Oracle Cloud user failed login followed by success

This rule is part of a beta feature. To learn more, contact Support.
oracle-cloud-infrastructure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect potentially successful bruteforce attempt.

Strategy

This rule monitors logs from OCI to detect successful bruteforce attempts. A signal is generated after 5 or more failed attempts for a specific user are followed by a successful login for the same user.

Triage and response

  1. Review the logs associated with this signal. Determine if the user {{ @usr.name }} is expected to authenticate from the IP address {{ @network.client.ip }}.
  2. Review audit logs for suspicious actions taken by the user after authenticating.
  3. Rotate credentials for the affected account.

Changelog

  • 25 September 2025 - Updated query successful login.