Oracle Cloud user failed login followed by success

This rule is part of a beta feature. To learn more, contact Support.
oracle-cloud-infrastructure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect potentially successful bruteforce attempt.

Strategy

This rule monitors logs from OCI to detect successful bruteforce attempts. A signal is generated after 5 or more failed attempts for a specific user are followed by a successful login for the same user.

Triage and response

  1. Review the logs associated with this signal. Determine if the user {{ @usr.name }} is expected to authenticate from the IP address {{ @network.client.ip }}.
  2. Review audit logs for suspicious actions taken by the user after authenticating.
  3. Rotate credentials for the affected account.