External Systems Configuration Guide

Oracle Cloud Access Security Broker (CASB)

What is Discovered and Monitored

| Protocol | Information Discovered | Metrics Collected | Used For |
|---|---|---|---|
| API |  | Risk Events, Risk Alerts and Policy Event logs | Security Monitoring |

Event Types

In ADMIN > Device Support > Event Types, search for "Oracle-CASB-" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 3 event types defined.

 

Rules

There are no specific rules available for Oracle CASB.

Reports

There are no specific reports available for Oracle CASB. You can view all Oracle events by taking the following steps.

  1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
  2. Under Filter, select Event Attribute.
  3. In the Attribute field, select/enter "Event Type".
  4. In the Operator field, select "CONTAIN".
  5. In the Value field, enter "Oracle-CASB-".
  6. (Optional) Click Save to save the search parameters for future related searches.
  7. Click Apply & Run.

Configuration

Setup in FortiSIEM

FortiSIEM processes events from this device via the Oracle CASB API. Before proceeding, obtain the API access key and secret key from the Oracle CASB Portal.

Complete these steps in the FortiSIEM UI:

  1. Go to the ADMIN > Setup > Credentials tab.
  2. In Step 1: Enter Credentials:
    1. Follow the instructions in “Setting Credentials” in the User's Guide to create a new credential.
    2. Enter these settings in the Access Method Definition dialog box:

      | Settings | Description |
      |---|---|
      | Name | Enter a name for the credential. |
      | Device Type | Oracle CASB |
      | Access Protocol | Oracle CASB API |
      | Pull Interval | 5 minutes |
      | Access Key | The access key for your Oracle CASB instance. |
      | Secret Key | The secret key for your Oracle CASB instance. |
      | Confirm Secret Key | Input the same secret key as above for verification. |
      | Description | A description of the device. |
  3. In Step 2: Enter IP Range to Credential Associations, click New.
    1. Enter a host name, an IP, or an IP range in the IP/Host Name field.
    2. Select the name of your credential from the Credentials drop-down list.
    3. Click Save.
  4. Click the Test drop-down list and select Test Connectivity to test the connection to Oracle CASB.
  5. To see the jobs associated with Oracle CASB, select ADMIN > Setup > Pull Events.
  6. To see the received events, select ANALYTICS, then enter "CASB" in the search box.

Sample Log

<![CDATA[[FSM-OracleCASB-riskevent] [1] {"id":"aa1nhj35-6d84-3f5a-a9b5-3e1509bad324","uri":"/v1/events/riskevent?eventId=aa1eab35-6d84-3f5a-a9b5-3e1509bad324&applicationInstanceId;=5786ed4c-3527-413d-8j19-da93d0f065c8","appname":"AWS","appinstance":"awse2e_01","appinstanceid":"64909d3d-3855-5de1-49ed-6452ae9f6365","snapdate":"2017-10-25","title":"DeleteSecurityGroup action in EC2 SecurityGroup \"SecurityGroup\"","additionalDetails":[{"Details":[{"name":"Actor","value":"funct_test_nonservice"},{"name":"Resource type","value":"EC2 SecurityGroup"},{"name":"Group","value":"SecurityGroup"},{"name":"Resource name","value":"[JKSecurityGroup]"},{"name":"Action","value":"DeleteSecurityGroup"},{"name":"Policy alert name","value":"EC2 - Instances Network Routes Network ACL VPN and Security Group changes"},{"name":"Occurred","value":"2017-10-25T17:17:29Z"},{"name":"recommendationkey","value":"AWS~PolicyAlert~ec2deletesecuritygroup"}],"Logdata":"{\"requestParameters\" :{\"groupName\" :\"SecurityGroup\"},\"responseElements\" :{\"_return\" :true},\"eventVersion\" :\"1.05\",\"eventTime\" :\"2017-10-25T17:17:29Z\",\"eventSource\" :\"ec2.amazonaws.com\",\"eventName\" :\"DeleteSecurityGroup\",\"awsRegion\" :\"us-east-1\",\"sourceIPAddress\" :\"54.191.225.186\",\"userAgent\" :\"aws-sdk-java/1.10.54 Linux/3.13.0-35-generic Java_HotSpot(TM)_64-Bit_Server_VM/25.60-b23/1.8.0_60\",\"userIdentity\" :{\"type\" :\"IAMUser\",\"principalId\" :\"BGHAJVECQI6KOIYZMM42A\",\"arn\" :\"arn:aws:iam::141111463221:user/funct_test_nonservice\",\"accountId\" :\"141111462111\",\"accessKeyId\" :\"BJKFJ4J6OYTZDBHN3KA\",\"userName\" :\"funct_test_nonservice\"},\"requestID\" :\"bc44cd99-fac7-4e6c-8868-382c26fc95ee\",\"eventID\" :\"664d6fa8-8bdf-4bda-af5c-55d447620a78\"}"}],"category":"Policy alert","priority":"High","status":"Open","createdon":"2017-10-25T17:33:55.000Z","realeventtime":"2017-10-25T17:17:29.000Z"}]]>
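
The sample above nests a second JSON document, as a string, in the "Logdata" field. The following added example (not FortiSIEM's own parser) shows one way to decode both layers for triage outside the SIEM; the function names, the choice of output fields and the `needs_review` rule are assumptions made for illustration.

```python
import json
import re

# "[FSM-OracleCASB-<kind>] [<n>] {json}", optionally inside the CDATA wrapper shown
# in the sample log. The page does not say what the bracketed number means.
LINE = re.compile(
    r"^(?:<!\[CDATA\[)?\[FSM-OracleCASB-(?P<kind>\w+)\]\s+\[\d+\]\s+"
    r"(?P<body>\{.*\})(?:\]\]>)?$", re.S)

def parse_casb_line(line):
    """Flatten one FSM-OracleCASB line into a dict of triage fields."""
    m = LINE.match(line.strip())
    if not m:
        raise ValueError("not an FSM-OracleCASB line")
    event = json.loads(m.group("body"))
    out = {"kind": m.group("kind"), "details": {},
           "source_ip": None, "event_name": None, "user": None}
    for key in ("title", "category", "priority", "status", "realeventtime"):
        out[key] = event.get(key)
    for block in event.get("additionalDetails") or []:
        # "Details" is a list of {"name": ..., "value": ...} pairs.
        for pair in block.get("Details") or []:
            out["details"][pair.get("name")] = pair.get("value")
        # "Logdata" is a JSON document stored as a string: decode it separately.
        try:
            raw = json.loads(block.get("Logdata") or "{}")
        except (json.JSONDecodeError, TypeError):
            raw = {}  # keep the outer event even if the embedded record is damaged
        if isinstance(raw, dict) and raw:
            out["source_ip"] = raw.get("sourceIPAddress")
            out["event_name"] = raw.get("eventName")
            out["user"] = (raw.get("userIdentity") or {}).get("userName")
    return out

def needs_review(event):
    """Hypothetical triage rule: open, high-priority policy alerts."""
    return (event["category"], event["priority"], event["status"]) == (
        "Policy alert", "High", "Open")

# Constructed sample: same layout as the sample log above, trimmed to a few fields.
_LOGDATA = json.dumps({"eventName": "DeleteSecurityGroup", "sourceIPAddress": "54.191.225.186",
                       "userIdentity": {"userName": "funct_test_nonservice"}})
SAMPLE = "<![CDATA[[FSM-OracleCASB-riskevent] [1] " + json.dumps({
    "title": 'DeleteSecurityGroup action in EC2 SecurityGroup "SecurityGroup"',
    "additionalDetails": [{"Details": [
        {"name": "Actor", "value": "funct_test_nonservice"},
        {"name": "Action", "value": "DeleteSecurityGroup"}], "Logdata": _LOGDATA}],
    "category": "Policy alert", "priority": "High", "status": "Open",
    "realeventtime": "2017-10-25T17:17:29.000Z"}) + "]]>"
```

`parse_casb_line(SAMPLE)` returns the outer alert fields together with the source IP, event name and user name taken from the embedded record; a line whose "Logdata" cannot be decoded still yields the outer fields.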
