Oracle Cloud Infrastructure (OCI) and services provide effective and manageable security that enables you to run mission-critical workloads and store your data with confidence. To achieve cloud security operational excellence, it is crucial to continuously monitor and improve the security posture of our customers' OCI tenancy and adopt essential cyber hygiene practices. For our customers navigating the dynamic cloud security landscape without a dedicated Security Information and Event Management (SIEM) system, the Security Fundamentals Dashboards are set to support our customers in building and maintaining strong security observability and governance around the OCI cloud resources so that our customers can stay vigilant in an ever-evolving cyber landscape. The Security Fundamentals Dashboards proactively aggregate and analyze OCI logs related to security events by leveraging the advanced capabilities of OCI Logging Analytics, coupled with near real-time monitoring and alerting allows security operations teams to detect security risks faster, focus on the key information based upon the tuning of the systems, and take appropriate actions to mitigate the risks.

OCI Security Fundamentals Dashboard Artifacts

The first release of the Security Fundamentals Dashboards contains the following three dashboards:

• Identity Security Dashboard
• Network Security Dashboard
• Security Operations Dashboard

The code is available here and is provided as a sample code for reference. The sample code can be customized for additional enhancements.

OCI Security Fundamentals Dashboard Details

• Out-of-box dashboards for rapid security threat detection
• Designed for customers interested in observing critical security events in their tenancies
• Dashboards are based on Oracle security analytics and monitoring best practices
• The dashboards query data from the OCI native Audit and VCN Flow Logs for continuous Identity and Network security events monitoring
• Meets the Maturity Acceleration Program-Foundation (MAP-F) capabilities related to Logging Monitoring and Alerting and provides visibility into key security metrics
• Observability and Management Logging Analytics is the main service for the solution
• Consumption is based on the size and retention of the underlying logs

Note: OCI Maturity Acceleration Program-Foundation (MAP-F) is a collaborative customer engagement that seeks to help organizations in building, deploying, and maintaining their foundational security capabilities, to support secure operations in OCI.

Security Fundamentals Dashboards Widgets:

OCI Security Fundamentals Dashboards Onboarding

Logging Analytics should be set up in your tenancy 

• Logging Analytics

Configure Logging Analytics

• Configure Your Service
• Prerequisite IAM Policies
• Enable Access to Logging Analytics and Its Resources

Audit and Network Logs Ingestion

• Ingest OCI VCN Flow Logs into OCI Logging Analytics
• Ingest OCI Audit logs into OCI Logging Analytics

Logging Analytics is integrated with Oracle Threat Intelligence to automatically receive the threat feed as the logs are ingested. The feature is available for all the log sources in the regions where both Logging Analytics and Oracle Threat Intelligence services are enabled. The Threat IPs widget makes use of this feature, which is not enabled by default. 

To enable:

1. In OCI console, Navigate to Observability and Management -> Logging Analytics -> Administration
2. Click on Sources. in search box in the top right, search for “vcn”. You should get 2 sources: OCI VCN Flow Logs and OCI VCN Flow Unified Schema Logs
3. Edit each source. On the Edit screen, click the Field Enrichment tab. Ensure the Enabled checkbox is checked for the Geo location function
4. Edit the Geo location function by clicking the three dots, and check Threat Intelligence Enrichment checkbox. 
5. If it is not, check the checkbox and click Save Changes
6. Repeat above 5 steps for OCI Network Firewall Traffic Logs, OCI Network Firewall Threat Logs, OCI Load Balancer Access Logs, OCI Load Balancer Error Logs, OCI WAF Logs, OCI Audit Logs Sources. 

Security Fundamentals Dashboards Deployment using OCI Marketplace App

Security Fundamentals Dashboards (SFD) OCI Marketplace App offers a seamless, one-click solution for customers to effortlessly deploy SFD dashboards and automate the collection of essential security-related logs in Logging Analytics. This streamlined approach simplifies the setup of comprehensive security monitoring across OCI environments, empowering customers to enhance their cloud security posture with minimal effort.

To launch the Marketplace app:

• In OCI console, Navigate to Marketplace -> All Applications
• Search “Security Fundamentals Dashboards”
• Check I have reviewed and accept the Oracle standard Terms and Restrictions.
• Click Launch Stack

• 

   

• Review the Stack Information and Click Next
• Select the Dashboard Compartment from the dropdown to deploy the dashboards
• Check Create Service Connector for IAM Identity Domain Audit?
• Update the Logging Analytics Log Group Name if needed
• Switch Service Connector Hub State from INACTIVE to ACTIVE
• Check Include Network Related Logs? checkbox
• Add the Logging service Network related logs Log Group OCIDs 
• Click Next for the final Review, Click Create to run the stack 

• 

   

Manual Deployment of OCI Security Fundamentals Dashboards

The required files for the Security Fundamentals Dashboards are stored in the following GitHub repo:

https://github.com/oracle-quickstart/oci-o11y-solutions/tree/main/knowledge-content/MAP/security-fundamentals-dashboards

Download the files to your local workstation. There are 3 files with the “.json” extension corresponding to the 3 security dashboards

1. Identity Security: Identity Security.json
2. Network Security: Network Security.json
3. Security Operations: Security Operations.json

Follow these steps to import the JSON files:

1. Login to tenancy
2. Navigate to LA Dashboards Console -> Observability & Management -> Logging Analytics -> Dashboards
3. Click on “Import Dashboards”
4. Navigate to the folder containing dashboards and select the first dashboard JSON file
5. Select “Specify a compartment for all dashboards” and choose a compartment
6. Select “Specify a compartment for all saved searches” and choose a compartment
7. Click on “Import”
8. Repeat steps 3-7 for the second JSON file
9. (Optional) Follow the above steps to enable the Threat Intelligence service integration with Logging Analytics

It may take some time for the data to start flowing into the dashboard. You will not see any data unless there are activities on the target system(s) that would be picked up by the corresponding widget/query.

OCI Security Fundamentals Dashboards Visualization

Security Fundamentals Dashboards now detects security threats and issues in your OCI tenancy. For example, Threat IPs detected in VCN Flow Logs accessing OCI cloud resources or spikes detected in Network Ingress Traffic from Public IPs need further investigation from the security teams to mitigate security risks across your tenancy. 

Conclusion

Security Fundamentals Dashboards provide a great starting point to monitor security events using Network logs and Audit logs via Logging Analytics for our OCI customers. By leveraging these OCI features, organizations can gain valuable insights into their OCI security posture and make informed decisions to secure and manage cloud resources.

Sign up for an Oracle Cloud Infrastructure free trial account today to try out new Oracle Cloud Infrastructure features!

Resources

• Elevating Network Security: Introducing New SFD Network Security Dashboard
• Enable Logs for VCN Flow Logs 
• Enable Logs for OCI Network Firewall Traffic Logs and Threat Logs
• Enable Logs for OCI Load Balancer Access Logs and Error Logs
• Enable Logs for OCI Web Application Firewall 
• Monitoring OCI Web Application Firewall (WAF) with Logging Analytics
• Logging Analytics - Configure Your Service
• Logging Analytics - Prerequisite IAM Policies
• Logging Analytics - Enable Access to Logging Analytics and Its Resources