Updated on 2022-12-01 GMT+08:00

OBS Alarms

UserFirstAccess

A specific user accessed an OBS bucket for the first time.

Severity: low

Data source: OBS logs

A user who has never accessed the bucket before accessed it.

Suggestions

If the user is not authorized, credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

IPFirstAccess

A specific IP address was used for the first time to access an OBS bucket.

Severity: low

Data source: OBS logs

An IP address that has never accessed the bucket before accessed it.

Suggestions

If the IP address is not authorized, credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket, or enable OBS URL validation with the Referer added to the blacklist.

ClientFirstAccess

A new client was used to access an OBS bucket.

Severity: low

Data source: OBS logs

A client that has never accessed the bucket before accessed it.

Suggestions

If the login client is not commonly used, remediate the access policy of the compromised OBS bucket or enable OBS URL validation with the Referer added to the blacklist.

UserFirstCrossDomainAccess

An OBS instance is being accessed for the first time by a user who does not belong to your account.

Severity: low

Data source: OBS logs

A user who does not belong to your account accessed the bucket. The user client has never accessed the bucket before.

Suggestions

If the user is not authorized, credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

UserAccessFrequencyAbnormal

A user accessed a specific OBS bucket frequently.

Severity: low

Data source: OBS logs

The frequency with which a user who belongs to your account accesses the bucket is abnormal.

Suggestions

If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

IPAccessFrequencyAbnormal

An IP address was used to access a specific OBS bucket frequently.

Severity: low

Data source: OBS logs

The frequency with which this IP address accesses the bucket is abnormal.

Suggestions

If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

UserDownloadAbnormal

Abnormal download behavior is detected.

Severity: low

Data source: OBS logs

The download volume from the bucket is abnormal.

Suggestions

If this activity is unexpected, user credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

UserIPDownloadAbnormal

Abnormal download behavior by a user through a specific IP address is detected.

Severity: low

Data source: OBS logs

The download volume from the bucket through the specific IP address is abnormal.

Suggestions

If this activity is unexpected, user credentials may have been disclosed or OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket.

UnauthorizedAccess

Unauthorized access is detected.

Severity: low

Data source: OBS logs

Multiple unauthorized API calls on the bucket occurred during a specific period.

Suggestions

If the activity is authorized, add the permission to the access policy for the user. If the activity is unauthorized, enable OBS URL validation with the Referer added to the blacklist.

UserHourLevelAccessAbnormal

Abnormal hourly access is detected.

Severity: low

Data source: OBS logs

The API call frequency for the bucket is abnormal during the same period every day.

Suggestions

If this activity is unexpected, remediate the access policy of the compromised OBS bucket.

IPSwitchAbnormal

An abnormal IP address switch is detected.

Severity: low

Data source: OBS logs

The bucket is accessed by multiple IP addresses during a specific period. The number of IP addresses used is inconsistent with your historical behavior.

Suggestions

If this activity is unexpected, your OBS permissions are not restrictive enough. In this case, remediate the access policy of the compromised OBS bucket, or enable OBS URL validation with the Referer added to the blacklist.