PH_RULE_OracleOci_UserSMTPCredCreated
Enabled
Oracle OCI User SMTP Credential was created. Admin users can create keys, tokens, and credentials for other users, and some users are allowed to create these themselves. So the user and target user id may not always refer to the same account.
7
Security
Resource Development
Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.
https://attack.mitre.org/tactics/TA0042T1585.002
Establish Accounts: Email Accounts
Before compromising a victim, adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct Phishing for Information or Phishing. Adversaries may also take steps to cultivate a persona around the email account, such as through use of Social Media Accounts, to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure. To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.
https://attack.mitre.org/techniques/T1585/002Network
Oracle OCI via OCI_Streaming_SDK
Correlation
Confirm that the user intentionally created an SMTP credential for the given user account
If the following pattern or patterns match an ingested event within the given time window in seconds, trigger an incident.
120 secondsIf the following defined pattern/s occur within a 120 second time window.
smtp_cred_createThis is the named definition of the event query, this is important if multiple subpatterns are defined to distinguish them.
This is the query logic that matches incoming events
eventType = "Oracle-OCI-identitycontrolplane-createsmtpcredential"This defines how matching events are aggregated, only events with the same matching attribute values are grouped into one unique incident ID
srcIpAddr,user,targetUserIdThis is most typically a numerical constraint that defines when the rule should trigger an incident
COUNT(*) >= 1This section defines which fields in matching raw events should be mapped to the incident attributes in the resulting incident.
The available raw event attributes to map are limited to the group by attributes and the aggregate event constraint fields for each subpattern
user=smtp_cred_create.user,
targetUserId=smtp_cred_create.targetUserId,
srcIpAddr=smtp_cred_create.srcIpAddr