Oracle Database Audit connector issues #8802
Comments
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
@garis We are working on it and the next update is on 24Aug23.
@garis After following the above-mentioned steps for a Linux VM with Oracle database, we got a compliance issue, so we deleted the resources and are working on an alternate approach.
@garis Started working on this issue again from today; will update you on the progress.
Hi @garis, as discussed over Teams, still working on this issue; will update you.
Hi @garis, the following are the additional details required. Issue 1: we noticed the documentation is outdated. Issue 2: could you please share more details on the OracleDBAudit - SQL injection patterns analytic rule issue? I got the details that we have changed the log format. Can you please share the set of log events/details expected to be detected for SQL injection attacks?
Hi @v-muuppugund, if you configure everything correctly you will see that the SQL statements are not logged (at least this is what I saw). Because of this, the OracleDBAudit - SQL injection patterns analytic rule will always try to search for events and data that can never be present in the workspace.
Hi @garis, it's configured. You are aware logging is limited for SQL statements; there are Oracle database unified auditing and syslog limitations, and that is why it's not logged for the SQL injection patterns.
@v-muuppugund I am aware audit logs collected via syslog are limited; this is one reason why this issue is open.
@garis Yes, the SQL injection patterns rule is looking for the above expression, which is never logged. We need to revalidate this SQL injection patterns rule, but the main issue we are talking about is that there are Oracle database unified auditing and syslog limitations, so customers need to make changes at the Oracle side.
@garis, just want to update you regarding the analytic rule update for SQL injection patterns: as we have different Oracle servers, trying to have a unified system is a little bit tricky. We need to investigate more to have a unique rule, and there are limitations, so customers need to make changes at the Oracle side. We need to do more research to have a unified system so that customers can use it.
@v-muuppugund Then we need to improve the connector documentation to clearly illustrate all the limitations.
@garis, still working on the draft content of the document; will raise the PR and update you.
@garis, as updated over Teams, still working on the content and will update the PR by 09/11/2023.
@garis, the PR is still under internal review; will get back to you by 17Nov23.
@garis, the PR is still under internal review; will get back to you once completed and post you updates by 21Nov23.
@garis, internal review is done and working on changes; will get back to you by 24Nov23.
@garis, we will update you once the PR is completed. Thanks.
@garis, as discussed over Teams, completed all the formalities; waiting for approval, and once done, will update you.
@garis The PR is merged, so closing this issue. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation!
Raising this bug report as instructed within internal ICM 411742736.
I created a test (and working) environment and I believe the connector needs a review.
2 main issues so far:
Issue 1:
Step "3. Configure Oracle Database Audit events to be sent to Syslog" is wrong: we link 2 pages of the Oracle documentation but those pages are useless.
These are the steps that worked for me in obtaining a working config:
Issue 2:
The logging will be limited: for a SELECT statement Oracle will not log the full query in Syslog, even after using something like "ALTER SYSTEM SET AUDIT_TRAIL=xml, extended SCOPE=SPFILE;". This is explained in this blog post and in this Oracle doc: "Only a subset of unified audit record fields are written to ensure that the audit record entries do not exceed the maximum allowed size for a SYSLOG entry (typically 1024 bytes)." For this reason I don't understand why the rule "OracleDBAudit - SQL injection patterns" exists, or what it is doing looking for data that will never be logged.
Additional context
Both AWS and IBM have slightly better docs about this.
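The following is an added example, not code from this issue thread or from the Azure Sentinel repository. It models the limitation the report describes: when Oracle unified audit records are forwarded over syslog, only a reduced subset of fields is written so an entry stays under the typical 1024-byte syslog limit, and a detection rule keyed on the SQL statement text therefore has no data to match. The `KEY="value"` line layout, the field names (`SYSLOG_FIELDS`, `SQL_TEXT`, and so on), the allowlist of forwarded fields, the rule field requirements and the sample records are all constructed for illustration and are not Oracle's documented syslog format or the connector's parser. The practical check it demonstrates is the one a defender wants before trusting a rule: confirm that every field the rule needs actually appears in the ingested data, rather than assuming the source carries it.

```python
import re

# Typical per-entry syslog size limit quoted in the Oracle documentation cited above.
SYSLOG_MAX_BYTES = 1024

# Assumption for illustration: the syslog writer emits only this subset of the
# unified audit record; the statement text is deliberately not among them.
# These names and this layout are constructed, not Oracle's documented format.
SYSLOG_FIELDS = ("EVENT_TIMESTAMP", "DBUSERNAME", "ACTION_NAME",
                 "OBJECT_SCHEMA", "OBJECT_NAME", "RETURN_CODE")

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def to_syslog_entry(record, max_bytes=SYSLOG_MAX_BYTES):
    """Serialise the reduced field subset as KEY="value" pairs and hard-cap the
    entry at max_bytes, mirroring the two constraints the issue describes."""
    parts = [f'{k}="{record[k]}"' for k in SYSLOG_FIELDS if k in record]
    return " ".join(parts).encode()[:max_bytes].decode(errors="ignore")


def parse_syslog_entry(line):
    """Recover the KEY="value" pairs that survived the trip through syslog."""
    return dict(KV_RE.findall(line))


def missing_fields(entries, required):
    """Required fields that appear in no ingested entry at all: a rule keyed
    on any of these can never fire on this data source."""
    seen = set()
    for line in entries:
        seen.update(parse_syslog_entry(line))
    return sorted(set(required) - seen)


def rule_coverage(entries, required):
    """Fraction of entries on which a rule needing `required` can evaluate at all."""
    if not entries:
        return 0.0
    hits = sum(1 for line in entries
               if set(required) <= parse_syslog_entry(line).keys())
    return hits / len(entries)


# Constructed sample: full unified-audit records as the database itself holds them.
FULL_RECORDS = [
    {"EVENT_TIMESTAMP": "2023-08-21T10:15:02Z", "DBUSERNAME": "APP_USER",
     "ACTION_NAME": "SELECT", "OBJECT_SCHEMA": "HR", "OBJECT_NAME": "EMPLOYEES",
     "RETURN_CODE": "0",
     "SQL_TEXT": "select first_name from hr.employees where employee_id = :1"},
    {"EVENT_TIMESTAMP": "2023-08-21T10:16:40Z", "DBUSERNAME": "APP_USER",
     "ACTION_NAME": "LOGON", "OBJECT_SCHEMA": "", "OBJECT_NAME": "",
     "RETURN_CODE": "1017", "SQL_TEXT": ""},
]

# Hypothetical field requirements for two kinds of rule: one that needs the
# statement text (like the SQL injection patterns rule) and one that does not.
INJECTION_RULE_FIELDS = ("DBUSERNAME", "SQL_TEXT")
FAILED_LOGON_RULE_FIELDS = ("DBUSERNAME", "ACTION_NAME", "RETURN_CODE")


def syslog_entries():
    """What actually reaches the workspace after the syslog writer's reductions."""
    return [to_syslog_entry(r) for r in FULL_RECORDS]


if __name__ == "__main__":
    entries = syslog_entries()
    for line in entries:
        print(line)
    print("injection rule coverage:", rule_coverage(entries, INJECTION_RULE_FIELDS))
    print("fields it can never see:", missing_fields(entries, INJECTION_RULE_FIELDS))
    print("failed-logon rule coverage:", rule_coverage(entries, FAILED_LOGON_RULE_FIELDS))
```

Run as a script it prints the reduced entries, a coverage of 0.0 for the statement-text rule with `SQL_TEXT` listed as never present, and 1.0 for the logon-failure rule. The same `missing_fields` check, pointed at real ingested rows instead of the constructed sample, is the quickest way to tell whether a rule is dead on arrival for a given source.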