Detection Library
high · production · OCI · Cloud · T1078.004 (Valid Accounts: Cloud Accounts)

OCI Console Login from New Country or Tor Exit Node

Detects OCI console sign-in events originating from a country not previously seen for the user, or from known Tor exit node IP ranges.

Updated Dec 10, 2024 · Detection Engineering Team

oci · login-anomaly · geo · tor · cloud · initial-access

Problem Statement

Console sign-in anomalies are a primary indicator of account takeover in cloud environments: a successful OCI console login from a Tor exit node, or from a country the user has never signed in from before, warrants immediate investigation. Note that Tor exits often geolocate as "Unknown" (as in the sample log below), so the country field alone cannot identify them; the source IP must be matched against a Tor exit-node list.

Sample Logs

{"eventTime":"2024-12-10T03:10:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"185.220.101.47","userAgent":"Mozilla/5.0","responseStatus":"200","compartmentId":"ocid1.tenancy.oc1..roottenancy","additionalDetails":{"country":"Unknown","city":"Tor Exit Node"}}
{"eventTime":"2024-12-10T03:10:02Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"185.220.101.47","responseStatus":"401","additionalDetails":{"country":"Unknown"}}

Required Fields

eventName
principalId
principalName
sourceIPAddress
responseStatus
additionalDetails.country
eventTime

False Positives

  • Employees using VPNs that exit in unexpected countries
  • Travelers accessing OCI from foreign locations
  • Privacy-conscious users routing through Tor for non-malicious reasons

Tuning Guidance

Build a per-user baseline of the countries seen in successful sign-ins over the previous 30 days, and alert only on a country that is new for that user, not on every non-home country. Because Tor exits commonly geolocate as "Unknown", match sourceIPAddress against a Tor exit-node list (refreshed at least weekly) rather than relying on additionalDetails.country. Raise fidelity by correlating each alert with the count of 401 responses for the same principal and source IP in the minutes around the event.
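The following is an added example, not part of the original detection entry, showing the tuning guidance as runnable detection logic: a per-user 30-day country baseline built from successful InteractiveLogin events, a Tor exit-node check on sourceIPAddress, and a nearby-401 count for each alert. The Tor range, the extra baseline log lines and the second user (ops-admin@corp.com) are constructed for the example; the two finance-lead events are the sample logs from this page.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Tor exit ranges, constructed for this example. In production this
# list is loaded from a Tor exit-node feed and refreshed at least weekly.
TOR_EXIT_NETWORKS = [ipaddress.ip_network("185.220.101.0/24")]

BASELINE_WINDOW = timedelta(days=30)        # per-user country history
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # window for correlating 401s

# Constructed sample logs: two US baseline logins for finance-lead, a DE
# baseline login for the hypothetical ops-admin user, an ops-admin login from
# a new country preceded by a 401, and the two events from the page.
SAMPLE_LOGS = """
{"eventTime":"2024-11-15T09:00:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"203.0.113.10","responseStatus":"200","additionalDetails":{"country":"US","city":"Austin"}}
{"eventTime":"2024-12-01T09:05:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"203.0.113.10","responseStatus":"200","additionalDetails":{"country":"US","city":"Austin"}}
{"eventTime":"2024-12-01T10:00:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser002","principalName":"ops-admin@corp.com","sourceIPAddress":"198.51.100.7","responseStatus":"200","additionalDetails":{"country":"DE","city":"Frankfurt"}}
{"eventTime":"2024-12-09T22:00:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser002","principalName":"ops-admin@corp.com","sourceIPAddress":"198.51.100.99","responseStatus":"401","additionalDetails":{"country":"BR","city":"Sao Paulo"}}
{"eventTime":"2024-12-09T22:00:30Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser002","principalName":"ops-admin@corp.com","sourceIPAddress":"198.51.100.99","responseStatus":"200","additionalDetails":{"country":"BR","city":"Sao Paulo"}}
{"eventTime":"2024-12-10T03:10:00Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"185.220.101.47","userAgent":"Mozilla/5.0","responseStatus":"200","compartmentId":"ocid1.tenancy.oc1..roottenancy","additionalDetails":{"country":"Unknown","city":"Tor Exit Node"}}
{"eventTime":"2024-12-10T03:10:02Z","eventName":"InteractiveLogin","principalId":"ocid1.user.oc1..aaaauser001","principalName":"finance-lead@corp.com","sourceIPAddress":"185.220.101.47","responseStatus":"401","additionalDetails":{"country":"Unknown"}}
"""


def parse_events(text):
    """Parse JSON-lines audit events and sort them by eventTime."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["_ts"])
    return events


def is_tor_exit(ip):
    """True if the source IP falls inside a known Tor exit range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TOR_EXIT_NETWORKS)


def failed_logins_near(events, ev):
    """Count 401s for the same principal and source IP within FAILED_LOGIN_WINDOW."""
    return sum(
        1 for e in events
        if e["principalId"] == ev["principalId"]
        and e["sourceIPAddress"] == ev["sourceIPAddress"]
        and e["responseStatus"] == "401"
        and abs(e["_ts"] - ev["_ts"]) <= FAILED_LOGIN_WINDOW
    )


def detect(events):
    """Alert on successful console logins from Tor or a first-time country."""
    history = defaultdict(list)  # principalId -> [(ts, country)] of successes
    alerts = []
    for ev in events:
        if ev.get("eventName") != "InteractiveLogin" or ev.get("responseStatus") != "200":
            continue  # failures feed the 401 correlation, not the baseline
        country = ev.get("additionalDetails", {}).get("country", "Unknown")
        window_start = ev["_ts"] - BASELINE_WINDOW
        seen = {c for ts, c in history[ev["principalId"]] if ts >= window_start}
        reasons = []
        if is_tor_exit(ev["sourceIPAddress"]):
            reasons.append("tor_exit")
        # "Unknown" is not a country: never baseline it or flag it as new.
        # A user with no 30-day history gets no country alert (bootstrap noise).
        if country != "Unknown" and seen and country not in seen:
            reasons.append("new_country")
        if reasons:
            alerts.append({
                "eventTime": ev["eventTime"],
                "principalName": ev["principalName"],
                "sourceIPAddress": ev["sourceIPAddress"],
                "country": country,
                "reasons": reasons,
                "failed_logins_nearby": failed_logins_near(events, ev),
            })
        if country != "Unknown":
            history[ev["principalId"]].append((ev["_ts"], country))
    return alerts


def run():
    return detect(parse_events(SAMPLE_LOGS))


if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert))
```

On the constructed input this produces two alerts: ops-admin's BR sign-in (new_country, with one 401 from the same IP 30 seconds earlier) and finance-lead's sign-in from the Tor range (tor_exit, with the page's 401 two seconds later). The Tor event is not also flagged as new_country, because its country is "Unknown" and would otherwise poison the baseline.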