OCI Audit Log Integration to Wazuh
Introduction
This document outlines the steps taken to integrate Oracle Cloud Infrastructure (OCI) audit logs
into the SOC's Wazuh deployment, allowing for enhanced monitoring and security incident analysis.
Prerequisites
- Oracle Cloud Infrastructure account with necessary permissions.
- Access to the OCI console.
- Python environment for running scripts.
- Wazuh Manager for ingesting logs.
Configuration Steps
Step 1: Create a Group
A group named SOC_HAWKEYE was created to consolidate the users and permissions related to
SOC activities.
Step 2: Create an IAM User
An IAM user named soc_agent was created for interfacing with OCI services.
Step 3: Create a Policy
Policies were created in the root compartment to grant the SOC_HAWKEYE group the necessary permissions.
Policy Statements:
- Allow group SOC_HAWKEYE to inspect all-resources in compartment tenancy
- Allow group SOC_HAWKEYE to read instances in tenancy
- Allow group SOC_HAWKEYE to read audit-events in tenancy
Step 4: Download API Key and Configuration
The API private key and configuration file for the soc_agent user were generated and downloaded for programmatic access.
Step 5: Python Script for Log Fetching
A Python script was created using the oci Python SDK (the oci module) to perform the following actions:
- Fetch audit events from OCI.
- Perform a duplicate check so that events already forwarded are not ingested a second time.
- Ingest the remaining events into Wazuh.
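As an added example (not the script from this runbook), the following Python shows the three actions above for a 15-minute cron run: fetching audit events with the oci SDK, de-duplicating against a small state file, and appending one JSON line per event to a file that Wazuh picks up. The /var/ossec paths, the state-file layout, the "oci-audit" tag and the Wazuh localfile (json log format) ingestion route are assumptions; the sample events are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

STATE_FILE = "/var/ossec/state/oci_audit_seen.json"  # assumed path: IDs already forwarded to Wazuh
OUTPUT_FILE = "/var/ossec/logs/oci_audit.json"       # assumed path: read by a Wazuh <localfile> (json format)
OVERLAP = timedelta(minutes=20)  # query a bit more than the 15-minute cron interval, then dedupe
# Constructed sample events in the shape oci.util.to_dict() gives for oci.audit.models.AuditEvent
SAMPLE_EVENTS = [
    {"event_id": "evt-b", "event_time": "2024-06-01T10:05:00+00:00", "event_type": "com.oraclecloud.identitycontrolplane.createuser"},
    {"event_id": "evt-a", "event_time": "2024-06-01T10:00:00+00:00", "event_type": "com.oraclecloud.computeapi.launchinstance"},
]

_ts = lambda v: v.isoformat() if hasattr(v, "isoformat") else str(v)  # event_time (datetime or str) -> ISO text
def load_seen(path=STATE_FILE):
    """Return {event_id: event_time} for events already sent to Wazuh; empty on the first run."""
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, ValueError):
        return {}
def dedupe_events(events, seen):
    """Drop events whose event_id is in `seen`; record the rest in `seen` and return them oldest first."""
    fresh = []
    for ev in sorted(events, key=lambda e: _ts(e["event_time"])):
        if ev["event_id"] not in seen:
            seen[ev["event_id"]] = _ts(ev["event_time"])
            fresh.append(ev)
    return fresh
def prune_seen(seen, cutoff):  # forget IDs older than cutoff: events outside the query overlap cannot recur
    return {k: v for k, v in seen.items() if v >= _ts(cutoff)}
def to_wazuh_line(event):  # one JSON object per line, tagged so Wazuh rules can match integration == "oci-audit"
    return json.dumps({"integration": "oci-audit", "oci": event}, separators=(",", ":"), default=str)
def fetch_events(config_file, compartment_id, start, end):
    """Pull audit events for [start, end) with the oci SDK; the only network call in the script."""
    import oci  # imported here so the dedupe/format logic runs (and is testable) without the SDK
    client = oci.audit.AuditClient(oci.config.from_file(config_file))
    resp = oci.pagination.list_call_get_all_results(
        client.list_events, compartment_id=compartment_id, start_time=start, end_time=end)
    return [oci.util.to_dict(ev) for ev in resp.data]  # keys use the SDK's snake_case attribute names
def run(config_file, compartment_id):
    """Cron entry point: fetch, dedupe against the state file, append to the Wazuh-monitored file."""
    end, seen = datetime.now(timezone.utc), load_seen()
    fresh = dedupe_events(fetch_events(config_file, compartment_id, end - OVERLAP, end), seen)
    with open(OUTPUT_FILE, "a") as out:
        out.writelines(to_wazuh_line(ev) + "\n" for ev in fresh)
    with open(STATE_FILE, "w") as fh:
        json.dump(prune_seen(seen, end - 2 * OVERLAP), fh)
    return len(fresh)
```

Querying a window slightly wider than the cron interval and de-duplicating on event_id avoids gaps when a run is late, while pruning the state file keeps it from growing without bound.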
Step 6: Cronjob Setup
A cronjob was set up to run the Python script every 15 minutes.
Step 7: Verification
Steps were taken to verify the integration, including:
- Confirming the successful execution of the Python script.
- Checking the Wazuh Manager for the presence of OCI audit logs.