Rules Contributing to Suspicious OCI Instance Image Export Alert

This topic covers a feature that is not available for all customers yet. See Early Access Program Features and Topics Under Development.
The following rules are used to identify suspicious instance image export activity in OCI. Any one or more of these will trigger the Suspicious OCI Instance Image Export Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
OCI Instance Image Export Failure |
Identifies a failed attempt to export an OCI instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. More details
![]() Rule IDQuery{'selection1': {'eventName': 'exportimage'}, 'selection2': {'status': [400, 401, 404, 409, 412]}, 'condition': 'selection1 and selection2'} Log SourceStellar Cyber OCI configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Severity25 Suppression Logic Based On
Additional Information
|