Detection Library
high · stable · OCI · Cloud · MITRE ATT&CK T1530 (Data from Cloud Storage)

OCI Object Storage Mass Download — Data Exfiltration

Detects bulk GetObject requests against OCI Object Storage buckets, indicating potential data exfiltration via the OCI API or console.

Updated Dec 10, 2024 · Detection Engineering Team

oci · object-storage · exfiltration · cloud · audit-log

Problem Statement

OCI Object Storage is a common target for data exfiltration. Adversaries with compromised credentials can quietly download large datasets via the API with no alerting unless download volume is monitored.

Sample Logs

{"eventTime":"2024-12-10T02:15:00Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/hr/salaries_2024.csv","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":524288}
{"eventTime":"2024-12-10T02:15:04Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/finance/q4_report.xlsx","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":1048576}
{"eventTime":"2024-12-10T02:15:08Z","eventName":"GetObject","requestAction":"GET","principalId":"ocid1.user.oc1..aaaaaaaa7xyz","principalName":"data-analyst@corp.com","compartmentId":"ocid1.compartment.oc1..aaaa1234","resourceId":"sensitive-bucket/pii/customer_export_full.json","sourceIPAddress":"203.0.113.42","responseStatus":"200","bytesSent":10485760}

Required Fields

eventName
requestAction
principalId
principalName
compartmentId
resourceId
sourceIPAddress
responseStatus
bytesSent
eventTime

False Positives

  • Authorized bulk backup jobs using service principals
  • Data engineering pipelines performing large dataset reads
  • Disaster recovery jobs during maintenance windows

Tuning Guidance

Allowlist known automation service accounts by OCID and restrict the rule to human user principals. Add a bytesSent threshold so the rule focuses on large-volume transfers, and correlate hits with off-hours access for higher fidelity.
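As an added worked example (not code from the detection library page), the rule and the tuning guidance above expressed as Python over the sample log lines: successful GetObject events are grouped per principal, a sliding window checks both an object-count and a bytesSent threshold, automation OCIDs are tuned out via an allowlist, and an off-hours flag is attached for fidelity. The window, thresholds, the allowlisted OCID and the fourth (backup-job) event are assumed or constructed values.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Tuning knobs (assumed starting values; adjust per tenancy and workload)
WINDOW = timedelta(minutes=10)             # sliding window for counting GetObject calls
MIN_OBJECTS = 3                            # bulk threshold: distinct objects per principal per window
MIN_BYTES = 5 * 1024 * 1024                # volume threshold: summed bytesSent per window
OFF_HOURS_UTC = range(0, 6)                # hours treated as off-hours for the fidelity flag
ALLOWLIST = {"ocid1.user.oc1..backupsvc"}  # placeholder OCID of a known automation account

def detect(lines):
    """One alert per non-allowlisted principal whose successful GetObject calls exceed a threshold in WINDOW."""
    by_principal = defaultdict(list)
    for line in lines:
        ev = json.loads(line)                  # one OCI audit record per line
        ev["eventTime"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ev["eventName"] != "GetObject" or ev["responseStatus"] != "200":
            continue                           # only completed downloads count
        if ev["principalId"] in ALLOWLIST:
            continue                           # tuned-out automation accounts
        by_principal[ev["principalId"]].append(ev)
    alerts = []
    for pid, events in by_principal.items():
        events.sort(key=lambda e: e["eventTime"])
        for i, start in enumerate(events):     # slide the window over each start event
            window = [e for e in events[i:] if e["eventTime"] - start["eventTime"] <= WINDOW]
            objects = {e["resourceId"] for e in window}
            total = sum(int(e.get("bytesSent", 0)) for e in window)
            if len(objects) >= MIN_OBJECTS or total >= MIN_BYTES:
                alerts.append({"principalId": pid, "principalName": start["principalName"],
                               "sourceIPAddress": start["sourceIPAddress"], "objects": len(objects),
                               "bytesSent": total, "offHours": start["eventTime"].hour in OFF_HOURS_UTC})
                break                          # one alert per principal per run
    return alerts

def _ev(t, pid, name, obj, size, status="200"):
    """Build a constructed audit record in the page's field layout."""
    return json.dumps({"eventTime": t, "eventName": "GetObject", "requestAction": "GET", "principalId": pid,
                       "principalName": name, "compartmentId": "ocid1.compartment.oc1..aaaa1234", "resourceId": obj,
                       "sourceIPAddress": "203.0.113.42", "responseStatus": status, "bytesSent": size})

USER = "ocid1.user.oc1..aaaaaaaa7xyz"
SAMPLE_LOGS = [  # the page's three events plus one constructed allowlisted backup read, which must not alert
    _ev("2024-12-10T02:15:00Z", USER, "data-analyst@corp.com", "sensitive-bucket/hr/salaries_2024.csv", 524288),
    _ev("2024-12-10T02:15:04Z", USER, "data-analyst@corp.com", "sensitive-bucket/finance/q4_report.xlsx", 1048576),
    _ev("2024-12-10T02:15:08Z", USER, "data-analyst@corp.com", "sensitive-bucket/pii/customer_export_full.json", 10485760),
    _ev("2024-12-10T02:16:00Z", "ocid1.user.oc1..backupsvc", "backup-job", "sensitive-bucket/backup/full.tar", 50 * 2**20),
]
```

Running `detect(SAMPLE_LOGS)` yields a single alert for the analyst principal (3 objects, about 11.5 MiB, off-hours), while the larger backup-job read is suppressed by the allowlist.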