12 Using Oracle Database Firewall with ArcSight SIEM
This appendix contains:
-
About the Integration of Oracle Database Firewall with ArcSight SIEM
-
Enabling the Oracle Database Firewall-ArcSight SIEM Integration
-
Oracle Database Firewall-ArcSight SIEM Syslog Mapping Tables
About the Integration of Oracle Database Firewall with ArcSight SIEM
The ArcSight Security Information Event Management (SIEM) system is a centralized system for logging, analyzing, and managing syslog messages from different sources. ArcSight SIEM enables Oracle Database Firewall to provide full details of any security alerts or other selected event types, including the message text, priority and IP address of any attacker. If you are using a Management Server, then it sends the ArcSight SIEM messages, otherwise the events are sent from the standalone Database Firewall.
If you are also using the BIG-IP ASM interface, and an attack originates from the internet, Database Firewall provides the actual IP address of the attacking Web client. This feature enables you to pinpoint the source of the internet-based attack.
You do not need to install additional software if you want to integrate ArcSight SIEM with Database Firewall. You can configure the integration by using the Database Firewall Administration Console, which is described in the next section.
The syslog messages sent to the ArcSight SIEM Server are independent of any other syslog messages that may sent from Database Firewall. This means you can send standard syslog messages to a different destination.
Enabling the Oracle Database Firewall-ArcSight SIEM Integration
When you enable the Oracle Database Firewall and ArcSight SIEM integration, the settings take effect immediately. You do not need to restart Database Firewall.
To enable ArcSight SIEM for Oracle Database Firewall:
-
Log in to the Administration Console for the standalone Database Firewall or the Management Server.
See "Logging in to the Administration Console" for more information.
-
Select the System tab.
-
In the Connectors menu, select ArcSight SIEM.
The ArcSight SIEM page appears.
Description of the illustration arcsight_config.gif
-
Specify the following options:
-
Enable ArcSight event forwarding: Select this check box to enable the ArcSight interface.
-
ArcSight destinations: Depending on the communications protocol you are using, enter the IP address or host name of the ArcSight server in the UDP or TCP field. This setting enables the syslog log output to be sent to this ArcSight server in Common Event Format (CEF).
-
Event categories: Select any combination of syslog categories depending on which type of messages that are needed in the ArcSight server. For detailed information about the message types, see "Oracle Database Firewall-ArcSight SIEM Syslog Mapping Tables".
-
Limit message length: To avoid sending large amounts of SQL text across the network, you can choose to limit the message to a specified number of bytes.
-
Maximum message length (bytes): Enter the maximum length that you want. The range allowed is 1024 to 1048576 characters. The default is 256 bytes.
-
-
Click the Apply button.
Oracle Database Firewall-ArcSight SIEM Syslog Mapping Tables
About the ArcSight SIEM Integration
You can send the ArcSight SEIM syslog output, as described in Oracle Database Firewall Security Guide. The following tables describe which messages are passed to ArcSight SIEM and the fields of the Oracle Database Firewall messages map to the relevant ArcSight keys.
Table 12-1 describes the message types that Oracle Database Firewall sends to ArcSight SIEM.
Table 12-1 Message Types Sent to ArcSight SIEM
| Message Type | Event Name | Description |
|---|---|---|
|
DBFW:3 |
Heartbeat |
Heartbeat messages. One message is generated every second while Database Firewall is running. |
|
DBFW:4 |
Property change |
Property change message. Describes configuration changes that are made by users. |
|
DBFW:8 |
Database audit |
Database Object Auditing messages. These are generated by the Stored Procedure Auditing or User Role Auditing functionality of the Database Firewall. |
|
DBFW:9 |
Statement alert |
Statement alerts. An alert of this type is given to display a full SQL statement and associated details. If database response monitoring is enabled, the response information is included in the alert. |
|
DBFW:10 |
Statement alert (WAF) |
Statement Web Application Firewall (WAF) alerts. An alert of this type is given when the Database Firewall appliance is working together with a Web Application Firewall. If database response monitoring is enabled, the response information is included in the alert. |
|
DBFW:11 |
Login alert |
A user has attempted to log in to the database. If database response monitoring is enabled, the result of the login attempt (success or failure) is included in the alert. |
|
DBFW:12 |
Logout alert |
A user has explicitly logged out from the database, or their TCP session has been closed. |
|
DBFW:system |
System messages |
System messages in operating system format. These are alerts generated by the underlying operating system on which Database Firewall is installed. |
DBFW:3 (Heartbeat)
DBFW:3 heartbeat messages are generated every second while Database Firewall is running. The heartbeat message contains statement counts.
Table 12-2 describes the DBFW:3 CEF header fields.
Table 12-2 DBFW:3 (Heartbeat) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Fixed integer: |
Not applicable |
Table 12-3 describes the DBFW:3 extension fields.
Table 12-3 DBFW:3 (Heartbeat) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Monitoring point IP |
IP address of originating monitoring point |
dvc |
|
|
timestamp |
Time stamp of event. Must be converted to milliseconds. |
rt |
|
|
Rest of message |
All fields of a DBFW:3 heartbeat message |
msg |
|
DBFW:4 (Property Change)
DBFW:4 property change messages describe configuration changes made by users to the Database Firewall or Management Server.
Table 12-4 describes the DBFW:4 CEF header fields.
Table 12-4 DBFW:4 (Property Change) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Fixed integer: |
Not applicable |
Table 12-5 describes the DBFW:4 extension fields.
Table 12-5 DBFW:4 (Property Change) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Monitoring point IP |
IP address of originating monitoring point |
dvc |
|
|
timestamp |
Time stamp of event. Must be converted to milliseconds. |
rt |
|
|
category |
Category of event |
cat |
|
|
name |
Name of system property changed |
cs4 |
|
|
Not applicable |
Fixed string: |
cs4Label |
Not applicable |
|
value |
Value property is assigned |
cs2 |
1 |
|
Not applicable |
Fixed string: |
cs2Label |
Not applicable |
DBFW:8 (Database Audit)
DBFW:8 database audit messages capture audits from stored procedure auditing and user role auditing, after each run is completed. (See Chapter 5, "Configuring Stored Procedure Auditing," and Chapter 6, "Configuring and Using Role Auditing," for more information about this type of auditing.)
Table 12-6 describes the DBFW:8 CEF header fields.
Table 12-6 DBFW:8 (Database Audit) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Fixed integer: |
Not applicable |
Table 12-7 describes the DBFW:8 extension fields.
Table 12-7 DBFW:8 (Database Audit) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Monitoring point IP |
IP address of originating monitoring point |
dvc |
|
|
Target Database |
Connection string for audit database |
request |
|
|
Protected Database |
Name of database |
cs3 |
|
|
Not applicable |
Fixed string: |
cs3Label |
Not applicable |
|
Audit start time |
Starting time stamp of audit. Value is milliseconds since 1-Jan-1970. |
start |
|
|
Object collected time |
Time when all information had been collected from the database. Value is milliseconds since 1-Jan-1970. |
rt |
|
|
Audit end time |
End time stamp of audit. Value is milliseconds since 1-Jan-1970. |
end |
|
|
Database counter |
Number of databases found |
flexNumber1 |
|
|
Not applicable |
Fixed string: |
flexNumber1Label |
Not applicable |
|
New counter |
Count of new items |
flexNumber2 |
|
|
Fixed string: |
flexNumber2Label |
Not applicable |
|
|
Modified counter |
Count of modified items |
cn1 |
|
|
Not applicable |
Fixed string: |
cn1Label |
Not applicable |
|
Deleted counter |
Count of deleted items |
cn2 |
|
|
Not applicable |
Fixed string: |
cn2Label |
Not applicable |
|
Unchanged counter |
Count of unchanged items |
cn3 |
|
|
Not applicable |
Fixed string: Unchanged |
cn3Label |
Not applicable |
DBFW:9 (Statement Alert)
DBFW:9 statement message alerts include the full audited SQL statement and associated details. Statement alerts are individual to each user, depending on how the user has configured the baseline. If database response monitoring is enabled, then the response information is included in the alert. To enable database response monitoring, see Chapter 10, "Configuring and Using Database Response Monitoring."
Table 12-8 describes the DBFW:9 CEF header fields.
Table 12-8 DBFW:6 (Statement Alert) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Value between 0 and 10 |
|
Table 12-9 describes the DBFW:9 extension fields.
Table 12-9 DBFW:6 (Statement Alert (WAF)) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Monitoring point IP |
IP address of originating monitoring point |
dvc |
|
|
action |
Action taken. Should be translated into the words in the syslog spec doc. |
act |
|
|
timestamp |
Time stamp of event. Must be converted to milliseconds. |
rt |
|
|
db_client |
Database client IP address |
src |
|
|
db_server |
Database server IP address |
dst |
|
|
user_name |
Database username. If blank it should say |
duser |
Not recorded |
|
statement |
SQL statement |
msg |
select dvdcatalog.*, fullpromoname, imageurl, imagealt, landingpageid from dvdcatalog, dual left join promo on promo.catalog_no = catalog_no and sysdate between startdate and enddate where ((select count(*) from star inner join starlink on star.starid = starlink.starid where starlink.catalog_no = catalog_no and (starname like '#########' and starname like '########' )) > 0) and status = 0 and not art_type = 0 and not art_class = '###' and rownum < 000 order by ordered desc, title |
DBFW:10 (Statement Alert (WAF))
DBFW:10 statement Web Application Firewall (WAF) message alerts are generated when Database Firewall is working with a Web Application Firewall. If database response monitoring is enabled, then the alert includes the response information. To enable database response monitoring, see Chapter 10, "Configuring and Using Database Response Monitoring."
Table 12-10 describes the DBFW:10 CEF header fields.
Table 12-10 DBFW:7 (Statement Alert (WAF)) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Value between 0 and 10 |
|
Table 12-11 describes the DBFW:10 extension fields.
Table 12-11 DBFW:7 (Statement Alert (WAF)) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Monitoring point IP |
IP address of originating monitoring point |
dvc |
|
|
action |
Action taken. Should be translated into the words in the syslog spec doc. |
act |
|
|
db_client |
Database client IP address |
src |
|
|
db_server |
Database server IP address |
dst |
|
|
user_name |
Database username. If blank it should say |
duser |
|
|
web user name |
Username used by Web application |
suser |
|
|
HTTP request |
Full HTTP request |
request |
|
|
Http Method |
HTTP method |
requestMethod |
|
|
Http Protocol |
Protocol |
app |
|
|
Policy Name |
Policy Name |
cs1 |
|
|
Not applicable |
Fixed string: |
cs1Label |
Not applicable |
|
Session Cookies |
Session cookies |
requestCookies |
|
|
Http Referer |
Referring URL |
requestContext |
|
|
Http User Agent |
Browser type |
requestClientApplication |
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) |
|
Cardinal IP Address |
IP address of originating Web client |
sourceTranslatedAddress |
|
|
statement |
SQL statement |
msg |
SELECT * FROM \"A_updates\" WHERE id = '10' |
DBFW:11 (Login Alert)
DBFW:11 login message alerts reveal when a user has attempted to log in to the database. If database response monitoring is enabled, then the result of the login attempt (success or failure) is included in the event. To enable database response monitoring, see Chapter 10, "Configuring and Using Database Response Monitoring."
Table 12-12 describes the DBFW:11 CEF header fields.
Table 12-12 DBFW:11 (Login Alert) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Value between 0 and 10 |
|
Table 12-13 describes the DBFW:11 extension fields.
Table 12-13 DBFW:11 (Login Alert) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Enforcement point IP |
IP address of originating enforcement point |
dvc |
|
|
action |
Action |
act |
|
|
timestamp |
Time stamp of event. Must be converted to millisecs. |
rt |
|
|
db_client |
Database client IP |
src |
|
|
db_server |
Database server IP |
dst |
|
|
user_name |
Database username. If blank it should say |
duser |
|
|
db_resp |
String representing Database Firewall's interpretation of the database response |
cs2 |
|
|
Not applicable |
Fixed string: |
cs2Label |
Not applicable |
|
db_resp_code |
Signed Integer code returned from the database |
cn1 |
4002 |
|
Not applicable |
Fixed string: |
cn1Label |
Not applicable |
|
db_resp_text |
Response text returned from the database |
cs5 |
|
|
Not applicable |
Fixed string: |
cs5Label |
Not applicable |
|
db_resp_detail |
Detailed response text returned from the database |
cs6 |
|
|
Not applicable |
Fixed string: |
cs6Label |
Not applicable |
DBFW:12 (Logout Alert)
DBFW:12 logout message alerts reveal when a user has explicitly logged out of the database, or if the user's TCP session has closed.
Table 12-14 shows the DBFW:12 CEF header fields.
Table 12-14 DBFW:12 (Logout Alert) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Fixed integer: |
Not applicable |
Table 12-15 shows the DBFW:12 extension fields.
Table 12-15 DBFW:12 (Logout Alert) Extension Fields
| Database Firewall Field | Description | ArcSight Key Name | Example |
|---|---|---|---|
|
Enforcement point IP |
IP address of originating enforcement point |
dvc |
|
|
timestamp |
Time stamp of event. Must be converted to millisecs. |
rt |
|
|
db_client |
Database client IP |
src |
|
|
db_server |
Database server IP |
dst |
|
|
user_name |
Database username. If username is not determined, then the string will be |
duser |
|
DBFW:system (System Message (Operating System Alerts))
DBFW:system message alerts, which are in operating system file format, are generated by the underlying operating system on which Database Firewall is installed. An example of this type of alert is a hardware failure notification.
Table 12-16 describes the DBFW:system CEF header fields.
Table 12-16 DBFW:system (System Message) CEF Header Fields
| Header Name | Content | Example |
|---|---|---|
|
Version |
Fixed integer: |
Not applicable |
|
Device Vendor |
Fixed string: |
Not applicable |
|
Device Product |
Fixed string: |
Not applicable |
|
Device Version |
Database Firewall version |
|
|
SignatureID |
Fixed string: |
Not applicable |
|
Name |
Fixed string: |
Not applicable |
|
Severity |
Fixed integer: |
Not applicable |
Table 12-17 describes the DBFW:system extension fields.
Table 12-17 DBFW:system (System Message) Extension Fields