
Oracle Cloud Infrastructure (OCI) Integration Guide

The following instructions are for configuring the Oracle Cloud Infrastructure (OCI) integration to facilitate log ingestion into Secureworks® Taegis™ XDR. XDR consumes logs from OCI via the OCI Streaming Service.

Prerequisites

Ensure the following prerequisites are met before proceeding:

  1. Optional & Recommended: Create a dedicated user account for the XDR integration
  2. Create an OCI Stream
  3. Configure OCI logs to be published to a Stream using a Service Connector

    Important

    This guide assumes these prerequisite steps are complete before you begin setup.

Supported OCI Log Types

Use the list below to see the OCI log type and the corresponding Oracle documentation about the log type.

Data Provided from Integrations

| Integration | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Oracle Cloud Infrastructure (OCI) | CloudAudit, HTTP, Netflow | NIDS, Thirdparty | |

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Create a Dedicated Domain, Compartment, and Group for Logging

Follow the principle of least privilege: the only privilege the integration user requires is stream-pull, which permits reading messages from an OCI stream.

You can create a dedicated User, Compartment, Domain, and a Group for XDR integration purposes.

Create a Dedicated User for Logging

Create a new user for logging purposes. By default, the new user has no privileges. Later, place the user into the group created above and create a policy similar to the one shown below to grant the stream-pull privilege to that group.

Create an OCI Stream

  1. Navigate to OCI Streams and create a new Stream.

    Create OCI Stream

  2. Select the Stream Pool, then copy the OCID value.

  • Example Value: ocid1.streampool.oc1.ap-acme-1.ambbbbbbbbbbbeiadnkcxdp6f2vx5glmsihhme6n7ks7iiyz2prh123456789

    Copy the Stream Pool ID

Create a Service Connector

  1. Access the OCI Console:
    • Open the navigation menu and select Analytics & AI.
    • Under Messaging, select Connector Hub.
  2. Initiate Connector Creation:
    • Press Create Connector to start the process.
  3. Define Basic Information:
    • Provide a Display Name for your connector.
    • Select the Compartment where the connector will reside.
  4. Configure Source and Target:
    • Specify the Source of the data. For example, if using a Streaming source, you will need to input the relevant streaming details in JSON format.
    • Define the Target service where the data will be sent. This could be Logging Analytics, Object Storage, or another service.
  5. Set Optional Parameters:
    • Optionally, you can assign tags to the connector for better organization and management.
  6. Create the Connector:
    • Review your settings and select Create to finalize the creation of the service connector.
  7. Confirm Data Flow:
    • After creating the connector, ensure it is actively moving data by enabling logs for the connector and checking for expected results in the target service.

    Important

    Ensure that the Service Connector has permission to write to the Stream. An example policy is shown below.

    Service Connector Policy
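The two policy statements this guide refers to (the stream-pull grant for the integration user's group and the write permission for the Service Connector), written out as an added example rather than taken from the original page. The group name streamreaders, the compartment name xdr-logging and the bracketed OCIDs are placeholders; the second statement follows the pattern OCI documents for Connector Hub targets of type Streaming.

```text
Allow group streamreaders to use stream-pull in compartment xdr-logging

Allow any-user to use stream-push in compartment xdr-logging where all {request.principal.type='serviceconnector', target.stream.id='<TARGET_STREAM_OCID>', request.principal.compartment.id='<CONNECTOR_COMPARTMENT_OCID>'}
```

Enter each statement as a single line in the OCI policy editor, and scope the first to the compartment that holds the stream rather than the whole tenancy so the integration user can read nothing else.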

Complete the OCI Integration in XDR

  1. From the Taegis Menu, select Integrations → Cloud APIs.
  2. Select Add an Integration from the top of the page.

    Add an Integration

  3. From the Optimized tab, select Oracle Cloud Infrastructure.

  4. Enter the following values:

    • Taegis Integration Name — This serves as a unique name for your integration; it can include any valid values up to 100 characters.
    • Username — User account created for this integration.
    • Auth Token — Authentication token associated with the user account.
    • Stream Pool ID — The Stream Pool ID copied in the Create an OCI Stream section.
    • Tenant Name — Your OCI tenant name. See the additional information section for guidance.
    • Topic Name — The Topic Name is the same as the Stream name.
    • Region — The OCI region values can be referenced on Oracle's Documentation site.

    Complete OCI Integration

  5. Select Done. The Cloud API Integrations page displays with the successfully added OCI integration.

Additional Information

Getting the Tenant Name

Nested Compartments

If a Streaming topic is within a nested Compartment (for example, tenancy1/compartment1/compartment2/compartment3), there is no need to include the Compartment names as a part of the Tenant Name value. In this case, use tenancy1 as the Tenant Name in XDR.

Federated Users

If federated users are in use, a default Compartment named OracleIdentityCloudService is created. In this case, append that Compartment name to the tenant name, as in the example below.

Examples

  • Tenancy: acme
  • Compartment: OracleIdentityCloudService
  • Policy statement:
    Allow group 'OracleIdentityCloudService'/streamreaders to use stream-pull on tenancy acme
  • Tenant Name: acme/OracleIdentityCloudService for the XDR integration