Detection Library
medium · experimental · Linux · OCI · T1566

Linux Agent Opening Browser To OCI Console Or Identity Pages

Detects AI agent processes launching browsers with URLs pointing to OCI console, identity, or authentication pages, which may indicate the agent is attempting to perform unauthorized actions via the OCI web console.

Updated Jan 10, 2025 · OCI AI Security Team

agentic-ai · trust-exploitation · oci-console · browser-automation · linux · oci · owasp-asi09

Problem Statement

Navigating to OCI console identity pages via browser automation allows an agent to perform IAM operations (create users, grant roles, modify federation) through the web UI rather than the API, potentially bypassing API-level access controls and audit logging.

Sample Logs

{"timestamp":"2025-01-10T14:45:00Z","computer_name":"oci-desktop-06","user":"agent_svc","image":"/usr/bin/google-chrome","command_line":"google-chrome https://cloud.oracle.com/identity/users","parent_image":"/usr/bin/python3"}

Required Fields

image
command_line
parent_image
user
computer_name

False Positives

  • Web automation agents that legitimately interact with the OCI console as part of approved UI testing workflows

Tuning Guidance

Alert specifically on console URLs involving identity, IAM, and federation pages as these represent the highest-risk actions. Suppress known UI test service accounts.
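The matching and tuning logic described above, run over the page's sample log plus constructed variants. This is an added example, not the library's own rule; the browser list, agent parent pattern, OCI host suffixes, high-risk keywords, and the `ui_test_svc` account are assumptions to replace with your own inventory.

```python
import json
import re
from urllib.parse import urlparse

# Assumed values for illustration; replace with your own inventory.
BROWSERS = {"google-chrome", "chrome", "chromium", "chromium-browser", "firefox"}
AGENT_PARENT = re.compile(r"^(python[\d.]*|node)$")
OCI_SUFFIXES = ("cloud.oracle.com", "oraclecloud.com")
HIGH_RISK = re.compile(r"(?<![a-z])(identity|iam|federation|login|signin)(?![a-z])", re.I)
SUPPRESSED_USERS = {"ui_test_svc"}  # hypothetical approved UI test account
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def _base(path):
    return (path or "").rsplit("/", 1)[-1].lower()

def _is_oci_host(host):
    # Suffix match on the parsed hostname, so a lookalike such as
    # cloud.oracle.com.example.net is not treated as the OCI console.
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in OCI_SUFFIXES)

def evaluate(event):
    """Return the matching URL if the event should alert, else None."""
    if _base(event.get("image")) not in BROWSERS:
        return None
    if not AGENT_PARENT.match(_base(event.get("parent_image"))):
        return None
    if event.get("user") in SUPPRESSED_USERS:
        return None
    for url in URL_RE.findall(event.get("command_line") or ""):
        p = urlparse(url)
        if _is_oci_host(p.hostname) and HIGH_RISK.search(f"{p.hostname}{p.path}"):
            return url
    return None

# The sample log from this page, unchanged.
PAGE_SAMPLE = json.loads('{"timestamp":"2025-01-10T14:45:00Z","computer_name":"oci-desktop-06","user":"agent_svc","image":"/usr/bin/google-chrome","command_line":"google-chrome https://cloud.oracle.com/identity/users","parent_image":"/usr/bin/python3"}')
# Constructed variants that should NOT alert.
CONSTRUCTED = [
    dict(PAGE_SAMPLE, user="ui_test_svc"),            # suppressed test account
    dict(PAGE_SAMPLE, parent_image="/usr/bin/bash"),  # parent is not an agent runtime
    dict(PAGE_SAMPLE, command_line="google-chrome https://cloud.oracle.com/compute/instances"),
    dict(PAGE_SAMPLE, command_line="google-chrome https://cloud.oracle.com.example.net/identity/users"),
]

if __name__ == "__main__":
    for e in [PAGE_SAMPLE, *CONSTRUCTED]:
        print("ALERT" if evaluate(e) else "ok   ", e["user"], e["parent_image"], e["command_line"])
```

Suppression here keys on `user` alone; pairing it with `computer_name` narrows the exemption to the hosts where UI testing is approved.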