Using Oracle Security Monitoring And Analytics

Oracle Cloud
Using Oracle Security Monitoring and Analytics
E67074-28
May 2019

Oracle Cloud Using Oracle Security Monitoring and Analytics, E67074-28
Copyright 2017, 2020, Oracle and/or its affiliates.
Primary Author: Oracle Corporation

Contents

1 Getting Started with Oracle Security Monitoring and Analytics
  About Oracle Security Monitoring and Analytics 1-1
  Collecting Operating System Logs from Your Host Platforms 1-2
  Collect Linux Default Logs 1-3
  Collect Windows Default Logs 1-4
  About Roles and Users 1-4
  Before You Begin with Security Monitoring and Analytics 1-5

2 Working with Security Monitoring and Analytics
  Create a Security Alert Rule 2-1
  Fine-tune Event Detection 2-2
  Security Correlation Rule System 2-2
  Tuning Rule Specs by Editing Its Parameters 2-5
  Tuning Rule Exceptions by Whitelisting Rule Attributes 2-7
  Administer Machine Learning Capabilities 2-8
  Machine Learning Capabilities Overview 2-8
  Create a Peer Group Analysis Model 2-9
  Create an SQL Analysis Model 2-10
  Additional Machine Learning Features for Administrators 2-11
  Enable and Disable Models 2-11
  Search and View Models 2-12
  Perform Security Analysis 2-12
  Customize Your Security Dashboards 2-12
  Security Intelligence Dashboard 2-13
  Security Dashboards 2-19

3 Investigating and Analyzing Threats Based on Correlation Rule
  Investigate and Analyze Threats in Response to an Alert Notification 3-1
  Investigating Threats Detected by Correlation Rule 3-1
  Investigating and Analyzing Users Associated with Threats 3-2
  Isolate Risky Users Associated with Threats 3-3

  Isolate Assets Associated with Threats 3-4

A Configuration of Security Log Sources
  Configuration Quick-Start Guides A-4
  Oracle Audit Vault and Database Firewall A-5
  Oracle Database A-6
  Bluecoat Proxy A-7
  Apache Tomcat A-9
  Cisco ASA Firewall A-10
  F5 Big Firewall A-11
  Fortinet FortiGate Firewall A-12
  MS Active Directory A-13
  Palo Alto Firewall A-14
  Common Tasks A-15
  Prerequisites and Requirements for Security Sources A-16
  Validate Log Collections A-16

B SMA Reference
  Security Monitoring and Analytics Terminology B-1
  Security Event Format - SEF Handbook B-2
  SEF Query Samples B-2
  Filtering SEF Queries B-2
  Commonly Used SEF Fields B-4
  sef Field Properties B-4
  sefActor Field Properties B-5
  sefDestination Field Properties B-6
  sefOriginalActor Field Properties B-7
  SEF Elements B-7
  Security Intelligence Reference B-9

C User Identity Information and Alerting Sources
  Oracle Identity Cloud Service C-1
  Uploading User Data Using REST API C-1
  Collect User Information from Oracle Identity Cloud Service (IDCS) C-1
  Ingest Alert Data from Oracle CASB Service C-4

Preface

Oracle Security Monitoring and Analytics enables rapid detection, investigation and remediation of the broadest range of security threats across on-premises and cloud IT assets. Security Monitoring and Analytics provides integrated SIEM and UEBA capabilities built on machine learning, user session awareness, and up-to-date threat intelligence context. This service is built on Oracle Management Cloud's secure, unified big data platform.

Topics:
- Audience
- Related Resources
- Conventions

Audience
Using Oracle Security Monitoring and Analytics is intended for users who want to monitor and analyze security activity.

Documentation Accessibility
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related Resources
For more information, see these Oracle resources:
- http://cloud.oracle.com
- Using Oracle Log Analytics
- Using Application Performance Monitoring
- Using IT Analytics Cloud Service

Conventions
The following text conventions are used in this document:

Convention - Meaning
boldface - Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
italic - Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
monospace - Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.

1 Getting Started with Oracle Security Monitoring and Analytics

Topics:
- About Oracle Security Monitoring and Analytics
- Before You Begin with Security Monitoring and Analytics
- About Roles and Users
- Collecting Operating System Logs from Your Host Platforms

About Oracle Security Monitoring and Analytics

Note: As of September 2019, no enhancements have been made to this service and this functionality is no longer available to new customers.

What is Oracle Security Monitoring and Analytics?
Oracle Security Monitoring and Analytics is a security solution provided as part of Oracle Management Cloud's unified platform. Its core functionality is around cyber security, providing you with IT solutions in the form of anomaly detection and investigations, and remediation of the broadest range of security threats across on-premises and cloud IT assets. Oracle Security Monitoring and Analytics provides integrated security information and event management (SIEM) and user and entity behavior analytics (UEBA) capabilities built on machine learning, user session awareness, and up-to-date threat intelligence context.

The following diagram shows the integration of Oracle Security Monitoring and Analytics with other cloud solutions also designed as platform components for Oracle Management Cloud.

Product Key Features

Real-time threat detection based on rules and patterns:
- Universal threat visibility: Collect and analyze any security relevant data.
- SOC-ready content: Ready to use, vendor neutral SOC content library.
- Threat intelligence leverage: Connect to any threat feed, leverage embedded reputation data.

Advanced threat analytics and visualization:
- Data access anomaly detection: Detect SQL query anomalies for any user, database or application. Identify anomalous activity of an entity based on instance-based and peer-based behavior baselines.
- Multi-dimensional anomaly detection: Detect anomalies across multiple behavioral attributes.
- Session awareness and attack chain visualization: Faster detection with user awareness kill chain visualization.

Enhanced Security Monitoring with Oracle Management Cloud Platform:
- Topology awareness: Detect multi-tier application attacks and lateral movement indicators.

Additional features include:
- Correlation rule tuning
- Customizable watchlists
- Storage management
- Integration with IDCS and CASB services

Collecting Operating System Logs from Your Host Platforms
You can collect log data from your hosts and get immediate insight into potential security threats across your environments.

Topics:
- Collect Linux Default Logs
- Collect Windows Default Logs

Collect Linux Default Logs
Enable default OS event logs in Linux.

Prerequisite Checklist
1. Host machine met OS requirements for local agent installations.
   See: Requirement for Logs Collection on Unix in Installing and Managing Oracle Management Cloud Agents.
2. Oracle Management Cloud environment met the minimum standard setup requirements.
   To analyze security log data you must first enable Security Monitoring and Analytics (SMA) licensing. SMA licensing assumes that Log Analytics licensing is enabled as well. To enable these components and ensure you meet other prerequisites see Prerequisites and Requirements for Security Sources.

Configuration Steps
Linux Log Configuration Task / Requirements / For additional details, see

STEP 1. Enable host monitoring in OMC.
   Enable the Linux host where you installed the agent. By default your host is already added as an entity, however, monitoring is disabled.
   See: Enable Host Monitoring in Using Oracle Infrastructure Monitoring.
STEP 2. Associate your (Linux host) entity for log collection.
   From Log Analytics > Log Admin > Entities, click New Association and select the new Linux host.
   See: Configure New Entity Associations in Using Log Analytics.
STEP 3. Select log sources for your new (Linux host) entity.
   Select the Linux logs that apply for your environment (Host Sources).
   See: Associating Entities to Existing Log Sources in Using Oracle Log Analytics.
STEP 4. Validate your log collection.
   Ensure your setup is successfully completed: validate your collection. Navigate to Security Analytics > Security Data Explorer.
   See: Validate Log Collections.

For a complete list of supported log sources and quick-start configuration guides, see Appendix Host Sources.

Collect Windows Default Logs
Enable default logs for Windows platforms.

Prerequisites
Ensure that your OMC environment meets the typical requirements to enable platform logs.

Table 1-1
To analyze security log data you must first enable Security Monitoring and Analytics (SMA) licensing. SMA licensing assumes that Log Analytics licensing is enabled as well. To enable these components and ensure you meet other prerequisites see Prerequisites and Requirements for Security Sources.
See also: Environment Requirements in Installing and Managing Oracle Management Cloud Agents.

Log Configuration Steps
Windows Log Configuration Task / Requirements / For additional details, see

STEP 1. Enable host monitoring in OMC.
   Enable the Windows host where you installed the agent. By default your host is already added as an entity, however, monitoring is disabled.
   See: Enable Host Monitoring in Using Oracle Infrastructure Monitoring.
STEP 2. Associate your (Windows host) entity for log collection.
   From Log Analytics > Log Admin > Entities, click New Association and select the new Windows host.
   See: Configure New Entity Associations in Using Log Analytics.
STEP 3. Select log sources for your new (Windows host) entity.
   Select the Windows Security Events log source to associate with your Windows host (Host Sources).
   See: Associating Entities to Existing Log Sources in Using Oracle Log Analytics.
STEP 4. Validate your log collection.
   Ensure your setup is successfully completed: validate your collection. Navigate to Security Analytics > Security Data Explorer.
   See: Validate Log Collections.

For a complete list of supported log sources and quick-start configuration guides, see Appendix Host Sources.

About Roles and Users
To use Oracle Management Cloud you must be assigned either an OMC Administrator or an OMC User role from Oracle Cloud My Services.

OMC Administrator role

These users have complete access to the entire platform, including administrative privileges in other suite components like Oracle Log Analytics. Only users with these privileges will be able to perform administrative tasks, such as deploying agents, changing configuration settings, and so on.

OMC User role
These users have limited access and can only perform tasks such as viewing and monitoring infrastructure or application performance.

Table 1-2 User roles and typical tasks with Security Monitoring and Analytics, per user role.

User Role: Security Operations Center Administrator (OMC Administrator)
Tasks:
- Set up Oracle Security Monitoring and Analytics.
- Configure machine learning models.
- Set up Oracle Log Analytics.
- Manage cloud agents.
- Add and delete entities.
- Create and administer new log sources.
- Configure alert rules.

User Role: Security Operations Center Analyst (OMC User)
Tasks:
- Investigate and analyze user activity.
- Investigate and analyze events, anomalies, and alerts.
- Monitor the security posture of your organization.

Before You Begin with Security Monitoring and Analytics
In this section you learn general concepts and related terms that are commonly used in Oracle Security Monitoring and Analytics.

Oracle Security Monitoring and Analytics Concepts and Related Terms
Term - Definition
Cloud agent - On-premises interface to Oracle Management Cloud, which is configured to monitor various entities by collecting status, performance, and configuration data.
Asset - A monitored resource, such as a database, a host server, a compute resource, or an application server, that can be monitored in Oracle Enterprise Manager Cloud Control.
Gateway - A cloud agent that acts as a proxy between Oracle Management Cloud and all other cloud agents.
Log entity - The name of a log file.
Log source - A named group of log files. The files that belong to this group can be configured using patterns such as /var/log/ssh*. A log source can be associated with one or more parsers.

Oracle home - A directory where Oracle products are installed, pointed to by an environment variable.
Parser - A named entity used to define how to parse all log entries in a log source and extract field information. It uses one or multiple parse expressions and a log entry delimiter to parse all log entries in a log source. It also specifies how the parsed content is converted into fields.
Remediation Action - A task, or a set of tasks that implement a fix to a specific issue. A remediation task can be added as a response to an alert.

SMA Terminology Reference
Note: See:
1. Security Monitoring and Analytics Terminology
2. Security Intelligence Reference
3. SEF Elements

2 Working with Security Monitoring and Analytics
This section includes ways you can configure, administer, and maintain Security Monitoring and Analytics on a regular basis.

Task Description / More Information
- Receive alert notifications based on security threshold values you define. See: Create a Security Alert Rule.
- Tune correlation rules to achieve more relevant detections by adjusting available parameter values. See: Tuning Rule Specs by Editing Its Parameters.
- Specify associated elements in your correlation rule as whitelisted to reduce false positive event detections. See: Tuning Rule Exceptions by Whitelisting Rule Attributes.
- Provide learning orientation by specifying learning attributes using machine learning models. See: Administer Machine Learning Capabilities.

Create a Security Alert Rule
Alert rules trigger alert notifications when anomalous activity is detected.

For example, you want Security Monitoring and Analytics to alert you with a notification email when an anomalous activity is detected. First, you need to create an alert rule and define its threshold values.
1. From Security Monitoring and Analytics, click the Menu icon, top-left under the product name.
2. Under Security Admin, select Alert Rules.
3. Click Create Alert Rule, top-right under Alerts.
4. Enter a name and a description.
5. Alerts can be generated based on two severity levels (warning or critical).
   a. Select For All Threats and then choose one:
      - Warning Alert: this generates a Warning alert for all threats.
      - Critical Alert: this generates a Critical alert for all threats.
   b. Select Based on Risk Level.
      You can set thresholds for generating a warning or a critical alert based on the risk level of the threat. Choose an operator.
      - Under Warning Threshold, select Low, Medium or High for the Threat Risk Level to generate a warning alert.

      - Under Critical Threshold, select Medium, High or Critical for the Threat Risk Level to generate a Critical alert.
      When generating alerts based on risk level, the warning threshold level (low, medium, high) must be set lower than the critical threshold level (medium, high, critical).
6. Add email recipients for alert notifications.
7. Click Save.

Fine-tune Event Detection
Fine-tuning correlation rules takes into account the ongoing changes in your IT environment.

Topics:
- Security Correlation Rule System
- Tuning Rule Specs by Editing Its Parameters
- Tuning Rule Exceptions by Whitelisting Rule Attributes

Security Correlation Rule System
SMA's Correlation Rule Engine comes with a correlation rule system right out of the box.

Category - Description
Account - Account rules identify account management related threats.
Authentication - Authentication rules are related to authentication activities.
Availability - Availability rules identify availability stature of applications, hosts and devices.
Data - Data rules identify data and metadata related threats.
Endpoint - Endpoint rules identify threats against endpoints.
Network - Network rules are related to network activities.

Account
Account rules identify account management related threats.
1. LocalAccountCreation
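The "Based on Risk Level" thresholds from the alert rule procedure above, modelled as an added example that is not code from the Oracle documentation. It assumes the risk levels are ordered Low < Medium < High < Critical and represents the operator choice as either ">=" or ">", since the documentation's operator symbols are not reproduced in this transcription.

```python
"""Model of an SMA alert rule's Warning/Critical risk-level thresholds.

Added example, not Oracle code. Assumptions: risk levels are ordered
Low < Medium < High < Critical, and the operator is ">=" or ">".
"""

RISK_LEVELS = ("Low", "Medium", "High", "Critical")   # ascending order (assumption)
WARNING_CHOICES = ("Low", "Medium", "High")             # choices the UI offers for Warning
CRITICAL_CHOICES = ("Medium", "High", "Critical")       # choices the UI offers for Critical


def risk_rank(level: str) -> int:
    """Position of a risk level in ascending order; rejects unknown values."""
    try:
        return RISK_LEVELS.index(level)
    except ValueError as exc:
        raise ValueError(f"unknown risk level: {level!r}") from exc


def validate_thresholds(warning: str, critical: str) -> None:
    """Enforce the documented rule: the warning threshold must be lower than the critical one."""
    if warning not in WARNING_CHOICES:
        raise ValueError(f"warning threshold must be one of {WARNING_CHOICES}")
    if critical not in CRITICAL_CHOICES:
        raise ValueError(f"critical threshold must be one of {CRITICAL_CHOICES}")
    if risk_rank(warning) >= risk_rank(critical):
        raise ValueError("warning threshold must be set lower than the critical threshold")


def classify(threat_risk: str, warning: str, critical: str, operator: str = ">=") -> str:
    """Return 'critical', 'warning' or 'none' for a threat at the given risk level."""
    validate_thresholds(warning, critical)
    if operator not in (">=", ">"):
        raise ValueError("operator must be '>=' or '>'")
    rank = risk_rank(threat_risk)

    def meets(threshold: str) -> bool:
        bound = risk_rank(threshold)
        return rank >= bound if operator == ">=" else rank > bound

    # Test the critical threshold first so the higher severity wins when both match.
    if meets(critical):
        return "critical"
    if meets(warning):
        return "warning"
    return "none"


if __name__ == "__main__":
    # Constructed sample threats, one per risk level (not from the documentation).
    for level in RISK_LEVELS:
        print(f"{level:8s} -> {classify(level, warning='Medium', critical='High')}")
```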
