Possible enumeration activity from anomalous number of access denied errors

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect when a user generates an anomalous number of access-denied (failed) read API calls in OCI.

Strategy

Monitor OCI logs to identify when a user ({{@usr.name}}) generates an anomalous number of access-denied read API calls relative to their normal activity. A burst of denied read calls spread across many services and resource types is a common sign of an attacker holding a compromised credential and enumerating which permissions and resources it grants.
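The following is an added illustration of the detection logic described above, not the rule's actual implementation (Datadog's anomaly scoring is not shown on this page). It runs over a constructed sample of OCI Audit-shaped events and flags a principal whose count of denied read calls is far above that principal's own history and is spread across many distinct APIs, which separates enumeration from a broken script retrying one call. The field names follow the OCI Audit log schema (data.identity.principalName, data.request.action, data.eventName, data.response.status, data.response.message); the principal names, API list, baseline counts and thresholds (min_count, min_distinct_apis, k) are assumptions made for the example.

```python
import statistics
from collections import Counter, defaultdict

# Constructed sample data (invented values). Only the fields this example reads are
# populated; field names follow the OCI Audit log schema.
READ_METHODS = {"GET", "HEAD"}      # OCI List*/Get* APIs are HTTP GET
DENIED_STATUSES = {"401", "403"}    # OCI also hides denied resources behind 404, handled below


def make_event(principal, action, event_name, status, message):
    """Build a minimal OCI Audit-shaped event (constructed test data)."""
    return {
        "data": {
            "identity": {"principalName": principal},
            "request": {"action": action},
            "eventName": event_name,
            "response": {"status": status, "message": message},
        }
    }


SAMPLE_EVENTS = [
    make_event("alice", "GET", "GetBucket", "200", ""),
    make_event("alice", "GET", "ListObjects", "200", ""),
    make_event("alice", "GET", "GetUser", "404", "NotAuthorizedOrNotFound"),
    make_event("alice", "POST", "CreateBucket", "403", "Forbidden"),  # denied, but not a read
]
# One principal walking List* APIs across many services and being refused on each:
# the pattern the rule is meant to catch.
ENUM_APIS = ["ListBuckets", "ListUsers", "ListGroups", "ListPolicies", "ListCompartments",
             "ListInstances", "ListVcns", "ListSubnets", "ListDbSystems", "ListSecrets",
             "ListVaults", "ListKeys", "ListFunctions", "ListClusters", "ListLoadBalancers"]
for api in ENUM_APIS:
    SAMPLE_EVENTS.append(make_event("svc-scanner", "GET", api, "404", "NotAuthorizedOrNotFound"))

# Assumed per-user denied-read counts from the five previous windows (constructed).
BASELINE = {"alice": [1, 0, 2, 1, 0], "svc-scanner": [0, 1, 0, 0, 1]}


def is_denied(event):
    """True for 401/403, and for OCI's 404 NotAuthorizedOrNotFound masking of denials."""
    resp = event["data"]["response"]
    if resp["status"] in DENIED_STATUSES:
        return True
    return resp["status"] == "404" and "NotAuthorizedOrNotFound" in (resp.get("message") or "")


def is_read(event):
    return event["data"]["request"]["action"] in READ_METHODS


def denied_reads_by_user(events):
    """Count denied read calls per principal and the distinct APIs each was denied on."""
    counts = Counter()
    apis = defaultdict(set)
    for ev in events:
        if is_read(ev) and is_denied(ev):
            user = ev["data"]["identity"]["principalName"]
            counts[user] += 1
            apis[user].add(ev["data"]["eventName"])
    return counts, apis


def anomalous_users(counts, apis, baseline, min_count=10, min_distinct_apis=5, k=3.0):
    """Flag principals whose denied-read count exceeds mean + k*stdev of their own
    history, an absolute floor, and a spread across several distinct APIs."""
    flagged = {}
    for user, n in counts.items():
        hist = baseline.get(user, [])
        # With no usable history only the absolute floor applies.
        threshold = statistics.mean(hist) + k * statistics.pstdev(hist) if len(hist) >= 2 else 0.0
        if n >= min_count and n > threshold and len(apis[user]) >= min_distinct_apis:
            flagged[user] = {"denied_reads": n, "distinct_apis": len(apis[user]),
                             "threshold": round(threshold, 2)}
    return flagged


if __name__ == "__main__":
    counts, apis = denied_reads_by_user(SAMPLE_EVENTS)
    for user, info in anomalous_users(counts, apis, BASELINE).items():
        print(f"{user}: {info}")
```

In the sample, alice's single denied GetUser (the denied CreateBucket is a POST and is ignored) stays well under the floor, while svc-scanner's fifteen denials across fifteen APIs is flagged. The distinct-API requirement is the practical check worth keeping in a real rule: a misconfigured integration usually hammers one endpoint, while an enumerating attacker touches many.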

Triage and response

  1. Investigate the API calls associated with {{@usr.name}} in the time frame of the signal.
    • Use the Cloud SIEM - User Investigation dashboard to assess user activity, paying attention to which services and compartments the denied calls targeted.
  2. Contact the user to see if they intended to make these API calls.
  3. If the user did not make the API calls:
    • Rotate the user's credentials (API signing keys, auth tokens, and console password).
    • Review the successful API calls made with the same credentials across the rest of the environment: the denied calls show what the attacker probed for, the successful ones show what they reached.
  4. If the root cause is not a misconfiguration (for example, a new automation running under an insufficient policy), investigate any other signals from around the same time by looking at the Host Investigation dashboard.