Oracle Cloud user failed login followed by success

This rule is part of a beta feature. To learn more, contact Support.
oracle-cloud-infrastructure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect potentially successful bruteforce attempt.

Strategy

This rule monitors logs from OCI to detect successful bruteforce attempts. A signal is generated after 5 or more failed attempts for a specific user are followed by a successful login for the same user.

Triage and response

  1. Review the logs associated with this signal. Determine if the user {{ @usr.name }} is expected to authenticate from the IP address {{ @network.client.ip }}.
  2. Review audit logs for suspicious actions taken by the user after authenticating.
  3. Rotate credentials for the affected account.