Possible enumeration activity from anomalous number of access denied errors

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a user generates an anomalous number of failed (access denied) read API calls in OCI.

Strategy

Monitor OCI logs to identify when a user ({{@usr.name}}) generates an anomalous number of failed API calls. A burst of access-denied read calls, especially across many services or resources, can indicate an attacker (or a compromised credential) probing which permissions and resources are available to the identity.
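The following is an added example of the detection strategy above, not Datadog's rule logic or any code from the page. It counts access-denied read calls per user in fixed windows and flags a user whose latest window is far above their own recent baseline. The OCI Audit log field names it reads (data.identity.principalName, data.request.action, data.response.status, data.response.message, eventTime) are assumptions about the log schema, and the sample events are constructed, not captured from a real tenancy.

```python
"""Added example: flag users with an anomalous count of access-denied read
calls. Illustrative only; not Datadog's rule implementation."""
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

READ_ACTIONS = {"GET", "HEAD", "LIST"}
# Assumption: OCI commonly answers authorization failures with HTTP 404
# ("NotAuthorizedOrNotFound"), so 404 is treated as a denial alongside 401/403.
DENIED_STATUSES = {"401", "403", "404"}


def is_denied_read(event):
    """True if the event is a read-style request that was refused."""
    data = event.get("data", {})
    action = str(data.get("request", {}).get("action", "")).upper()
    response = data.get("response", {})
    status = str(response.get("status", ""))
    message = response.get("message") or ""
    if action not in READ_ACTIONS:
        return False
    return status in DENIED_STATUSES or "NotAuthorized" in message


def window_id(event_time_iso, window_minutes):
    """Bucket an ISO-8601 UTC timestamp into a fixed-size window number."""
    ts = datetime.fromisoformat(event_time_iso.replace("Z", "+00:00"))
    return (int(ts.timestamp()) // 60) // window_minutes


def count_denied_reads(lines, window_minutes=15):
    """Return {user: {window_id: denied_read_count}} from JSON log lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_denied_read(event):
            continue
        user = event["data"]["identity"].get("principalName", "unknown")
        counts[user][window_id(event["eventTime"], window_minutes)] += 1
    return counts


def anomalous_users(counts, min_count=10, factor=5.0):
    """Flag a user whose latest window has at least `min_count` denied reads
    and is at least `factor` times the median of their earlier windows.
    A floor of 1 on the baseline keeps users with no history from dividing
    by zero while still requiring `min_count` events to alert."""
    flagged = {}
    for user, per_window in counts.items():
        windows = sorted(per_window)
        current = per_window[windows[-1]]
        history = [per_window[w] for w in windows[:-1]]
        baseline = median(history) if history else 0
        if current >= min_count and current >= factor * max(baseline, 1):
            flagged[user] = {"window": windows[-1], "count": current,
                             "baseline": baseline}
    return flagged


def detect(lines, window_minutes=15, min_count=10, factor=5.0):
    return anomalous_users(count_denied_reads(lines, window_minutes),
                           min_count, factor)


# ---- constructed sample events (not real OCI Audit data) -------------------
def _event(user, action, status, event_time, event_name="GetInstance", message=""):
    return json.dumps({
        "eventType": "com.oraclecloud.computeapi." + event_name,
        "eventTime": event_time,
        "data": {"eventName": event_name,
                 "identity": {"principalName": user},
                 "request": {"action": action},
                 "response": {"status": status, "message": message}},
    })


DENIED = "NotAuthorizedOrNotFound"
_PROBED = ["ListInstances", "ListVcns", "ListBuckets", "ListUsers",
           "ListPolicies", "ListCompartments"]
SAMPLE_LINES = [
    # alice: one denied read per 15-minute window, ordinary background noise
    _event("alice", "GET", "404", "2024-05-01T10:02:00Z", message=DENIED),
    _event("alice", "GET", "404", "2024-05-01T10:17:00Z", message=DENIED),
    _event("alice", "GET", "404", "2024-05-01T10:32:00Z", message=DENIED),
    _event("alice", "GET", "404", "2024-05-01T10:47:00Z", message=DENIED),
    _event("alice", "GET", "200", "2024-05-01T10:48:00Z"),
    # svc-deploy: quiet history, then a burst of denied LIST calls across services
    _event("svc-deploy", "LIST", "404", "2024-05-01T10:03:00Z", "ListInstances", DENIED),
    _event("svc-deploy", "GET", "404", "2024-05-01T10:18:00Z", "GetVcn", DENIED),
    *[_event("svc-deploy", "LIST", "404", f"2024-05-01T10:{46 + i:02d}:00Z",
             _PROBED[i % len(_PROBED)], DENIED) for i in range(12)],
    # a denied write is not counted: the rule is about read enumeration
    _event("svc-deploy", "POST", "404", "2024-05-01T10:58:00Z", "LaunchInstance", DENIED),
]

if __name__ == "__main__":
    for user, info in detect(SAMPLE_LINES).items():
        print(f"{user}: {info['count']} denied reads (baseline {info['baseline']})")
```

In a real deployment the baseline would come from days of history rather than a handful of windows, and the thresholds would be tuned per tenancy; the point of the block is the shape of the logic: filter to denied reads, bucket per principal, compare the current bucket against that principal's own history.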

Triage and response

  1. Investigate the API calls associated with {{@usr.name}} in the time frame of the signal.
    • Use the Cloud SIEM - User Investigation dashboard to assess user activity.
  2. Contact the user to see if they intended to make these API calls.
  3. If the user did not make the API calls:
    • Rotate the credentials.
    • Investigate which other API calls made with those credentials succeeded elsewhere in the environment.
  4. If the root cause is not a misconfiguration, investigate any other signals around the same time as this signal using the Host Investigation dashboard.