Oracle Database Audit Solution

Solution: OracleDatabaseAudit

OracleDatabaseAudit Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com
Categories	domains
Version	3.0.3
Author	Microsoft - support@microsoft.com
First Published	2021-11-05
Solution Folder	OracleDatabaseAudit
Marketplace	Azure Marketplace · Popularity: 🔵 Medium (70%)
Pre-requisites	Syslog

The Oracle Database Audit solution provides the capability to ingest Oracle Database audit events into Microsoft Sentinel through the syslog. Refer to documentation for more information.

This solution is dependent on the Syslog solution containing the Syslog via AMA connector to collect the logs. The Syslog solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of Syslog via AMA Connector. Legacy connector uses the Log Analytics agent which were deprecated on Aug 31, 2024.. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

Pre-requisites
Data Connectors
Tables Used
Content Items

Pre-requisites

This solution depends on 1 other solution(s):

Solution
Syslog

Data Connectors

This solution has 1 discovered data connector(s)⚠️ (not in Solution definition):

[Deprecated] Oracle Database Audit ⚠️

Connectors from dependency solutions:

Syslog via Legacy Agent (dependency on Syslog)
Syslog via AMA (dependency on Syslog)

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table(s):

Table	Used By Connectors	Used By Content
`Syslog`	Syslog via AMA (dependency), Syslog via Legacy Agent (dependency), [Deprecated] Oracle Database Audit	Analytics, Hunting, Workbooks

Content Items

This solution includes 22 content item(s):

Content Type	Count
Analytic Rules	10
Hunting Queries	10
Workbooks	1
Parsers	1

Analytic Rules

Name	Severity	Tactics	Tables Used
OracleDBAudit - Connection to database from external IP	Medium	InitialAccess, Collection, Exfiltration	`Syslog`
OracleDBAudit - Connection to database from unknown IP	Medium	InitialAccess	`Syslog`
OracleDBAudit - Multiple tables dropped in short time	Medium	Impact	`Syslog`
OracleDBAudit - New user account	Low	InitialAccess, Persistence	`Syslog`
OracleDBAudit - Query on Sensitive Table	Medium	Collection	`Syslog`
OracleDBAudit - SQL injection patterns	Medium	InitialAccess	`Syslog`
OracleDBAudit - Shutdown Server	Medium	Impact	`Syslog`
OracleDBAudit - Unusual user activity on multiple tables	Medium	Collection	`Syslog`
OracleDBAudit - User activity after long inactivity time	Medium	InitialAccess, Persistence	`Syslog`
OracleDBAudit - User connected to database from new IP	Low	InitialAccess	`Syslog`

Hunting Queries

Name	Tactics	Tables Used
OracleDBAudit - Action by Ip	InitialAccess, DefenseEvasion, Collection, Impact	`Syslog`
OracleDBAudit - Action by user	InitialAccess, DefenseEvasion, Collection, Impact	`Syslog`
OracleDBAudit - Active Users	InitialAccess, DefenseEvasion	`Syslog`
OracleDBAudit - Audit large queries	InitialAccess, DefenseEvasion	`Syslog`
OracleDBAudit - Dropped Tables	Impact	`Syslog`
OracleDBAudit - Inactive Users	InitialAccess	`Syslog`
OracleDBAudit - Top tables queries	Collection	`Syslog`
OracleDBAudit - Users Privileges Review	InitialAccess, PrivilegeEscalation	`Syslog`
OracleDBAudit - Users connected to databases during non-operational hours.	InitialAccess, DefenseEvasion, Collection, Impact	`Syslog`
OracleDBAudit - Users with new privileges	InitialAccess, PrivilegeEscalation	`Syslog`

Workbooks

Name	Tables Used
OracleDatabaseAudit	`Syslog`

Parsers

Name	Description	Tables Used
OracleDatabaseAuditEvent	-	`Syslog` (read)

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.3	11-12-2024	Removed Deprecated Data connectors
3.0.2	23-07-2024	Deprecated data connectors
3.0.1	26-04-2024	Repackaged for fix on parser in maintemplate to have old parsername and parentid
3.0.0	19-12-2023	Documentation changes for oracle data base audit