Oracle Cloud Infrastructure Audit is included at no cost with each tenancy and records activity across the tenancy for all supported Oracle Cloud Infrastructure services. This information can be retrieved and processed by a tenancy owner for various use cases.
In this blog post, I will show how to retrieve audit data for a given time period and discuss several use cases for consuming it.
About Oracle Cloud Infrastructure Audit and use cases
Oracle Cloud Infrastructure Audit automatically records calls to all supported Oracle Cloud Infrastructure public API endpoints as log events. This information can then be leveraged for the following purposes:
Customers can collect logs centrally using log management, or security incident and event management (SIEM) solutions. The following are common use cases:
By default, Oracle Cloud Infrastructure Audit is in recording mode and cannot be turned off. The default retention period is 90 days, but as a best practice, customers may change the policy to the maximum retention.
Retrieving Audit events
To make use of audit events, the first step is to retrieve and store them. Let's take a look at the ways in which an Audit event can be retrieved:
For this blog post, I will use the Oracle Cloud Infrastructure Python SDK and the retrieve_audit_events.py demo script.
About the retrieve_audit_events.py demo script
As mentioned, let's use the Python script, which retrieves logs for a tenancy for a given time period across:
Before you make use of this demo script, it is important to understand its prerequisites:
Installation of Oracle Cloud Infrastructure Python SDK
IAM Permissions - READ permissions for audit-events for the user that executes the demo script. The IAM policy would look like:
Allow group <GroupName> to READ audit-events in tenancy
Configuration of Python SDK - The following are the important parameters for the local configuration:
RSA private key in PEM format
Recommendations when using the demo script retrieve_audit_events.py
The following are a few recommendations while using this demo script:
Number of resources for each compartment for each region
Number of updates to the Oracle Cloud Infrastructure environment (e.g. start/stop/termination of instances) - Write events
The method in which you regularly query metadata (e.g. using console vs CLI) - Read events
The time span for which the Audit Events are queried (e.g. 20 minutes, 1 hr, 365 days)
Example use case and analysis of events
Let’s focus on a use case where we want to find out how many changes were made to our tenancy across a month.
For this use case, we want to retrieve all the audit events and filter write operations such as Create/Modify/Delete operations on Oracle Cloud Infrastructure resources, which can be done by eliminating all the list/get operations required to retrieve the metadata.
For our test tenancy, consisting of 13 compartments, Audit entries were retrieved for a time span of one month. The following were the timestamps:
start_time='2017-11-05T00:00:00 GMT' to end_time='2017-12-05T00:00:00GMT'
The demo script took about 6 minutes to execute fully on a VM.Standard1.8 with Ubuntu 16.04.
The following is a table that shows the number of write events vs all the events throughout the tenancy.
This analysis gives us an insight into the amount and the type of data being retrieved. Understanding this is important for processing data for respective use cases. For example, if we wish to track changes on specific cloud resources, such as an instance, then focusing only on write events will be required.
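The write-event filter described in this use case can be sketched as follows. This is an added example, not code from retrieve_audit_events.py: the sample records are constructed, and the field names `compartment_name`, `event_name` and `request_action` (the HTTP method) are assumptions about the shape of a retrieved audit event.

```python
from collections import Counter

# HTTP methods that only read metadata (the list/get operations to eliminate).
READ_METHODS = {"GET", "HEAD"}

# Constructed sample records; the field names are assumptions (see lead-in).
SAMPLE_EVENTS = [
    {"compartment_name": "prod", "event_name": "ListInstances", "request_action": "GET"},
    {"compartment_name": "prod", "event_name": "GetInstance", "request_action": "GET"},
    {"compartment_name": "prod", "event_name": "LaunchInstance", "request_action": "POST"},
    {"compartment_name": "prod", "event_name": "TerminateInstance", "request_action": "DELETE"},
    {"compartment_name": "dev", "event_name": "ListVcns", "request_action": "GET"},
    {"compartment_name": "dev", "event_name": "UpdateInstance", "request_action": "PUT"},
    {"compartment_name": "dev", "event_name": "GetVcn", "request_action": "get"},
    {"compartment_name": "sandbox", "event_name": "ListInstances", "request_action": "GET"},
    {"compartment_name": "sandbox", "event_name": "CreateVcn", "request_action": None},
]


def is_write_event(event):
    """Return True for events that are not plain list/get reads."""
    method = (event.get("request_action") or "").upper()
    # A missing or unknown method is kept as a write so a change is never hidden.
    return method not in READ_METHODS


def write_events(events):
    """Keep only the create/modify/delete style events."""
    return [ev for ev in events if is_write_event(ev)]


def summarize(events):
    """Return {compartment: (write_events, all_events)}, sorted by compartment."""
    total, writes = Counter(), Counter()
    for ev in events:
        comp = ev.get("compartment_name") or "<unknown>"
        total[comp] += 1
        if is_write_event(ev):
            writes[comp] += 1
    return {comp: (writes[comp], total[comp]) for comp in sorted(total)}


if __name__ == "__main__":
    for comp, (w, n) in summarize(SAMPLE_EVENTS).items():
        print(f"{comp:10} write events={w:3}  all events={n:3}")
```

Events with a missing method are counted as writes on purpose: for change tracking, a false positive costs a review, while a dropped event hides a change.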
In this blog, we learned about Oracle Cloud Infrastructure Audit and how it can be leveraged to retrieve all activities that occurred across a tenancy. After each retrieval, the results can be indexed into a SIEM tool for further processing.