Oracle Cloud Infrastructure Security Fundamentals Dashboards using OCI Logging Analytics

September 19, 2023 | 10 minute read
Royce Fu
Principal Database and O&M Solution Architect
Johannes Murmann
Master Principal Security Cloud Architect.
Amine Tarhini
Principal Security and Management Platform Specialist

Oracle Cloud Infrastructure (OCI) and its services provide effective, manageable security that lets you run mission-critical workloads and store your data with confidence. Achieving operational excellence in cloud security requires continuously monitoring and improving the security posture of your OCI tenancy and adopting essential cyber hygiene practices. For customers navigating the dynamic cloud security landscape without a dedicated Security Information and Event Management (SIEM) system, the Security Fundamentals Dashboards help build and maintain strong security observability and governance around OCI cloud resources, so that teams can stay vigilant in an ever-evolving threat landscape. The dashboards proactively aggregate and analyze OCI logs related to security events using the capabilities of OCI Logging Analytics. Combined with near real-time monitoring and alerting, this allows security operations teams to detect security risks faster, focus on the key information surfaced by their tuning of the system, and take appropriate action to mitigate those risks.

Dashboard Artifacts

The first release of the Security Fundamentals Dashboards contains the following three dashboards:

  • Identity Security Dashboard
  • Network Security Dashboard
  • Security Operations Dashboard

The code is available here and is provided as sample code for reference; it can be customized for additional enhancements.

Security Fundamentals Dashboard Details

  • Out-of-box dashboards for rapid security threat detection
  • Designed for customers interested in observing critical security events in their tenancies
  • Dashboards are based on Oracle security analytics and monitoring best practices
  • The dashboards query data from the OCI native Audit and VCN Flow Logs for continuous Identity and Network security events monitoring
  • Meets the Maturity Acceleration Program-Foundation (MAP-F) capabilities related to Logging, Monitoring, and Alerting, and provides visibility into key security metrics
  • Observability and Management Logging Analytics is the main service for the solution
  • Consumption is based on the size and retention of the underlying logs

Note: OCI Maturity Acceleration Program-Foundation (MAP-F) is a collaborative customer engagement that seeks to help organizations in building, deploying, and maintaining their foundational security capabilities, to support secure operations in OCI.

Figure 1: SFD Identity Security

Figure 2: SFD Network Security

Figure 3: SFD Security Operations

Security Fundamentals Dashboards Widgets:

Category | Widget | Description
IAM | Local User Password Reset | Bar chart showing the count of successful local password resets, aggregated over 1 day.
IAM | Local User Creation | Bar chart showing the count of successful or unsuccessful local user creations, aggregated over 1 day.
IAM | Local User Changes | Bar chart showing the count of successful or unsuccessful local user changes, aggregated over 1 day. This includes Deactivate User, Delete User, Update User, Update User Capabilities, Update User State, and Update User Password via UI.
IAM | Local Dormant Users | Tile showing the count of dormant users that have not successfully logged in to the OCI console within the last 30 days.
IAM | Local Group Changes | Bar chart showing the count of successful or unsuccessful local group changes, aggregated over 1 day. This includes "Add user to group" and "Remove user from group".
IAM | IAM Policy Update | Bar chart showing the count of successful or unsuccessful IAM policy changes across the tenancy, aggregated over 1 day. This includes Create Policy, Update Policy, and Delete Policy.
IAM | IDP Group Mapping Update | Bar chart showing the count of successful or unsuccessful IDP group mapping changes across the tenancy, aggregated over 1 day. This includes "Add user to idpgroup", "Remove user from idpgroup", "Create idpgroup mapping", "Delete idpgroup mapping", and "Update idpgroup mapping".
IAM | IDP Changes | Bar chart showing the count of successful or unsuccessful Identity Provider changes across the tenancy, aggregated over 1 day. This includes creating, updating, and deleting IDPs.
IAM | Local Successful Logins | Bar chart showing the count of successful local logins, aggregated over 1 day.
IAM | Local Failed Logins | Bar chart showing the count of unsuccessful local logins, aggregated over 1 day. This includes failed logins due to a wrong password or a disabled user.
IAM | API Key Creation | Bar chart showing the count of successful or unsuccessful API key creations (additions to a user), aggregated over 1 day.
IAM | Top Identity Events Producers | Pie chart identifying the top producers of identity-related audit events. Internal users and services are filtered out; otherwise the result could be heavily skewed.
Network | Total Network Traffic | Graph showing the total network traffic across all VCN Flow Logs, aggregated over 5-minute spans and shown in KB.
Network | Network Ingress Traffic from Public | Graph showing the total ingress network traffic across all VCN Flow Logs originating from a public IP, aggregated over 5-minute spans and shown in KB.
Network | Security List Changes | Bar chart showing any changes to security lists in the tenancy. This includes creating, deleting, and updating security lists and rules.
Network | NSG Changes | Bar chart showing any changes to Network Security Groups in the tenancy. This includes creating, deleting, and updating Network Security Groups.
Network | Changes to Gateways | Bar chart showing any changes to gateways in the tenancy. This includes creating, updating, and deleting DRGs, NAT GW, IGW, SGW, and Peering Gateways.
Network | Threat IPs - Timeline | Graph showing the count of Threat IPs over time across VCN Flow Logs and the OCI Audit log, from both egress and ingress traffic.
Operations | Data Freshness | Time stats showing the last collection time for Audit and Flow Logs. The value should typically be small (< 3 minutes).
Operations | Service Connector Errors | Based on the Service Connector Hub metric namespace; shows errors related to reading from OCI Logging (source), writing to Logging Analytics (target), and Service Connector errors.
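As an added example that is not part of the Oracle post or its sample repository, the Python below reproduces the logic of three widgets from the table (Local Failed Logins, Local Dormant Users, Data Freshness) over constructed OCI Audit events, so you can check what each widget counts before relying on the dashboard. The envelope fields (eventTime, data.eventName, data.identity, data.response.status) follow the OCI Audit schema; the event name "InteractiveLogin", the authType value "natv", the user names and the timestamps are assumptions made for this example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed reference "now" so the constructed sample gives deterministic results.
NOW = datetime(2023, 9, 19, 12, 0, tzinfo=timezone.utc)


def _audit_event(age, user, status):
    """Build a minimal OCI Audit envelope (constructed sample, not captured data)."""
    return {
        "eventTime": (NOW - age).isoformat(),
        "data": {
            "eventName": "InteractiveLogin",  # assumed placeholder for a console login
            "identity": {"principalName": user, "authType": "natv"},  # natv = local user (assumed)
            "response": {"status": str(status)},
        },
    }


# Constructed sample: alice active, bob active with two failures, carol stale, dave never seen.
EVENTS = [
    _audit_event(timedelta(minutes=2), "alice", 200),
    _audit_event(timedelta(days=1), "bob", 401),
    _audit_event(timedelta(days=1, hours=3), "bob", 401),
    _audit_event(timedelta(days=2), "bob", 200),
    _audit_event(timedelta(days=3), "carol", 401),
    _audit_event(timedelta(days=40), "carol", 200),
]
KNOWN_LOCAL_USERS = {"alice", "bob", "carol", "dave"}


def _login_events(events):
    """Yield (timestamp, user, HTTP status) for local console login events only."""
    for ev in events:
        d = ev["data"]
        if d["eventName"] == "InteractiveLogin" and d["identity"].get("authType") == "natv":
            yield (datetime.fromisoformat(ev["eventTime"]),
                   d["identity"]["principalName"], d["response"]["status"])


def failed_logins_per_day(events):
    """Local Failed Logins widget: count non-2xx login responses per UTC day."""
    return Counter(ts.date().isoformat()
                   for ts, _, status in _login_events(events) if not status.startswith("2"))


def dormant_users(events, known_users, window_days=30, now=NOW):
    """Local Dormant Users widget: known local users with no successful login in the window."""
    cutoff = now - timedelta(days=window_days)
    active = {user for ts, user, status in _login_events(events)
              if status.startswith("2") and ts >= cutoff}
    return sorted(known_users - active)


def freshness_minutes(events, now=NOW):
    """Data Freshness widget: minutes since the newest ingested event (expected < 3)."""
    newest = max(datetime.fromisoformat(ev["eventTime"]) for ev in events)
    return (now - newest).total_seconds() / 60
```

Note that the dormant-user check needs the full user list, not just the log: a user who never appears in the Audit log (dave here) is the most dormant of all.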


Enable Security Fundamentals Dashboards in 4 Steps

Figure 4: Enable Security Fundamentals Dashboards in 4 Steps

Security Fundamentals Dashboards Onboarding

Logging Analytics should be set up in your tenancy before you deploy the dashboards (see Configure Logging Analytics).

Security Fundamentals Dashboards Log Ingestion

Logging Analytics is integrated with Oracle Threat Intelligence and automatically receives the threat feed as logs are ingested. The feature is available for all log sources in regions where both Logging Analytics and Oracle Threat Intelligence are enabled. The Threat IPs widget relies on this feature, which is not enabled by default.

To enable:

  1. In the OCI console, navigate to Observability and Management -> Logging Analytics -> Administration.
  2. Click "Sources". In the search box at the top right, search for "vcn". You should see two sources: "OCI VCN Flow Unified Schema Logs" and "OCI VCN Flow Logs".
  3. Edit each source. On the Edit screen, click the "Field Enrichment" tab and ensure the "Enabled" checkbox is checked for the "Geo-location" function.
  4. Edit the "Geo-location" function by clicking the three dots and verify that the "Threat Intelligence enrichment" checkbox is checked.
  5. If it is not, check the checkbox and click "Save Changes".
  6. Repeat the above five steps for the "OCI Audit Logs" log source.

Security Fundamentals Dashboards Deployment

The required files for the security dashboards are stored in the following GitHub repo:

https://github.com/oracle-quickstart/oci-o11y-solutions/tree/main/knowlege-content/MAP/security-fundamentals-dashboards

Download the files to your local workstation. There are 3 files with the ".json" extension, corresponding to the 3 security dashboards:

  1. Identity Security: Identity Security.json
  2. Network Security: Network Security.json
  3. Security Operations: Security Operations.json

Follow these steps to import the JSON files:

  1. Log in to the tenancy
  2. Navigate to the LA Dashboards console: Observability & Management -> Logging Analytics -> Dashboards
  3. Click on “Import Dashboards”
  4. Navigate to the folder containing dashboards and select the first dashboard JSON file
  5. Select “Specify a compartment for all dashboards” and choose a compartment
  6. Select “Specify a compartment for all saved searches” and choose a compartment
  7. Click on “Import”
  8. Repeat steps 3-7 for the second JSON file
  9. (Optional) Follow the above steps to enable the Threat Intelligence service integration with Logging Analytics

It may take some time for data to start flowing into the dashboards. You will not see any data until there is activity on the target system(s) that the corresponding widget/query picks up.

Security Fundamentals Dashboards Visualization

The Security Fundamentals Dashboards now detect security threats and issues in your OCI tenancy. For example, Threat IPs detected in VCN Flow Logs accessing OCI cloud resources, or spikes in Network Ingress Traffic from Public IPs, need further investigation by the security team to mitigate security risks across your tenancy.

Figure 5:  SFD Dashboard Widgets

Conclusion

The Security Fundamentals Dashboards give OCI customers a strong starting point for monitoring security events from VCN Flow Logs and Audit Logs through Logging Analytics. By using these OCI features, organizations gain valuable insight into their OCI security posture and can make informed decisions to secure and manage their cloud resources.


Royce Fu

Principal Database and O&M Solution Architect

Royce Fu is the Principal Database Solution Architect of the North America Cloud Technology and Engineering Team. Royce's area of specialty is core database technology and OCI O&M, including Exadata and Database Platform Engineering, Architecture, and Integration. He started his career as a Java software engineer and has spent the last 12 years in database engineering and architecture.

Johannes Murmann

Master Principal Security Cloud Architect.

Amine Tarhini

Principal Security and Management Platform Specialist

Amine is a member of the North America Technology Platform Specialist Team at Oracle Corporation. Amine specializes in Oracle Observability & Management platform (O&M), and Oracle Enterprise Manager (OEM).
