When logging in to an OCI tenancy, I noticed something interesting – there was a message bar at the top of the console reporting “Unusual traffic detected.” It turns out that there were a couple of instances in a compartment that were showing signs of potential compromise. Here’s the alert that we received when we clicked on the banner:
The detail included the region, instance name, and OCID of the offending resources, as well as the type of activity – in this case, the instances were showing traffic patterns that matched brute-force SSH attacks. This information made it very easy to investigate and remediate. As it turns out, someone had created an instance with a wide open security list in a compartment set to be destroyed. We were able to jump on it quickly and terminate the offending instances.
The warning was a good reminder to keep an eye on your security lists and public instances. All told, this is a very good feature to see in the real world.
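As an added example (not from the original post), here is a small offline check for the condition that bit us above: a security list whose ingress rules admit SSH from the whole internet. The rule shape follows the hyphenated JSON the OCI CLI prints for `oci network security-list list`; that shape and the sample lists are assumptions, not data from the incident.

```python
# Added example (not from the original post): flag OCI security lists whose
# ingress rules expose SSH (TCP/22) to the whole internet. Rule keys follow the
# hyphenated OCI CLI JSON shape (an assumption; adjust if your export differs).
import ipaddress

def rule_opens_ssh_to_world(rule):
    """True if an ingress rule admits TCP/22 from a catch-all CIDR (/0)."""
    source = rule.get("source", "")
    try:
        if ipaddress.ip_network(source, strict=False).prefixlen != 0:
            return False           # scoped source CIDR, not the whole internet
    except ValueError:
        return False               # service/NSG sources are out of scope here
    proto = str(rule.get("protocol", "")).lower()
    if proto == "all":
        return True                # every port, every protocol
    if proto != "6":               # 6 = TCP in OCI rules
        return False
    port_range = (rule.get("tcp-options") or {}).get("destination-port-range")
    if not port_range:
        return True                # TCP with no port range means all TCP ports
    return port_range["min"] <= 22 <= port_range["max"]

def find_exposed_ssh(security_lists):
    """Return (list display name, rule index) for each offending ingress rule."""
    hits = []
    for sl in security_lists:
        for i, rule in enumerate(sl.get("ingress-security-rules", [])):
            if rule_opens_ssh_to_world(rule):
                hits.append((sl["display-name"], i))
    return hits

# Constructed sample: one wide-open list like the one in the post, one sane list.
SAMPLE_LISTS = [
    {"display-name": "wide-open-sl", "ingress-security-rules": [
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "protocol": "all"},
    ]},
    {"display-name": "bastion-only-sl", "ingress-security-rules": [
        {"source": "10.0.0.0/8", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
        {"source": "0.0.0.0/0", "protocol": "6",
         "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
    ]},
]

for name, idx in find_exposed_ssh(SAMPLE_LISTS):
    print(f"{name}: ingress rule #{idx} exposes SSH to the internet")
```

Feed it the `data` array from the CLI output for each compartment and it prints the lists worth tightening before the console banner does.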