Oracle Cloud Audit
About
Describes the Oracle Cloud Infrastructure Audit service, which automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events.
Oracle offers a comprehensive and fully integrated stack of cloud applications and platform services.
Product Details
Vendor URL: Oracle | Integrated Cloud Applications and Platform Services
Product Type: Endpoint Detection and Response
Product Tier: Tier III
Integration Method: Hybrid (API / Bucket)
Integration URL: Overview of Audit - Oracle Help Center
Cyderes Integration URL: Oracle Cloud Infrastructure Object Storage
Log Guide: Audit Logs - Oracle Help Center
Parser Details
Log Format: JSON
Expected Normalization Rate: 85%
Data Label: ORACLE_CLOUD_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
action | security_result.action |
action | metadata.product_event_type |
appclass | target.resource.type |
appname | target.resource.resource_subtype |
ClientIP | principal.ip |
contenttype | security_result.detection_fields |
data.action | network.http.method |
data.identity.principalId | principal.user.product_object_id |
data.identity.principalName | additional.fields |
data.identity.userAgent | network.http.user_agent |
data.protocolName | network.ip_protocol |
data.request.action | network.http.method |
data.request.status | network.http.response_code |
datacenter | additional.fields |
department | principal.user.department |
devicehostname | principal.hostname |
deviceowner | about.user.userid |
dlpdict | security_result.detection_fields |
dlpdicthitcount | security_result.detection_fields |
dlpengine | security_result.rule_name |
event_id | metadata.product_log_id |
fileclass | security_result.detection_fields |
filename | target.file.names |
filetype | target.file.mime_type |
host | security_result.about.hostname |
hostname | target.hostname |
location | additional.fields |
malwarecat | security_result.detection_fields |
malwareclass | security_result.detection_fields |
malwaremd5 | target.file.md5 |
oracle.tenantid | principal.asset.product_object_id |
originalConnection.destinationIp | target.ip |
originalConnection.destinationPort | target.port |
pagerisk | security_result.severity |
pagerisk | security_result.severity_details |
product | metadata.product_name |
protocol | network.application_protocol |
r-ip | target.ip |
reason | metadata.description |
refererURL | network.http.referral_url |
requestmethod | network.http.method |
requestsize | network.sent_bytes |
responsesize | network.received_bytes |
riskscore | security_result.about.investigation.severity_score |
rulelabel | security_result.detection_fields |
ruletype | security_result.detection_fields |
serverip | target.ip |
source | principal.hostname |
srvcertchainvalpass | security_result.detection_fields |
srvocspresult | security_result.detection_fields |
ssldecrypted | security_result.detection_fields |
status | network.http.response_code |
threatcategory | security_result.detection_fields |
threatcategory | security_result.category_details |
threatclass | security_result.detection_fields |
threatname | security_result.threat_name |
top1mil | security_result.category_details |
trafficredirectmethod | additional.fields |
url | target.url |
urlcat | security_result.category_details |
urlcategory | security_result.category_details |
urlcategory + threatname | security_result.summary |
urlclass | security_result.detection_fields |
urlport | target.port |
urlsupercategory | security_result.detection_fields |
user | principal.user.email_addresses |
user | principal.user.userid |
useragent | network.http.user_agent |
Product Event Types
Event | UDM Event Classification |
---|---|
data.destinationAddress != "" and data.sourceAddress != "" | NETWORK_CONNECTION |
originalConnection.destinationIp != "" | NETWORK_CONNECTION |
z_error.url_fix == "true" | GENERIC_EVENT |
All others | NETWORK_HTTP |
if message =~ "Health Check" | STATUS_HEARTBEAT |
no_targethost | GENERIC_EVENT |
Log Sample
{"data":{"additionalDetails":{"ClusterId":"abcd1.cluster.ab1.abc.aaaaaaaagzqie57g7ai6ylhkoitlaj55er4lfw3rprtipf66lcevl4g23dxa"},"availabilityDomain":"AD_X","compartmentId":"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","compartmentName":"sample-project","definedTags":null,"eventGroupingId":null,"eventName":"GetNodePool","freeformTags":null,"identity":{"authType":"instance","callerId":null,"callerName":null,"consoleSessionId":null,"credentials":"ABC","ipAddress":"10.1.1.1,10.10.10.1","principalId":"abcd1.instance.ab1.abc.12345abcde","principalName":null,"tenantId":"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","userAgent":"Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"},"message":"GetNodePool succeeded","request":{"action":"GET","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip"],"Connection":["keep-alive"],"Content-Type":["application/json"],"Date":["Fri, 11 May 2023 20:26:00 GMT"],"Opc-Client-Info":["Oracle-GoSDK/55.1.0"],"Opc-Request-Id":["1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab"],"User-Agent":["Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"],"X-Forwarded-For":["10.1.1.1,10.10.10.1"],"X-OCI-LB-NetworkMetadata":["{\"originalConnection\":{\"sourceIp\":\"10.1.1.1\",\"sourcePort\":80,\"destinationIp\":\"10.10.20.2\",\"destinationPort\":443,\"protocol\":\"https\"},\"paResourceConnection\":{\"sourceIp\":\"10.10.10.1\",\"sourcePort\":80,\"destinationIp\":\"10.10.20.2\",\"destinationPort\":443},\"paResource\":{\"ocid\":\"\",\"123cid\":\"abcd1.vcn.ab1.abc.1234abcd1234abcd1234abcd1234\"}}"],"X-OCI-LB-PrivateAccessMetadata":["ABC123"],"X-Real-IP":["10.1.1.1"],"X-Real-Port":["41544"],"oci-original-host":["containerengine.us-ashburn-1.oci.oraclecloud.com"],"oci-original-url":["https://sample.com"],"oci-skip-authorization-for-splat":["true"],"oci-splat-audit-verify":["true"],"oci-splat-service-operation-id":["oke.GetNodePool"],"opc-principal":["{\"tenantId\":\"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"subjectId\":\"abcd1.instance.ab1.abc.12345abcde\",\"claims\":[{\"key\":\"opc-instance\",\"value\":\"abcd1.instance.ab1.abc.12345abcde\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_host\",\"value\":\"containerengine.us-ashburn-1.oci.oraclecloud.com\",\"issuer\":\"h\"},{\"key\":\"fprint\",\"value\":\"A1:B2:C3:D4\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"authorization\",\"value\":\"Signature version=\\\"1\\\",headers=\\\"date (request-target) host\\\",keyId=\\\"AAA\\\",algorithm=\\\"rsa-sha256\\\",signature=\\\"*****\\\"\",\"issuer\":\"h\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20202020/nodePools/abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"h\"},{\"key\":\"ptype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tenant\",\"value\":\"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Fri, 19 May 2023 20:26:12 GMT\",\"issuer\":\"h\"},{\"key\":\"opc-certtype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-compartment\",\"value\":\"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"x509\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tag\",\"value\":\"V3,abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234,ABCDABCDABCDABCD,ABCDABCDABCDABCD\",\"issuer\":\"authService.oracle.com\"}]}"]},"id":"1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab","parameters":{},"path":"/20202020/nodePools/abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},"resourceId":"abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","response":{"headers":{"Content-Length":["1234"],"Content-Type":["application/json"],"Date":["Fri, 19 May 2023 20:26:12 GMT"],"ETag":["1234ab1234ab1234ab1234ab1234ab"],"opc-request-id":["1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab"]},"message":null,"payload":null,"responseTime":"2023-05-19T20:26:12.762Z","status":"200"},"stateChange":{"current":null,"previous":null}},"dataschema":"2.0","id":"1234abcd-1234-12ab-1234-123456abcdef","oracle":{"compartmentid":"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","ingestedtime":"2023-05-19T20:26:22.345Z","loggroupid":"_Audit","tenantid":"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},"source":"sample-1-office","specversion":"1.0","time":"2023-05-19T20:26:12.744Z","type":"com.oraclecloud.ClustersAPI.GetNodePool"}
Sample Parsing
extensions.auth.auth_details = "instance"
metadata.description = "GetNodePool succeeded"
metadata.event_type = "NETWORK_CONNECTION"
metadata.log_type = "ORACLE_CLOUD_AUDIT"
metadata.product_event_type = "GetNodePool"
metadata.product_name = "Oracle Cloud Audit"
metadata.product_version = "1.0"
metadata.vendor_name = "Oracale"
network.http.method = "GET"
network.http.user_agent = "Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"
principal.asset.product_object_id = "abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
principal.cloud.availability_zone = "AD_X"
principal.cloud.project.name = "sample-project"
principal.cloud.project.product_object_id = "abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
principal.hostname = "sample-1-office"
principal.ip = "10.1.1.1"
principal.namespace = "Sample_SPACE"
principal.nat_ip = "10.10.10.1"
principal.user.product_object_id = "abcd1.instance.ab1.abc.12345abcde"
target.ip = "10.10.20.2"
target.namespace = "Sample_SPACE"
target.port = 443
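An added Python illustration (not the Cyderes parser or any Oracle code) of how the Product Event Types rules and a subset of the field mappings above turn the log sample into the Sample Parsing output. It assumes the X-OCI-LB-NetworkMetadata header carries a single JSON-encoded string and that principal.ip and principal.nat_ip come from the first and second entries of identity.ipAddress, as the sample output suggests; the event it parses is a constructed, trimmed copy of the page's sample.

```python
import json

# Constructed sample in the shape of this page's log sample (placeholder OCIDs).
SAMPLE_EVENT = {
    "data": {
        "eventName": "GetNodePool", "message": "GetNodePool succeeded",
        "identity": {"authType": "instance", "ipAddress": "10.1.1.1,10.10.10.1",
                     "principalId": "abcd1.instance.ab1.abc.12345abcde"},
        "request": {"action": "GET", "headers": {"X-OCI-LB-NetworkMetadata": [json.dumps(
            {"originalConnection": {"sourceIp": "10.1.1.1", "destinationIp": "10.10.20.2",
                                    "destinationPort": 443, "protocol": "https"}})]}},
    },
}

def original_connection(event):
    # The header value is a one-element list whose element is a JSON string.
    raw = (event.get("data", {}).get("request", {}).get("headers", {})
           .get("X-OCI-LB-NetworkMetadata"))
    try:
        return json.loads(raw[0]).get("originalConnection", {}) if raw else {}
    except (ValueError, TypeError, AttributeError):
        return {}  # malformed header: fall through to the non-connection rules

def classify(event):
    # Product Event Types rules from this page; the catch-all is checked last.
    data = event.get("data", {})
    if (data.get("destinationAddress") and data.get("sourceAddress")
            or original_connection(event).get("destinationIp")):
        return "NETWORK_CONNECTION"
    if "Health Check" in (data.get("message") or ""):
        return "STATUS_HEARTBEAT"
    return "NETWORK_HTTP"

def to_udm(event):
    data = event.get("data", {})
    ident, conn = data.get("identity", {}), original_connection(event)
    ips = [ip.strip() for ip in (ident.get("ipAddress") or "").split(",") if ip.strip()]
    udm = {
        "metadata.event_type": classify(event),
        "metadata.product_event_type": data.get("eventName"),
        "metadata.description": data.get("message"),
        "extensions.auth.auth_details": ident.get("authType"),
        "network.http.method": data.get("request", {}).get("action"),
        "principal.ip": ips[0] if ips else None,               # first hop: client
        "principal.nat_ip": ips[1] if len(ips) > 1 else None,  # second hop: NAT/LB
        "principal.user.product_object_id": ident.get("principalId"),
        "target.ip": conn.get("destinationIp"), "target.port": conn.get("destinationPort"),
    }
    return {k: v for k, v in udm.items() if v is not None}
```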