Skip to content

Oracle Cloud Audit

Oracle Cloud Audit

About

Describes the Oracle Cloud Infrastructure Audit service, which automatically records calls to all supported Oracle Cloud Infrastructure public application programming interface (API) endpoints as log events.

Oracle offers a comprehensive and fully integrated stack of cloud applications and platform services.

Product Details

Vendor URL: Oracle | Integrated Cloud Applications and Platform Services

Product Type: Endpoint Detection and Response

Product Tier: Tier III

Integration Method: Hybrid (API / Bucket)

Integration URL: Overview of Audit - Oracle Help Center

Cyderes Integration URL: Oracle Cloud Infrastructure Object Storage

Log Guide: Audit Logs - Oracle Help Center

Parser Details

Log Format: JSON

Expected Normalization Rate: 85%

Data Label: ORACLE_CLOUD_AUDIT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field UDM Field
action security_result.action
action metadata.product_event_type
appclass target.resource.type
appname target.resource.resource_subtype
ClientIP principal.ip
contenttype security_result.detection_fields
data.action network.http.method
data.identity.principalId principal.user.product_object_id
data.identity.principalName additional.fields
data.identity.userAgent network.http.user_agent
data.protocolName network.ip_protocol
data.request.action network.http.method
data.request.status network.http.response_code
datacenter additional.fields
department principal.user.department
devicehostname principal.hostname
deviceowner about.user.userid
dlpdict security_result.detection_fields
dlpdicthitcount security_result.detection_fields
dlpengine security_result.rule_name
event_id metadata.product_log_id
fileclass security_result.detection_fields
filename target.file.names
filetype target.file.mime_type
host security_result.about.hostname
hostname target.hostname
location additional.fields
malwarecat security_result.detection_fields
malwareclass security_result.detection_fields
malwaremd5 target.file.md5
oracle.tenantid principal.asset.product_object_id
originalConnection.destinationIp target.ip
originalConnection.destinationPort target.port
pagerisk security_result.severity
pagerisk security_result.severity_details
product metadata.product_name
protocol network.application_protocol
r-ip target.ip
reason metadata.description
refererURL network.http.referral_url
requestmethod network.http.method
requestsize network.sent_bytes
responsesize network.received_bytes
riskscore security_result.about.investigation.severity_score
rulelabel security_result.detection_fields
ruletype security_result.detection_fields
serverip target.ip
source principal.hostname
srvcertchainvalpass security_result.detection_fields
srvocspresult security_result.detection_fields
ssldecrypted security_result.detection_fields
status network.http.response_code
threatcategory security_result.detection_fields
threatcategory security_result.category_details
threatclass security_result.detection_fields
threatname security_result.threat_name
top1mil security_result.category_details
trafficredirectmethod additional.fields
url target.url
urlcat security_result.category_details
urlcategory security_result.category_details
urlcategory + threatname security_result.summary
urlclass security_result.detection_fields
urlport target.port
urlsupercategory security_result.detection_fields
user principal.user.email_addresses
user principal.user.userid
useragent network.http.user_agent

Product Event Types

Event UDM Event Classification
data.destinationAddress != "" and data.sourceAddress != " NETWORK_CONNECTION
originalConnection.destinationIp != "" NETWORK_CONNECTION
z_error.url_fix == "true" GENERIC_EVENT
All others NETWORK_HTTP
if message =~ "Health Check" STATUS_HEARTBEAT
no_targethost GENERIC_EVENT

Log Sample

{"data":{"additionalDetails":{"ClusterId":"abcd1.cluster.ab1.abc.aaaaaaaagzqie57g7ai6ylhkoitlaj55er4lfw3rprtipf66lcevl4g23dxa"},"availabilityDomain":"AD_X","compartmentId":"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","compartmentName":"sample-project","definedTags":null,"eventGroupingId":null,"eventName":"GetNodePool","freeformTags":null,"identity":{"authType":"instance","callerId":null,"callerName":null,"consoleSessionId":null,"credentials":"ABC","ipAddress":"10.1.1.1,10.10.10.1","principalId":"abcd1.instance.ab1.abc.12345abcde","principalName":null,"tenantId":"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","userAgent":"Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"},"message":"GetNodePool succeeded","request":{"action":"GET","headers":{"Accept":["*/*"],"Accept-Encoding":["gzip"],"Connection":["keep-alive"],"Content-Type":["application/json"],"Date":["Fri, 11 May 2023 20:26:00 GMT"],"Opc-Client-Info":["Oracle-GoSDK/55.1.0"],"Opc-Request-Id":["1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab"],"User-Agent":["Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"],"X-Forwarded-For":["10.1.1.1,10.10.10.1"],"X-OCI-LB-NetworkMetadata":["{\"originalConnection\":{\"sourceIp\":\"10.1.1.1\",\"sourcePort\":80,\"destinationIp\":\"10.10.20.2\",\"destinationPort\":443,\"protocol\":\"https\"},\"paResourceConnection\":{\"sourceIp\":\"10.10.10.1\",\"sourcePort\":80,\"destinationIp\":\"10.10.20.2\",\"destinationPort\":443},\"paResource\":{\"ocid\":\"\",\"123cid\":\"abcd1.vcn.ab1.abc.1234abcd1234abcd1234abcd1234\"}}"],"X-OCI-LB-PrivateAccessMetadata":["ABC123"],"X-Real-IP":["10.1.1.1"],"X-Real-Port":["41544"],"oci-original-host":["containerengine.us-ashburn-1.oci.oraclecloud.com"],"oci-original-url":["https://sample.com"],"oci-skip-authorization-for-splat":["true"],"oci-splat-audit-verify":["true"],"oci-splat-service-operation-id":["oke.GetNodePool"],"opc-principal":["{\"tenantId\":\"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"subjectId\":\"abcd1.instance.ab1.abc.12345abcde\",\"claims\":[{\"key\":\"opc-instance\",\"value\":\"abcd1.instance.ab1.abc.12345abcde\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_host\",\"value\":\"containerengine.us-ashburn-1.oci.oraclecloud.com\",\"issuer\":\"h\"},{\"key\":\"fprint\",\"value\":\"A1:B2:C3:D4\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"authorization\",\"value\":\"Signature version=\\\"1\\\",headers=\\\"date (request-target) host\\\",keyId=\\\"AAA\\\",algorithm=\\\"rsa-sha256\\\",signature=\\\"*****\\\"\",\"issuer\":\"h\"},{\"key\":\"h_(request-target)\",\"value\":\"get /20202020/nodePools/abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"h\"},{\"key\":\"ptype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tenant\",\"value\":\"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"h_date\",\"value\":\"Fri, 19 May 2023 20:26:12 GMT\",\"issuer\":\"h\"},{\"key\":\"opc-certtype\",\"value\":\"instance\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-compartment\",\"value\":\"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"ttype\",\"value\":\"x509\",\"issuer\":\"authService.oracle.com\"},{\"key\":\"opc-tag\",\"value\":\"V3,abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234,ABCDABCDABCDABCD,ABCDABCDABCDABCD\",\"issuer\":\"authService.oracle.com\"}]}"]},"id":"1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab","parameters":{},"path":"/20202020/nodePools/abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},"resourceId":"abcd1.nodepool.ab1.abc.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","response":{"headers":{"Content-Length":["1234"],"Content-Type":["application/json"],"Date":["Fri, 19 May 2023 20:26:12 GMT"],"ETag":["1234ab1234ab1234ab1234ab1234ab"],"opc-request-id":["1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab/1234ab1234ab1234ab1234ab"]},"message":null,"payload":null,"responseTime":"2023-05-19T20:26:12.762Z","status":"200"},"stateChange":{"current":null,"previous":null}},"dataschema":"2.0","id":"1234abcd-1234-12ab-1234-123456abcdef","oracle":{"compartmentid":"abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234","ingestedtime":"2023-05-19T20:26:22.345Z","loggroupid":"_Audit","tenantid":"abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"},"source":"sample-1-office","specversion":"1.0","time":"2023-05-19T20:26:12.744Z","type":"com.oraclecloud.ClustersAPI.GetNodePool"}

Sample Parsing

extensions.auth.auth_details = "instance"
metadata.description = "GetNodePool succeeded"
metadata.event_type = "NETWORK_CONNECTION"
metadata.log_type = "ORACLE_CLOUD_AUDIT"
metadata.product_event_type = "GetNodePool"
metadata.product_name = "Oracle Cloud Audit"
metadata.product_version = "1.0"
metadata.vendor_name = "Oracale"
network.http.method = "GET"
network.http.user_agent = "Oracle-GoSDK/55.1.0 (linux/amd64; go/go1.19.1 X:sampledata)"
principal.asset.product_object_id = "abcd1.tenancy.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
principal.cloud.availability_zone = "AD_X"
principal.cloud.project.name = "sample-project"
principal.cloud.project.product_object_id = "abcd1.compartment.ab1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234"
principal.hostname = "sample-1-office"
principal.ip = "10.1.1.1"
principal.namespace = "Sample_SPACE"
principal.nat_ip = "10.10.10.1"
principal.user.product_object_id = "abcd1.instance.ab1.abc.12345abcde"
target.ip = "10.10.20.2"
target.namespace = "Sample_SPACE"
target.port = 443