A Smarter, Oracle Cloud Guard for OCI Events Integration

Security Information and Event Management (SIEM) is one of the most critical elements in information security. Businesses that run workloads both on-premises and on Oracle Cloud Infrastructure often rely on two separate SIEM consoles: one for their on-prem infrastructure and one for the cloud, namely Oracle Cloud Guard (widely known for its Security Zones feature). While both tools do tremendous work, a holistic view across the on-prem and Oracle Cloud Infrastructure security estate remains absent, which creates operational inefficiencies and overhead from managing security information and events for each infrastructure separately. Moreover, automation, the key to seamlessly detecting and resolving configuration and activity anomalies, proves inadequate because of the lack of integration and the resulting dependence on manual remedial response.

To address this problem, Oracle has introduced a smarter Oracle Cloud Guard, bundled with:

  1. a greater number of new event types
  2. intelligent categorization, and new fields containing action details and insights, e.g., the ‘reason’ field
  3. enhanced automated remediation
  4. zero false problem events and no unnecessary or ‘unactionable’ recommendations, and
  5. most importantly, the capacity to integrate with any SIEM console deployed for on-prem event and security information management, offering users the essential holistic view, via the Oracle Events Service to OCI Notifications (Slack, email, PagerDuty) or Oracle Functions

What is new about the Oracle Cloud Guard event types, and insight fields?

The new event types now include ‘Problem-Dismissed’ and, in particular, the modified ‘Problem Threshold Reached’ in lieu of ‘Target-Information’, as part of the intelligent categorization drive in Oracle Cloud Guard (e.g., complying with a naming convention aligned with the product’s functionality).

These new event types solve a great many problems. Firstly, the problem summary is now readily available in event data and logs. Secondly, under the event type ‘Problem-Detected’ there are sub-events that distinguish a new problem, an update to an existing problem, a Cloud Guard-directed re-opening of an existing problem, and a user-directed re-opening of an existing problem. This is exactly where the additional fields, such as the ‘reason’ field, come into play, storing the details of the event as well as any insights. This is a big change, since it eliminates false or redundant notifications and instead sends an update notice along with the details of the actions leading to the event.

Further, when a problem is automatically or manually remediated, an event is sent indicating which of the three available paths the corrective measure took. The event records either ‘User marked the problem as resolved’, ‘Problem auto resolved’, or ‘User does manual problem remediation / responder rules configured for auto remediation’. Lastly comes the ‘Problem-Dismissed’ event, which is triggered upon the acceptance or rejection of an actionable Oracle Cloud Guard recommendation.
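To show how the event types and the ‘reason’ field described above can drive a SIEM integration, here is an added example (not code from the original post or from Oracle) of the normalization step an Oracle Function or a SIEM ingest script would perform on one OCI Events envelope. The Cloud Guard eventType strings, the data/additionalDetails layout, the problemSummary key name and the keyword rules on ‘reason’ are assumptions to verify against the events your own tenancy emits.

```python
import json
from typing import Optional

# Assumption: eventType values and the data/additionalDetails layout follow the
# OCI Events envelope; verify them against the events your tenancy actually emits.
CLOUD_GUARD_TYPES = {
    "com.oraclecloud.cloudguard.problemdetected": "detected",
    "com.oraclecloud.cloudguard.problemremediated": "remediated",
    "com.oraclecloud.cloudguard.problemdismissed": "dismissed",
    "com.oraclecloud.cloudguard.problemthresholdreached": "threshold_reached",
}

def detected_subtype(reason: str) -> str:
    """Split 'Problem-Detected' into the four sub-events the post describes.
    The keyword rules are constructed; adjust them to the 'reason' strings you see."""
    r = reason.lower()
    if "reopen" in r:
        return "reopened_by_user" if "user" in r else "reopened_by_cloud_guard"
    return "updated" if "update" in r else "new"

def normalize(envelope: str) -> Optional[dict]:
    """Flatten one Cloud Guard event (JSON text from OCI Events) into a SIEM record.
    Returns None for events that did not come from Cloud Guard."""
    event = json.loads(envelope)
    category = CLOUD_GUARD_TYPES.get(event.get("eventType", ""))
    if category is None:
        return None
    data = event.get("data") or {}
    details = data.get("additionalDetails") or {}
    reason = details.get("reason", "")
    subtype = detected_subtype(reason) if category == "detected" else category
    # Routing policy (ours, not Cloud Guard's): only states needing a human or a
    # responder get paged; updates, remediations and dismissals are logged only.
    actionable = subtype in {"new", "reopened_by_user", "reopened_by_cloud_guard", "threshold_reached"}
    return {
        "event_id": event.get("eventID"), "time": event.get("eventTime"),
        "category": category, "subtype": subtype, "reason": reason,
        "summary": details.get("problemSummary", ""),  # assumed key name
        "resource": data.get("resourceName"), "compartment": data.get("compartmentName"),
        "page_on_call": actionable,
    }

# Constructed sample event, shaped like an OCI Events envelope.
SAMPLE = json.dumps({
    "eventType": "com.oraclecloud.cloudguard.problemdetected",
    "eventID": "evt-0001", "eventTime": "2021-06-01T12:00:00Z",
    "data": {"resourceName": "bucket-public", "compartmentName": "prod",
             "additionalDetails": {"reason": "Problem reopened by user",
                                   "problemSummary": "Bucket is public"}},
})
```

Calling `normalize(SAMPLE)` yields a flat record with subtype `reopened_by_user` and `page_on_call` set, while a remediation event of the same problem is classified as log-only.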

With these feature additions, along with the option to integrate Oracle Cloud Guard with an on-prem SIEM console or API via the Oracle Events Service to OCI Notifications or Oracle Functions, Oracle Cloud Guard clearly prepares the ground for the next generation of security information and event management systems.

Below are some important links for setting up notifications and external consoles for Oracle Cloud Guard:

  1. https://blogs.oracle.com/cloudsecurity/post/quick-tip-4—setting-up-notifications-for-oracle-cloud-guard-in-3-easy-steps
  2. https://www.ateam-oracle.com/integrate-oracle-cloud-guard-with-external-systems-using-oci-events-and-functions
  3. https://blogs.oracle.com/cloudsecurity/post/announcing-oracle-cloud-guards-expanded-oci-events-integration