With the recent announcement of a new partnership between Microsoft and Oracle for Oracle database products and services, I wanted to look further into setting up log collection from Oracle Cloud to Microsoft Sentinel.
When I started digging there wasn't much information available (apart from some minor blog posts from the Oracle side), but I wanted to use something simpler built on message streaming.
Microsoft has created an integration available in the content hub; this template deploys a set of Analytics Rules, Hunting Queries, and Workbooks.
Once you've deployed the content hub solution you will see a new data connector which we can then use to set up the integration (and yes, this integration uses Azure Functions to pull log data from the message streaming service in OCI).
When you go into the connector you will get information about deploying the ARM template which sets up the Azure Function. I'll get back to that, but first, let us set up the necessary pieces in Oracle Cloud.
First, you need to have an Oracle Cloud tenant and access to a root compartment; from there we need to generate an API key. Click on the profile picture and click My Profile.
Click on API Keys and click Add API Key, from there click Generate API Key Pair and Download the Private Key, and then click Add. (We need the Private Key for authenticating from the Function later.)
You will then get a Configuration File Preview; copy all of the content here since we will need it later.
Now we need to configure the streaming of the logs. First, go into the Streaming service and create a stream pool.
(Make sure it's publicly accessible.) Next, go into Streams and create a new stream that uses the stream pool you just created. Once the creation is complete, make sure you copy the OCID and Message Endpoint of the stream.
(DO NOT CLICK PRODUCE TEST MESSAGE)
Next, go into Service Connectors and click "Create Service Connector", and here we define the source as Logging and the target as Streaming.
You can leave Logging at the defaults if you want to collect everything, and the target is the stream we just created.
Now that we have the integration in place you can go back to the stream and verify that audit logs are being sent to the message bus. This can be done by clicking Load Messages.
Now that logs are being sent, we can go back to the Sentinel configuration. The configuration file for the ARM template will look something like this (based on the content you copied earlier and also the Workspace ID of your Sentinel Workspace).
This will then deploy the Azure Function, which runs a set of Python functions that are triggered every 5 minutes to collect messages from the stream and push the data into the Log Analytics workspace.
Once the function is deployed, you can see that all of the configuration, credentials included, is stored directly in the function's application settings.
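As an added illustration (not the code of Microsoft's connector function), here are the two halves such a function needs in Python: decoding the base64-encoded `value` field that OCI Streaming's GetMessages call returns for each message, and building the SharedKey-signed request for the Log Analytics HTTP Data Collector API that lands the records in a custom `<Log-Type>_CL` table. The sample messages, workspace ID and key are constructed placeholders, and nothing is actually sent.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of what OCI Streaming's GetMessages returns: each
# message carries the log record base64-encoded in its "value" field.
SAMPLE_STREAM_MESSAGES = [
    {"offset": 0, "value": base64.b64encode(json.dumps(
        {"type": "com.oraclecloud.identitycontrolplane.createuser",
         "source": "IdentityControlPlane", "time": "2023-09-20T10:00:00Z",
         "data": {"eventName": "CreateUser"}}).encode()).decode()},
    {"offset": 1, "value": base64.b64encode(json.dumps(
        {"type": "com.oraclecloud.logging.custom", "source": "CustomApp",
         "time": "2023-09-20T10:00:05Z", "data": {"message": "hello"}}).encode()).decode()},
    {"offset": 2, "value": "not-base64-json!!"},  # malformed, must be skipped
]

def decode_stream_messages(messages):
    """Turn raw stream messages into log records, skipping unparseable ones."""
    records = []
    for msg in messages:
        try:
            records.append(json.loads(base64.b64decode(msg["value"])))
        except (KeyError, TypeError, ValueError):
            continue  # bad or non-JSON value: drop it rather than fail the batch
    return records

def build_signature(workspace_id, shared_key, rfc1123_date, content_length):
    """SharedKey Authorization header for the Log Analytics Data Collector API."""
    string_to_sign = (f"POST\n{content_length}\napplication/json\n"
                      f"x-ms-date:{rfc1123_date}\n/api/logs")
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(workspace_id, shared_key, log_type, records, now=None):
    """Return (url, headers, body) ready for an HTTP POST; nothing is sent here."""
    body = json.dumps(records)
    rfc1123_date = (now or datetime.now(timezone.utc)).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,  # Sentinel stores the records as <Log-Type>_CL
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body
```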
Yikes! I'll come back with an Azure Key Vault integration post later. But! if you entered the credentials correctly you should be able to see this when the function is run for the first time.
You can then view the logs in the custom log table called OCI_Logs_CL.