Detection Library
highstableOCICloudT1530
OCI Object Storage Mass Download, Data Exfiltration
Detects bulk GetObject requests against OCI Object Storage buckets, indicating potential data exfiltration via the OCI API or console.
Updated Dec 10, 2024 · Detection Engineering Team
ociobject-storageexfiltrationcloudaudit-log
Problem Statement
OCI Object Storage is a common target for data exfiltration. Adversaries with compromised credentials can quietly download large datasets via the API with no alerting unless download volume is monitored.
Sample Logs
{"eventTime":"2024-12-10T02:15:00Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/hr/salaries_2024.csv","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":524288}{"eventTime":"2024-12-10T02:15:04Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/finance/q4_report.xlsx","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":1048576}{"eventTime":"2024-12-10T02:15:08Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/pii/customer_export_full.json","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":10485760}Required Fields
eventName
requestAction
principalId
principalName
compartmentId
resourceId
sourceIPAddress
responseStatus
bytesSent
eventTime
False Positives
- ·Authorized bulk backup jobs using service principals
- ·Data engineering pipelines performing large dataset reads
- ·Disaster recovery jobs during maintenance windows
Tuning Guidance
Whitelist known automation service accounts (OCIDs) and restrict the rule to human user principals. Add a bytesSent threshold to focus on large-volume transfers. Correlate with off-hours access for higher fidelity.