EventLog Analyzer for effective Oracle Database auditing and compliance

This guide describes how to use ManageEngine EventLog Analyzer to audit, monitor, and secure Oracle Database. It covers the auditing, threat detection, and data security use cases the log management solution supports, along with its compliance reporting capabilities.

Understanding Oracle Database auditing reports: Use cases

Oracle Database auditing captures detailed information about user activities within the database. The data gathered through auditing provides valuable insights into user actions, enabling you to monitor access patterns and identify potential security risks.

Use case: Database activity monitoring
Description: Database activity monitoring involves tracking and analyzing changes, queries, and user actions within a database to ensure data security, detect unauthorized access, and maintain data integrity.
Why implement? Implementing database activity monitoring enables early detection of suspicious activity, helping prevent potential breaches and data loss. It also supports compliance with regulations by ensuring consistent oversight of sensitive data handling.
Available reports:
  • Created Clusters
  • Dropped Clusters
  • Altered Clusters
  • Tables Created
  • Tables Dropped
  • Databases Created
  • Databases Altered
  • Tables Altered
  • Tables Selected
  • Databases Dropped
  • Tables Inserted
  • Tables Updated
  • Tables Deleted
  • Created functions
  • Dropped functions
  • Altered functions
  • Schemas Created
  • Created procedures
  • Dropped procedures
  • Altered procedures
  • Executed procedures
  • Triggers Created
  • Triggers Dropped
  • Triggers Altered

Use case: Auditing account management
Description: Auditing account management in Oracle Database involves tracking and recording changes to user accounts, roles, and privileges to ensure security and compliance.
Why implement? To detect unauthorized access or modifications, ensure regulatory compliance, and maintain data integrity by monitoring user activities and changes within the database.
Available reports:
  • Created profiles
  • Dropped profiles
  • Altered profiles
  • User Created
  • User Dropped
  • User Altered
  • Roles created
  • Dropped roles
  • Altered roles
  • Granted roles
  • Revoked roles
  • System Grant
  • System Revoke
  • Alter System

Use case: Auditing server report
Description: An auditing server report in Oracle Database tracks and logs database activities, providing detailed records of user actions for security and compliance purposes.
Why implement? Implementing this ensures the detection of unauthorized access or anomalies, aids in regulatory compliance, and enhances the overall security posture of the database system.
Available reports:
  • Connect Events
  • Server Startup
  • Server Shutdown
  • Logons
  • Logoff
  • Failed Logons
  • Top logons based on users

Use case: Security reports
Description: Security reports in an Oracle Database provide detailed information about the security posture and potential vulnerabilities of the database system.
Why implement? Implementing security reports is crucial to identify and mitigate security risks, ensure compliance with regulatory standards, and protect sensitive data from unauthorized access.
Available reports:
  • SQL Injection
  • Account Lockouts
  • Expired Passwords
  • Denial of Service

Threat detection use cases

The table below outlines the preconfigured threat detection scenarios supported for the Oracle Database platform through EventLog Analyzer. Additionally, our solution provides a customizable correlation rule builder, empowering users to craft their own detection rules.

Use case: SQL injection
Event type: Event ID 24001 - Login success
Relevant MITRE ATT&CK TTPs:
  • ID: T1190
  • Tactic: Initial Access
Detection rules:
  • Reports: Applications - Oracle - Security Reports
  • Correlation: Web server threats - Repeated SQL injection attempts

Use case: Account lockouts
Event type: Event ID 4740 - A user account was locked out.
Relevant MITRE ATT&CK TTPs:
  • ID: T1531
  • Tactic: Impact
Detection rules:
  • Reports: Applications - Oracle - Security Reports

Use case: Denial of service
Event type: Event ID 5149 - Success audit
Relevant MITRE ATT&CK TTPs:
  • ID: T1498
  • Sub-techniques: T1498.001, T1498.002
  • Tactic: Impact
Detection rules:
  • Reports: Applications - Oracle - Security Reports
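The "Repeated SQL injection attempts" correlation rule above is a threshold-in-a-time-window rule: a single event classified under the SQL Injection report is only a finding, but several from the same origin within a short window are an incident. The following is an added example written for this page, not EventLog Analyzer's rule engine or any of its code. It shows the logic of such a rule over constructed, pre-classified Oracle audit events; the record layout (a timestamp, a source address, a user and the report the event was filed under) and the threshold and window values are assumptions.

```python
"""
Added example: a minimal sliding-window correlation rule of the kind the
"Repeated SQL injection attempts" row describes. Illustrative code written
for this page, not EventLog Analyzer's rule engine; the event layout below
is an assumption about what a parsed, classified Oracle audit record holds.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real audit data). Each has already been
# classified under a report name, as the product's reports table implies.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "10.0.0.5", "user": "APP_USER",  "report": "SQL Injection"},
    {"ts": "2024-05-01T10:00:20", "source": "10.0.0.5", "user": "APP_USER",  "report": "SQL Injection"},
    {"ts": "2024-05-01T10:00:45", "source": "10.0.0.9", "user": "REPORTING", "report": "Failed Logons"},
    {"ts": "2024-05-01T10:01:10", "source": "10.0.0.5", "user": "APP_USER",  "report": "SQL Injection"},
    {"ts": "2024-05-01T10:07:00", "source": "10.0.0.5", "user": "APP_USER",  "report": "SQL Injection"},
    {"ts": "2024-05-01T10:07:30", "source": "10.0.0.7", "user": "HR_RO",     "report": "SQL Injection"},
]


def correlate_repeated(events, report, threshold, window_seconds, key="source"):
    """Return one alert per burst of `threshold` or more events filed under
    `report` that share the same `key` value inside a sliding window of
    `window_seconds`. Events must be supplied in chronological order.

    Each alert is a tuple (key_value, window_start_iso, count). After an
    alert fires for a key its window is cleared, so one burst produces one
    alert instead of one per additional event.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # key value -> timestamps still in window
    alerts = []
    for ev in events:
        if ev["report"] != report:
            continue              # other reports are not this rule's concern
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev[key]]
        q.append(ts)
        # Evict timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev[key], q[0].isoformat(), len(q)))
            q.clear()
    return alerts


if __name__ == "__main__":
    # Hypothetical tuning: three classified events from one source in two minutes.
    for src, start, n in correlate_repeated(SAMPLE_EVENTS, "SQL Injection",
                                            threshold=3, window_seconds=120):
        print(f"ALERT: repeated SQL injection attempts from {src} "
              f"starting {start} ({n} events)")
```

On the constructed sample the rule raises exactly one alert, for 10.0.0.5, because its first three events fall inside 120 seconds; the fourth arrives six minutes later, after the window was cleared, and the single event from 10.0.0.7 never reaches the threshold. The `key` parameter is the design choice worth attention when tuning a real rule: keying on the source address catches one host hammering the listener, while keying on the database user (`key="user"`) catches a compromised account used from several hosts. Running both is cheap and avoids a blind spot either one alone has.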

Compliance

The below table illustrates how EventLog Analyzer can help you meet compliance use cases for Oracle Database. For detailed solution mapping, check out this space.

Reports and alerts: Oracle Security Changes
  • Oracle SQL Injection
  • Oracle Connect Events
  • Oracle Failed Logons
  • Oracle Account Lockouts
  • Oracle Expired Password
  • Oracle Denial of Service
Detection rules: Repeated SQL injection attempts
Regulatory mandates and requirements:
  • GDPR: Article 5 (1B); Article 5 (1F); Article 32 (1D)
  • ISLP: Article 12; Article 13; Article 19.3; Article 20.5; Article 30.4; Article 30.6
  • NRC: ACT B.1.6; ACT C.3.4; ACT C.11.4
  • COCO: 2. Authentication and Access Control
  • NERC: CIP 007-6 R4.1; CIP 007-6 R4.2; CIP 007-6 R5.7
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 3 - Section 19 (2) (a); Chapter 3 - Section 20 (1) (b)
  • QCF: 3.2 Endpoint Security Service; 4.2 Application Security Service; 4.6.2 Threat Modelling; 6.2 Data Protection Service; 6.8.3 Data at rest; 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy
  • TISAX: 4.2.1
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.3.7 Change Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • CJDN: Application Development
  • UAE-NESA: T3.2.3; T7.6.1
  • LGPD: Art 14

Reports and alerts: Oracle DDL Changes
  • Oracle Database Created
  • Oracle Database Deleted
  • Oracle Database Modified
  • Oracle Table Created
  • Oracle Table Deleted
  • Oracle Table Modified
  • Oracle Procedure Created
  • Oracle Procedure Deleted
  • Oracle Procedure Modified
  • Oracle Cluster Created
  • Oracle Cluster Deleted
  • Oracle Cluster Modified
  • Oracle Trigger Created
  • Oracle Trigger Deleted
  • Oracle Trigger Modified
Regulatory mandates and requirements:
  • GDPR: Article 5 (1D); Article 5 (1F); Article 32 (1B); Article 32 (1D)
  • ISLP: Article 12; Article 13; Article 19.3; Article 20.5; Article 30.4; Article 30.6
  • NRC: ACT B.1.6; ACT B.1.22; ACT B.2.6; ACT C.3.4; ACT C.3.7; ACT C.4.3
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 3 - Section 19 (2) (a); Chapter 3 - Section 20 (1) (b)
  • QCF: 3.2 Endpoint Security Service; 4.2 Application Security Service; 4.6.2 Threat Modelling; 6.2 Data Protection Service; 6.8.3 Data at rest; 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.3.6 Application Security; 3.3.7 Change Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • CJDN: Application Development
  • UAE-NESA: T3.2.3; T7.6.1
  • LGPD: Art 14

Reports and alerts: Oracle DML Changes
  • Oracle Selected Table
  • Oracle Inserted Table
  • Oracle Updated Table
  • Oracle Deleted Table
  • Oracle Executed Procedure
Regulatory mandates and requirements:
  • GDPR: Article 5 (1D); Article 5 (1F); Article 32 (1B); Article 32 (1D)
  • ISLP: Article 12; Article 13; Article 19.3; Article 20.5; Article 30.4; Article 30.6
  • NRC: ACT B.1.6; ACT B.1.22; ACT B.2.6; ACT C.3.4; ACT C.3.7; ACT C.4.3
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • PDPA: Rule VI Section 25; Rule VII Section 30
  • NIST CSF: Data Security (PR.DS)
  • POPIA: Chapter 3 - Section 19 (2) (a); Chapter 3 - Section 20 (1) (b)
  • QCF: 3.2 Endpoint Security Service; 4.2 Application Security Service; 4.6.2 Threat Modelling; 6.2 Data Protection Service; 6.8.3 Data at rest; 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.2.1.3 Cyber Security Risk Response; 3.3.6 Application Security; 3.3.7 Change Management
  • PDPL: Article 19 - Information Security; Article 21 - Controls and Procedures for Dealing with Credit Data
  • CJDN: Application Development
  • UAE-NESA: T3.2.3; T7.6.1
  • LGPD: Art 14

Reports and alerts: Oracle Account Changes
  • Oracle Profile Created
  • Oracle Profile Deleted
  • Oracle Profile Modified
  • Oracle User Created
  • Oracle User Deleted
  • Oracle User Modified
  • Oracle Role Created
  • Oracle Role Deleted
  • Oracle Role Modified
  • Oracle Granted Roles
  • Oracle System Grant
  • Oracle System Revoke
  • Oracle Revoked Roles
  • Oracle Alter System
Regulatory mandates and requirements:
  • GDPR: Article 5 (1F); Article 32 (1D)
  • Cyber Essentials: User Access Control
  • NERC: CIP 005-6 R1.3; CIP 007-6 R5.3
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • CMMC: C013 - CM.2.061
  • POPIA: Chapter 3 - Section 19 (2) (a)
  • QCF: 3.2 Endpoint Security Service; 5.2.2 Network Access Control Management Service; 6.8.3 Data at rest; 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy
  • TISAX: 4.1.2; 4.1.3; 5.2.4
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.3.6 Application Security; 3.3.7 Change Management
  • UAE-NESA: T3.2.3; T7.6.1
  • LGPD: Art 14

Reports and alerts: Oracle Auditing Server Reports
  • Oracle Logoffs
  • Oracle Connect Events
  • Oracle Server Startup
  • Oracle Logons
  • Oracle Server Shutdown
  • Oracle Failed Logons
Regulatory mandates and requirements:
  • CCPA and CPRA: Section 1798.150.(a)
  • FERPA: Section 99.31 (a)(1)(ii)
  • POPIA: Chapter 3 - Section 19 (2) (a)
  • QCF: 6.8.3 Data at rest; 7.2 Change and Patch Management Service; 8.11 Security monitoring and operations strategy
  • TISAX: 4.1.2
  • SAMA: 3.2.1.1 Cyber Security Risk Identification; 3.3.7 Change Management
  • CJDN: Application Development
  • UAE-NESA: T3.2.3; T7.6.1
  • LGPD: Art 14