Possible enumeration activity from anomalous number of access denied errors
Set up the oracle-cloud-infrastructure integration.
Goal
Detect when a user is generating an anomalous number of failed Read API calls in OCI.
Strategy
Monitor OCI logs to identify when a user ({{@usr.name}}) generates an anomalous number of failed API calls. This could be indicative of an attacker attempting to enumerate their permissions and available resources.
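As an added illustration of the strategy above (this is example code, not Datadog's rule logic or OCI's own tooling), the following Python script buckets failed Read API calls per user into fixed time windows and flags a window whose count stands well above that user's own baseline. The log records are constructed inline, and their field names (principalName, method, status, eventTime) are an assumption modelled loosely on OCI Audit events rather than the exact schema.

```python
"""Added example: per-user baseline of failed (access-denied) Read API calls.

Not Datadog rule code. Records and field names below are constructed
assumptions, loosely modelled on OCI Audit events.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

# OCI commonly reports unauthorized reads as 404 NotAuthorizedOrNotFound,
# so 404 is counted alongside 401 and 403.
FAILED_STATUSES = {401, 403, 404}


def make_events():
    """Constructed sample log records (not real OCI audit data)."""
    base = datetime(2024, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
    events = []

    def ev(ts, user, method, status):
        return {"eventTime": ts.isoformat(), "principalName": user,
                "method": method, "status": status}

    # alice: one successful and one denied GET per 5-minute bucket (baseline)
    for i in range(6):
        t = base + timedelta(minutes=5 * i)
        events.append(ev(t, "alice", "GET", 200))
        events.append(ev(t, "alice", "GET", 404))
    # alice: burst of 25 denied GETs inside the 00:30-00:35 bucket
    for j in range(25):
        t = base + timedelta(minutes=30, seconds=j)
        events.append(ev(t, "alice", "GET", 403 if j % 2 else 404))
    # bob: two isolated denials and one denied write; nothing anomalous
    events.append(ev(base, "bob", "GET", 404))
    events.append(ev(base + timedelta(minutes=20), "bob", "GET", 403))
    events.append(ev(base + timedelta(minutes=21), "bob", "POST", 403))
    return events


def is_failed_read(event):
    """Only denied Read calls count; denied writes are a different signal."""
    return event["method"] == "GET" and event["status"] in FAILED_STATUSES


def bucket_counts(events, window_minutes=5):
    """Return {user: {bucket_start_minute: failed_read_count}}, with empty
    buckets between a user's first and last failure filled with zeros so
    the baseline reflects quiet periods too."""
    counts = defaultdict(lambda: defaultdict(int))
    for event in events:
        if not is_failed_read(event):
            continue
        t = datetime.fromisoformat(event["eventTime"])
        epoch_min = int(t.timestamp() // 60)
        bucket = epoch_min - epoch_min % window_minutes
        counts[event["principalName"]][bucket] += 1
    for user, per_bucket in counts.items():
        lo, hi = min(per_bucket), max(per_bucket)
        for b in range(lo, hi + 1, window_minutes):
            per_bucket.setdefault(b, 0)
    return counts


def find_anomalies(events, window_minutes=5, min_count=10, z=3.0):
    """Flag buckets with at least min_count failed reads that also exceed
    the user's other buckets by more than z standard deviations (a floor
    of 1.0 keeps a flat baseline from making every spike 'infinite')."""
    results = {}
    for user, per_bucket in bucket_counts(events, window_minutes).items():
        buckets = sorted(per_bucket)
        if len(buckets) < 2:
            continue
        for b in buckets:
            others = [per_bucket[x] for x in buckets if x != b]
            mu, sigma = mean(others), pstdev(others)
            cnt = per_bucket[b]
            if cnt >= min_count and cnt > mu + z * max(sigma, 1.0):
                results[user] = {"bucket_start_minute": b,
                                 "failed_reads": cnt, "baseline_mean": mu}
    return results


if __name__ == "__main__":
    for user, hit in find_anomalies(make_events()).items():
        print(f"{user}: {hit['failed_reads']} failed reads "
              f"(baseline mean {hit['baseline_mean']:.1f})")
```

The two thresholds are deliberate: min_count stops a user with a near-zero baseline from being flagged on a handful of typos, while the z-score comparison keeps a busy automation account with a consistently high denial rate from firing on every window.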
Triage and response
- Investigate the API calls associated with {{@usr.name}} in the time frame of the signal.
- Use the Cloud SIEM - User Investigation dashboard to assess user activity.
- Contact the user to see if they intended to make these API calls.
- If the user did not make the API calls:
- Rotate the credentials.
- Investigate to see what API calls might have been made that were successful throughout the rest of the environment.
- If the root cause is not a misconfiguration, investigate any other signals that occurred around the same time as this signal by looking at the Host Investigation dashboard.