Oracle Database Auditor: Workbooks with not results #10276

Closed
gmarmolejos opened this issue Apr 11, 2024 · 7 comments · May be fixed by #10273
Assignees
Labels
Workbook Workbook specialty review needed

Comments

@gmarmolejos

gmarmolejos commented Apr 11, 2024

I'm sorry, but I can't reopen the case. My user doesn't have this feature allowed.

Describe the bug
Oracle Database Auditor doesn't bring information about Oracle Database Table Queried and User Privileges. It only shows "the query returned no results".

To Reproduce
Steps to reproduce the behavior:

Activate Oracle Database Audit.
Enable Syslog in the Linux server.
Wait until Sentinel gets the data.
Expected behavior
To be fair, all the information is shown except those two. Is it possible to modify the query to receive this information, or why is this information in the workbook's sample?
If I try to execute/use it, the TableName object doesn't work either.

I created this issue previously here:
#9602

It was closed because v-muuppugund closed the issue (#9987) as per your standard operating procedures.

And I tried to execute the sample shown by v-muuppugund, but I don't get anything new:

image

Is it possible that the change is not available yet?

The case was seen by the user:

v-muuppugund (thanks for the help). I'm very grateful.

@v-muuppugund
Contributor

v-muuppugund commented Apr 11, 2024

@gmarmolejos Sure, will keep open and update you on the PR.

@v-sudkharat v-sudkharat added the Workbook Workbook specialty review needed label Apr 11, 2024
@v-sudkharat v-sudkharat linked a pull request Apr 15, 2024 that will close this issue
@v-sudkharat
Contributor

Hey @gmarmolejos, we have raised the PR with the corrections. Once the PR gets merged, the changes will be reflected in the upcoming solution version.
PR link #10273

Thanks!

@v-muuppugund
Contributor

v-muuppugund commented Apr 22, 2024

@gmarmolejos Mistakenly added a no-data screenshot, due to the data during the time duration selected in the workspace; added the updated, correct screenshot.
image

@v-sudkharat
Contributor

Hi @gmarmolejos, could you please run the below parser in your workspace and share the result with us, so we can proceed to merge the changes into master.

    let ActionMappingTable = datatable(ACTION:string, ActionName:string) [
                             1, 'CREATE TABLE',
                             2, 'INSERT',
                             3, 'SELECT',
                             4, 'CREATE CLUSTER',
                             5, 'ALTER CLUSTER',
                             6, 'UPDATE',
                             7, 'DELETE',
                             8, 'DROP CLUSTER',
                             9, 'CREATE INDEX',
                             10, 'DROP INDEX',
                             11, 'ALTER INDEX',
                             12, 'DROP TABLE',
                             13, 'CREATE SEQUENCE',
                             14, 'ALTER SEQUENCE',
                             15, 'ALTER TABLE',
                             16, 'DROP SEQUENCE',
                             17, 'GRANT OBJECT',
                             18, 'REVOKE OBJECT',
                             19, 'CREATE SYNONYM',
                             20, 'DROP SYNONYM',
                             21, 'CREATE VIEW',
                             22, 'DROP VIEW',
                             23, 'VALIDATE INDEX',
                             24, 'CREATE PROCEDURE',
                             25, 'ALTER PROCEDURE',
                             26, 'LOCK',
                             27, 'NO-OP',
                             28, 'RENAME',
                             29, 'COMMENT',
                             30, 'AUDIT OBJECT',
                             31, 'NOAUDIT OBJECT',
                             32, 'CREATE DATABASE LINK',
                             33, 'DROP DATABASE LINK',
                             34, 'CREATE DATABASE',
                             35, 'ALTER DATABASE',
                             36, 'CREATE ROLLBACK SEG',
                             37, 'ALTER ROLLBACK SEG',
                             38, 'DROP ROLLBACK SEG',
                             39, 'CREATE TABLESPACE',
                             40, 'ALTER TABLESPACE',
                             41, 'DROP TABLESPACE',
                             42, 'ALTER SESSION',
                             43, 'ALTER USER',
                             44, 'COMMIT',
                             45, 'ROLLBACK',
                             46, 'SAVEPOINT',
                             47, 'PL/SQL EXECUTE',
                             48, 'SET TRANSACTION',
                             49, 'ALTER SYSTEM',
                             50, 'EXPLAIN',
                             51, 'CREATE USER',
                             52, 'CREATE ROLE',
                             53, 'DROP USER',
                             54, 'DROP ROLE',
                             55, 'SET ROLE',
                             56, 'CREATE SCHEMA',
                             57, 'CREATE CONTROL FILE',
                             59, 'CREATE TRIGGER',
                             60, 'ALTER TRIGGER',
                             61, 'DROP TRIGGER',
                             62, 'ANALYZE TABLE',
                             63, 'ANALYZE INDEX',
                             64, 'ANALYZE CLUSTER',
                             65, 'CREATE PROFILE',
                             66, 'DROP PROFILE',
                             67, 'ALTER PROFILE',
                             68, 'DROP PROCEDURE',
                             70, 'ALTER RESOURCE COST',
                             71, 'CREATE MATERIALIZED VIEW LOG',
                             72, 'ALTER MATERIALIZED VIEW LOG',
                             73, 'DROP MATERIALIZED VIEW LOG',
                             74, 'CREATE MATERIALIZED VIEW',
                             75, 'ALTER MATERIALIZED VIEW',
                             76, 'DROP MATERIALIZED VIEW',
                             77, 'CREATE TYPE',
                             78, 'DROP TYPE',
                             79, 'ALTER ROLE',
                             80, 'ALTER TYPE',
                             81, 'CREATE TYPE BODY',
                             82, 'ALTER TYPE BODY',
                             83, 'DROP TYPE BODY',
                             84, 'DROP LIBRARY',
                             85, 'TRUNCATE TABLE',
                             86, 'TRUNCATE CLUSTER',
                             91, 'CREATE FUNCTION',
                             92, 'ALTER FUNCTION',
                             93, 'DROP FUNCTION',
                             94, 'CREATE PACKAGE',
                             95, 'ALTER PACKAGE',
                             96, 'DROP PACKAGE',
                             97, 'CREATE PACKAGE BODY',
                             98, 'ALTER PACKAGE BODY',
                             99, 'DROP PACKAGE BODY',
                             100, 'LOGON',
                             101, 'LOGOFF',
                             102, 'LOGOFF BY CLEANUP',
                             103, 'SESSION REC',
                             104, 'SYSTEM AUDIT',
                             105, 'SYSTEM NOAUDIT',
                             106, 'AUDIT DEFAULT',
                             107, 'NOAUDIT DEFAULT',
                             108, 'SYSTEM GRANT',
                             109, 'SYSTEM REVOKE',
                             110, 'CREATE PUBLIC SYNONYM',
                             111, 'DROP PUBLIC SYNONYM',
                             112, 'CREATE PUBLIC DATABASE LINK',
                             113, 'DROP PUBLIC DATABASE LINK',
                             114, 'GRANT ROLE',
                             115, 'REVOKE ROLE',
                             116, 'EXECUTE PROCEDURE',
                             117, 'USER COMMENT',
                             118, 'ENABLE TRIGGER',
                             119, 'DISABLE TRIGGER',
                             120, 'ENABLE ALL TRIGGERS',
                             121, 'DISABLE ALL TRIGGERS',
                             122, 'NETWORK ERROR',
                             123, 'EXECUTE TYPE',
                             128, 'FLASHBACK',
                             129, 'CREATE SESSION',
                             157, 'CREATE DIRECTORY',
                             158, 'DROP DIRECTORY',
                             159, 'CREATE LIBRARY',
                             160, 'CREATE JAVA',
                             161, 'ALTER JAVA',
                             162, 'DROP JAVA',
                             163, 'CREATE OPERATOR',
                             164, 'CREATE INDEXTYPE',
                             165, 'DROP INDEXTYPE',
                             167, 'DROP OPERATOR',
                             168, 'ASSOCIATE STATISTICS',
                             169, 'DISASSOCIATE STATISTICS',
                             170, 'CALL METHOD',
                             171, 'CREATE SUMMARY',
                             172, 'ALTER SUMMARY',
                             173, 'DROP SUMMARY',
                             174, 'CREATE DIMENSION',
                             175, 'ALTER DIMENSION',
                             176, 'DROP DIMENSION',
                             177, 'CREATE CONTEXT',
                             178, 'DROP CONTEXT',
                             179, 'ALTER OUTLINE',
                             180, 'CREATE OUTLINE',
                             181, 'DROP OUTLINE',
                             182, 'UPDATE INDEXES',
                             183, 'ALTER OPERATOR',
                             197, 'PURGE USER_RECYCLEBIN',
                             198, 'PURGE DBA_RECYCLEBIN',
                             199, 'PURGE TABLESAPCE',
                             200, 'PURGE TABLE',
                             201, 'PURGE INDEX',
                             202, 'UNDROP OBJECT',
                             204, 'FLASHBACK DATABASE',
                             205, 'FLASHBACK TABLE',
                             206, 'CREATE RESTORE POINT',
                             207, 'DROP RESTORE POINT',
                             208, 'PROXY AUTHENTICATION ONLY',
                             209, 'DECLARE REWRITE EQUIVALENCE',
                             210, 'ALTER REWRITE EQUIVALENCE',
                             211, 'DROP REWRITE EQUIVALENCE'];
    Syslog
    // Keep only Oracle Unified Audit records forwarded over syslog
    | where SyslogMessage contains "Unified Audit" and ProcessName == "Oracle"
    | extend MessageLength = strlen(SyslogMessage)
        , Privilege = column_ifexists("PRIVILEGE", "")
        , ClientTerminal = column_ifexists("CLIENT TERMINAL", "")
        , Status = column_ifexists("STATUS", "")
        , Statement = column_ifexists("STATEMENT", "")
        , SrcDvcHostname = column_ifexists("HostName", "")
        , SrcIpAddr = column_ifexists("HostIP", "")
        , SrcPortNumber = column_ifexists("PORT", "")
    // Record length reported by Oracle, e.g. LENGTH: '231'
    | parse SyslogMessage with * "LENGTH: '" LENGTH "'" *
    // KEY:"value" pairs of the audit record
    | parse-kv SyslogMessage as (TYPE:string, DBID:string, SESID:string, CLIENTID:string, ENTRYID:int, STMTID:int, DBUSER:string, CURUSER:string, ACTION:string, RETCODE:int, SCHEMA:string, OBJNAME:string) with (pair_delimiter=' ', kv_delimiter=':', quote='"')
    // Resolve the numeric ACTION code to its name
    | lookup ActionMappingTable on ACTION
    | extend DbAction = case(isnotempty(ActionName), ActionName, "UNKNOWN ACTION")
    | extend EventVendor = "Oracle"
    | extend EventProduct = "Oracle Audit"
    | project-rename DstUserName = DBUSER
        , SrcUserName = CURUSER
        , DbId = DBID
        , SessionId = SESID
        , EntryId = ENTRYID
        , ReturnCode = RETCODE
        , ObjName = OBJNAME
        , Action = ACTION
        , ActionLength = LENGTH
    | project TimeGenerated
        , EventVendor
        , EventProduct
        , SeverityLevel
        , MessageLength
        , Action
        , ActionLength
        , DbAction
        , DstUserName
        , Privilege
        , SrcUserName
        , ClientTerminal
        , Status
        , DbId
        , SessionId
        , EntryId
        , Statement
        , SrcDvcHostname
        , SrcIpAddr
        , SrcPortNumber
        , ReturnCode
        //, ObjCreator
        , ObjName
        , CLIENTID
        , STMTID
        , SCHEMA
        //, OsUserId

Thanks!
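To see what the parse / parse-kv / lookup stages of the parser above actually yield for one record, here is an added Python check. It is not part of the parser, the pull request, or the Azure Sentinel repository; it re-implements those three stages over a constructed syslog line (not a real capture) using a subset of the action table, and lists the fields that come back empty. PRIVILEGE, CLIENT TERMINAL, STATUS and STATEMENT are read in the parser through column_ifexists() rather than parsed from the message, so in this simulation they stay empty; whether the live Syslog schema of a given workspace carries such columns is an assumption to verify there.

```python
import re

# Subset of the ACTION -> ActionName mapping from the datatable above
# (the full table has many more rows).
ACTION_NAMES = {
    "3": "SELECT",
    "100": "LOGON",
    "101": "LOGOFF",
    "108": "SYSTEM GRANT",
    "129": "CREATE SESSION",
}

# Fields the parser extracts with parse-kv.
KV_FIELDS = ("TYPE", "DBID", "SESID", "CLIENTID", "ENTRYID", "STMTID", "DBUSER",
             "CURUSER", "ACTION", "RETCODE", "SCHEMA", "OBJNAME")

# Fields the parser reads with column_ifexists(); they are only populated when a
# column of that name already exists upstream, which this simulation assumes it does not.
IFEXISTS_FIELDS = ("PRIVILEGE", "CLIENT TERMINAL", "STATUS", "STATEMENT")

_LENGTH_RE = re.compile(r"LENGTH: '(\d+)'")
# KEY:"value" pairs separated by spaces, the same shape parse-kv is configured for
_KV_RE = re.compile(r'(\w+):"([^"]*)"')


def parse_oracle_audit(syslog_message):
    """Mimic the where / parse / parse-kv / lookup stages of the KQL parser on one message."""
    if "Unified Audit" not in syslog_message:
        return None  # the 'where' clause would drop this row
    record = {"MessageLength": len(syslog_message)}
    m = _LENGTH_RE.search(syslog_message)
    record["ActionLength"] = m.group(1) if m else ""
    pairs = dict(_KV_RE.findall(syslog_message))
    for key in KV_FIELDS:
        record[key] = pairs.get(key, "")
    # lookup + case(): unmapped codes become "UNKNOWN ACTION"
    record["DbAction"] = ACTION_NAMES.get(record["ACTION"], "UNKNOWN ACTION")
    # column_ifexists() falls back to "" when no such column exists
    for key in IFEXISTS_FIELDS:
        record[key] = pairs.get(key, "")
    return record


def empty_fields(record):
    """Sorted names of fields that came back empty; a workbook tile built on them shows no results."""
    return sorted(k for k, v in record.items() if v == "")


# Constructed sample shaped like an Oracle Unified Audit syslog line (not a real capture).
SAMPLE = (
    "Oracle Unified Audit[12345]: LENGTH: '231' "
    'TYPE:"1" DBID:"1234567890" SESID:"987654321" CLIENTID:"" ENTRYID:"7" STMTID:"12" '
    'DBUSER:"HR" CURUSER:"HR" ACTION:"3" RETCODE:"0" SCHEMA:"HR" OBJNAME:"EMPLOYEES"'
)

if __name__ == "__main__":
    rec = parse_oracle_audit(SAMPLE)
    print(rec["DbAction"], rec["DBUSER"], rec["OBJNAME"])
    print("empty fields:", empty_fields(rec))
```

Running it prints the resolved action, user and object for the constructed line and then the list of empty fields, which is the quickest way to see which workbook columns a given message shape can and cannot populate before changing the query.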

@v-sudkharat
Contributor

Hi @gmarmolejos, waiting for your response on above comment. Thanks!

@v-sudkharat
Contributor

Hi @gmarmolejos, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 27-05-2024, we will be closing this issue.
Thanks!

@v-sudkharat
Contributor

Hi @gmarmolejos, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
