Detection Library
medium · experimental · OCI · Cloud · T1078.004 · T1021

OCI Cross-Compartment Resource Access Anomaly

Detects a principal accessing resources in compartments outside their normal operational scope, indicating potential lateral movement or policy misconfiguration exploitation.

Updated Dec 10, 2024 · Detection Engineering Team

oci · compartment · lateral-movement · cloud · anomaly

Problem Statement

In OCI, compartments are the primary isolation boundary. A user unexpectedly accessing compartments outside their normal scope may indicate privilege escalation, credential compromise, or policy misconfiguration exploitation.

Sample Logs

{"eventTime":"2024-12-10T09:30:00Z","eventName":"GetInstance","principalId":"ocid1.user.oc1..aaaadev111","principalName":"backend-dev@corp.com","compartmentId":"ocid1.compartment.oc1..prod-finance","resourceId":"ocid1.instance.oc1.ap-sydney-1.prod-payroll-server","sourceIPAddress":"10.10.2.50","responseStatus":"200"}
{"eventTime":"2024-12-10T09:31:15Z","eventName":"ListBuckets","principalId":"ocid1.user.oc1..aaaadev111","principalName":"backend-dev@corp.com","compartmentId":"ocid1.compartment.oc1..prod-hr","resourceId":null,"sourceIPAddress":"10.10.2.50","responseStatus":"200"}

Required Fields

principalId
principalName
compartmentId
eventName
responseStatus
eventTime
sourceIPAddress

False Positives

  • Cross-team projects requiring temporary access to multiple compartments
  • Platform engineers with broad operational access
  • New employees being onboarded across environments

Tuning Guidance

Requires a minimum of 14 days of baseline data per principal. Exclude service accounts with defined broad access. Use dynamic groups to maintain known-good access patterns. Tune the Z-score threshold (2.5–3.0) based on environment noise.
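The following is an added worked example of the baseline-and-threshold logic described above, run over the page's two sample log lines; it is not the Detection Library's own rule implementation. It assumes OCI Audit events shaped like the samples, a per-principal baseline window of 14 days, and a Z-score threshold of 2.5. The "scope score" metric (each compartment contributes 1 minus the fraction of baseline days the principal used it), the constructed baseline events for backend-dev@corp.com in dev compartments, and the EXCLUDED_PRINCIPALS allowlist are this example's own assumptions.

```python
"""Baseline + Z-score detection for OCI cross-compartment access (added example)."""
import json
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

MIN_BASELINE_DAYS = 14   # minimum baseline per principal (tuning guidance)
Z_THRESHOLD = 2.5        # tune within 2.5-3.0 (tuning guidance)
# Hypothetical allowlist of service accounts with defined broad access.
EXCLUDED_PRINCIPALS = {"ocid1.user.oc1..platformsvc000"}
DEV_PRINCIPAL = "ocid1.user.oc1..aaaadev111"   # principal from the page's sample logs

# The two sample log lines from the page (evaluation day 2024-12-10).
PAGE_SAMPLE_LOGS = [
    '{"eventTime":"2024-12-10T09:30:00Z","eventName":"GetInstance","principalId":"ocid1.user.oc1..aaaadev111","principalName":"backend-dev@corp.com","compartmentId":"ocid1.compartment.oc1..prod-finance","resourceId":"ocid1.instance.oc1.ap-sydney-1.prod-payroll-server","sourceIPAddress":"10.10.2.50","responseStatus":"200"}',
    '{"eventTime":"2024-12-10T09:31:15Z","eventName":"ListBuckets","principalId":"ocid1.user.oc1..aaaadev111","principalName":"backend-dev@corp.com","compartmentId":"ocid1.compartment.oc1..prod-hr","resourceId":null,"sourceIPAddress":"10.10.2.50","responseStatus":"200"}',
]


def parse_event(line):
    """Parse one OCI Audit JSON line; add a 'day' (date) for per-day grouping."""
    ev = json.loads(line)
    ev["day"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").date()
    return ev


def make_event(day, compartment, principal_id=DEV_PRINCIPAL,
               principal_name="backend-dev@corp.com", event_name="ListInstances"):
    """Build a constructed (not real) audit event for the given day and compartment."""
    return parse_event(json.dumps({
        "eventTime": day.strftime("%Y-%m-%dT10:00:00Z"), "eventName": event_name,
        "principalId": principal_id, "principalName": principal_name,
        "compartmentId": compartment, "resourceId": None,
        "sourceIPAddress": "10.10.2.50", "responseStatus": "200"}))


def constructed_baseline_events(days=14, end_day=date(2024, 12, 10)):
    """Constructed baseline: backend-dev uses dev-backend every day and dev-shared
    on three of the days, in the window before the page's sample logs."""
    events = []
    for i in range(1, days + 1):
        day = end_day - timedelta(days=i)
        events.append(make_event(day, "ocid1.compartment.oc1..dev-backend"))
        if i in (3, 7, 10):
            events.append(make_event(day, "ocid1.compartment.oc1..dev-shared"))
    return events


def group_by_principal_day(events):
    """principal -> day -> set of compartments touched with a 2xx response."""
    grouped = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if str(ev.get("responseStatus", "")).startswith("2"):
            grouped[ev["principalId"]][ev["day"]].add(ev["compartmentId"])
    return grouped


def scope_score(compartments, freq):
    """Sum of (1 - fraction of baseline days the principal used that compartment).
    A never-seen compartment contributes 1.0; an everyday one contributes 0."""
    return sum(1.0 - freq.get(c, 0.0) for c in compartments)


def build_baseline(events):
    """Per principal: compartment frequencies over baseline days and the scope
    score each baseline day would have produced (the reference distribution)."""
    baseline = {}
    for pid, days in group_by_principal_day(events).items():
        seen_on = defaultdict(int)
        for comps in days.values():
            for c in comps:
                seen_on[c] += 1
        freq = {c: k / len(days) for c, k in seen_on.items()}
        baseline[pid] = {"freq": freq, "days": len(days),
                         "daily_scores": [scope_score(c, freq) for c in days.values()]}
    return baseline


def zscore(value, samples):
    """Population Z-score; a zero-variance baseline gives +inf above the mean."""
    mean, std = statistics.fmean(samples), statistics.pstdev(samples)
    if std == 0:
        return float("inf") if value > mean else 0.0
    return (value - mean) / std


def detect(baseline, events, threshold=Z_THRESHOLD, excluded=EXCLUDED_PRINCIPALS):
    """Alert per (principal, day) whose scope score is a Z-score outlier against
    that principal's baseline; excluded or under-baselined principals are skipped."""
    alerts = []
    names = {ev["principalId"]: ev.get("principalName") for ev in events}
    for pid, days in group_by_principal_day(events).items():
        base = baseline.get(pid)
        if pid in excluded or base is None or base["days"] < MIN_BASELINE_DAYS:
            continue   # no alert without 14 days of baseline (tuning guidance)
        for day, comps in sorted(days.items()):
            z = zscore(scope_score(comps, base["freq"]), base["daily_scores"])
            if z >= threshold:
                alerts.append({
                    "principalId": pid, "principalName": names[pid], "day": day.isoformat(),
                    "novel_compartments": sorted(c for c in comps if c not in base["freq"]),
                    "zscore": round(z, 2)})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(constructed_baseline_events())
    for alert in detect(baseline, [parse_event(line) for line in PAGE_SAMPLE_LOGS]):
        print(json.dumps(alert))
```

With this constructed baseline, the page's two sample events (prod-finance and prod-hr, neither ever seen for this principal) score about z = 5.7 and alert at either end of the 2.5–3.0 band; a single never-seen compartment scores about z = 2.6, so it alerts at 2.5 but not at 3.0, which is the trade-off the tuning guidance asks you to make for your environment's noise. A day spent only in the occasionally used dev-shared compartment stays below threshold.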