Oracle Cloud user failed login followed by success

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detect a potentially successful brute-force attempt.

Strategy

This rule monitors logs from OCI to detect successful brute-force attempts. A signal is generated when 5 or more failed login attempts for a specific user are followed by a successful login for the same user.

Triage and response

  1. Review the logs associated with this signal. Determine if the user {{ @usr.name }} is expected to authenticate from the IP address {{ @network.client.ip }}.
  2. Review audit logs for suspicious actions taken by the user after authenticating.
  3. Rotate credentials for the affected account.