of a beta feature. To learn more, contact Support.
oracle-cloud-infrastructure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Goal

Detect when an API request to reset the password was made by a user.

Strategy

Monitor Oracle cloud logs to detect the API call CreateOrResetMyPasswordRequest. An attacker can compromise the user’s email address to reset the user’s password.

Triage and response

  1. Determine if the request to reset the user password should have been made.
  2. If not, investigate the action performed by {{@usr.name}} for indicators of account compromise, and rotate credentials if necessary.
PREVIEWING: domalessi/docs-10584