Rules Contributing to Suspicious OCI Logging Activity Alert

This topic covers a feature that is not available for all customers yet. See Early Access Program Features and Topics Under Development.
The following rules are used to identify suspicious logging activity in OCI. Any one or more of them will trigger the Suspicious OCI Logging Activity Alert. The details for each rule (query, log source, rule source, MITRE ATT&CK tactics and techniques, references, and severity) follow the summary table.

Title | Description
---|---
OCI Log Group Deletion | Identifies the deletion of a specified OCI LogGroup. When a log group is deleted, all the archived log entries associated with the log group are also permanently deleted.
OCI Log Object Deletion | Identifies the deletion of an OCI log object, which permanently deletes all associated archived log entries.
OCI Log Object Updated | Identifies an update to an existing OCI log object with configuration that specifies the delivery of log files.

More details: OCI Log Group Deletion

Field | Value
---|---
Rule ID |
Query | `{'selection': {'eventName': 'deleteloggroup'}, 'condition': 'selection'}`
Log Source | Stellar Cyber OCI configured.
Rule Source | Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures | TA0005, T1562.001, TA0040, T1485
References | N/A
Severity | 50
Suppression Logic Based On |
Additional Information |

More details: OCI Log Object Deletion

Field | Value
---|---
Rule ID |
Query | `{'selection': {'eventName': 'deletelog'}, 'condition': 'selection'}`
Log Source | Stellar Cyber OCI configured.
Rule Source | Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures | TA0005, T1562.001, TA0040, T1485
References | N/A
Severity | 50
Suppression Logic Based On |
Additional Information |

More details: OCI Log Object Updated

Field | Value
---|---
Rule ID |
Query | `{'selection': {'eventName': 'updatelog'}, 'condition': 'selection'}`
Log Source | Stellar Cyber OCI configured.
Rule Source | Developed internally by Stellar Cyber
Tactics, Techniques, and Procedures | TA0009, T1530, TA0040, T1565.001
References | N/A
Severity | 25
Suppression Logic Based On |
Additional Information |
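As an added example (not Stellar Cyber code), the following Python evaluates the three selection queries listed above against constructed OCI Audit-style events and rolls the hits up into an alert severity. The event layout (`eventName` at the top level or under `data`) and the case-insensitive comparison of event names are assumptions, not something the page states.

```python
from typing import Any, Dict, List, Optional

# The three queries exactly as listed on this page, with the page's severities.
RULES: Dict[str, Dict[str, Any]] = {
    "OCI Log Group Deletion": {"severity": 50, "query": {
        "selection": {"eventName": "deleteloggroup"}, "condition": "selection"}},
    "OCI Log Object Deletion": {"severity": 50, "query": {
        "selection": {"eventName": "deletelog"}, "condition": "selection"}},
    "OCI Log Object Updated": {"severity": 25, "query": {
        "selection": {"eventName": "updatelog"}, "condition": "selection"}},
}

def _lookup(event: Dict[str, Any], field: str) -> Optional[str]:
    # Check the top level, then the OCI Audit 'data' object (assumed event layout).
    value = event.get(field, event.get("data", {}).get(field))
    return None if value is None else str(value)

def matches(query: Dict[str, Any], event: Dict[str, Any]) -> bool:
    # Single-selection form only: every selection field must equal the event value.
    # Case-insensitive, since the page's queries are lowercase while OCI emits
    # names such as 'DeleteLogGroup' (assumption about normalisation).
    if query.get("condition") != "selection":
        raise NotImplementedError("only 'condition': 'selection' is supported")
    return all(
        (actual := _lookup(event, f)) is not None and actual.lower() == str(v).lower()
        for f, v in query["selection"].items()
    )

def evaluate(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # Run every rule over every event; a hit records rule title, severity, index.
    return [
        {"rule": title, "severity": rule["severity"], "event": i}
        for i, event in enumerate(events)
        for title, rule in RULES.items()
        if matches(rule["query"], event)
    ]

def alert_severity(hits: List[Dict[str, Any]]) -> int:
    # Roll-up for the alert: the highest severity among contributing rules.
    return max((h["severity"] for h in hits), default=0)

# Constructed sample events in the shape of OCI Audit records (not real data).
SAMPLE_EVENTS = [
    {"data": {"eventName": "DeleteLogGroup", "compartmentName": "prod"}},
    {"data": {"eventName": "GetLog", "compartmentName": "prod"}},
    {"data": {"eventName": "UpdateLog", "compartmentName": "prod"}},
    {"data": {"eventName": "DeleteLog", "compartmentName": "dev"}},
]

if __name__ == "__main__":
    hits = evaluate(SAMPLE_EVENTS)
    print(hits, alert_severity(hits))
```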