OBS Alarms
UserFirstAccess
A specific user accessed an OBS bucket for the first time.
Severity: low
Data source: OBS logs
A user who has never accessed the bucket before accessed it.
Suggestions
If the user is not authorized, credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
IPFirstAccess
A specific IP address was used for the first time to access an OBS bucket.
Severity: low
Data source: OBS logs
An IP address that has never accessed the bucket before accessed it.
Suggestions
If the IP address is not authorized, credentials may have been disclosed or OBS permission is not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket, or enable OBS URL validation with the Referer added to the blacklist.
ClientFirstAccess
A new client was used to access an OBS bucket.
Severity: low
Data source: OBS logs
A client that has never accessed the bucket before accessed it.
Suggestions
If the login client is not commonly used, remediate the access policy of the compromised OBS bucket or enable OBS URL validation with the Referer added to the blacklist.
UserFirstCrossDomainAccess
An OBS instance is being accessed for the first time by a user who does not belong to your account.
Severity: low
Data source: OBS logs
A user who does not belong to your account accessed the bucket. The user client has never accessed the bucket before.
Suggestions
If the user is not authorized, credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
UserAccessFrequencyAbnormal
A user accessed a specific OBS bucket frequently.
Severity: low
Data source: OBS logs
Access frequency of a user that belongs to your account to the bucket is abnormal.
Suggestions
If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
IPAccessFrequencyAbnormal
An IP address was used to access a specific OBS bucket frequently.
Severity: low
Data source: OBS logs
The access frequency of this IP address to the bucket is abnormal.
Suggestions
If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
UserDownloadAbnormal
Abnormal download behavior is detected.
Severity: low
Data source: OBS logs
The download volume from the bucket is abnormal.
Suggestions
If this activity is unexpected, the user credential may have been disclosed or the OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
UserIPDownloadAbnormal
An IP address is detected in a user's abnormal download behavior.
Severity: low
Data source: OBS logs
The download volume from the bucket through the specific IP address is abnormal.
Suggestions
If this activity is unexpected, user credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.
UnauthorizedAccess
Unauthorized access is detected.
Severity: low
Data source: OBS logs
Multiple unauthorized API calls on the bucket occurred during a specific period.
Suggestions
If the activity is authorized, add the permission to the access policy for the user. If the activity is unauthorized, enable OBS URL validation with the Referer added to the blacklist.
UserHourLevelAccessAbnormal
Abnormal hourly access is detected.
Severity: low
Data source: OBS logs
API calling frequency of the bucket is abnormal in the same period of every day.
Suggestions
If this activity is unexpected, remediate the access policy of the compromised OBS bucket.
IPSwitchAbnormal
Abnormal IP address switch is detected.
Severity: low
Data source: OBS logs
The bucket is accessed by multiple IP addresses during a specific period. The number of IP addresses used is inconsistent with the number in your historical behavior.
Suggestions
If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket, or enable OBS URL validation with the Referer added to the blacklist.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
