Suspicious activity

Create public access security rule from malicious IP address

Risk Level

Imminent Compromised (2)



Orca detected a create or modify security group rule operation from a malicious IP address. The operation was called from a malicious IP address - {MaliciousIp.MaliciousIp}, which might indicate of an exfiltration or a persistence attempt. An attacker with permissions to create or modify security groups can expose sensitive assets to the internet in order the maintain his access or leak information.
  • Recommended Mitigation

    It is recommended to review the permissions which were used to make this api call and verify if the change in the security group is necessary.