Listing Sightings and Getting Their Details

View resource profiles and their key attributes in Cloud Guard to quickly identify the highest priority events.

Prerequisite: Enable the OCI Threat Detector recipe in at least one Cloud Guard target that's defined in your environment and contains the root compartment.

Note

After the preceding prerequisite is met, Cloud Guard begins a learning period. This learning period varies in length from a few hours to a few days, depending on the sighting type. Cloud Guard doesn't start monitoring to detect threats until the learning period ends. If no suspicious activity is occurring, you still see no threat information on the Threat monitoring page.
    1. Open the navigation menu and click Identity & Security. Under Cloud Guard, click Threat monitoring.
    2. To change the scope for which threats are included, use the following options under Scope:
      • Compartment: Select a compartment. To include all the compartments under it in the scope, select Include child compartments.
      • Tag filters: Click add, and then fill in the Tag filters dialog box. If you add more than one tag, all must be matched.
    3. To filter the list on dates and risk score values, make selections in the lists under the chart at the top of the page.
    4. To filter the list on other parameters, click Add filter, select a Filter type, and then select one or more values.
    5. In the 30-day risk score trend chart at the top of the page, view risk score changes over time.
      • By default, the chart graphs overall risk scores for the resource profiles with the top 10 risk scores over the past 30 days.
      • Change the data displayed by making a different selection from the Top 10 list in the top-right corner of the chart. These options are typically shown for a shorter time period.
    6. To highlight the graph information for a particular resource profile, hover over the name in the list under the Top 10 selection box.
    7. To view specific risk score information for a point in the graph, hover over the point.
      The resource profile for the risk score information is also highlighted in the list below the Top 10 selection box.
    8. To view summary information for the resource profiles that are listed, scroll down to the table where the first column header is Resource profile:
      The table displays the following resource profile information:
      • Resource profile: The name of the affected resource profile. A resource profile consolidates sightings associated with a specific resource.
      • Risk score: The risk score for the resource profile. The risk score reflects the seriousness of the threat.
      • Sightings: The number of sightings posted against the resource ID in the resource profile. A sighting is an instance of a particular MITRE ATT&CK® framework technique within a MITRE ATT&CK® tactic.
      • Tactics: The number of MITRE ATT&CK® tactics involved in the sightings. A higher number here may indicate that an intruder is making progress in penetrating your security measures.
      • Resource type: The type of resource in the affected resource profile.
      • First detected: The date and time Cloud Guard first detected the sighting.
      • Last detected: The date and time Cloud Guard last detected the sighting.
      • First occurred: The date and time the incident first occurred.
      • Last occurred: The date and time the incident last occurred.
    9. To view detailed information for a particular resource profile, click its link in the Resource profile column.
      The Threat monitoring details page displays the following information:
      • The General Information tab summarizes the threat.
      • The 30-day risk score trend chart shows risk score changes over time for this particular resource profile.
      • The Sightings section lists the sightings that factor into the risk score.
      • Under Resources, select another resource to display different information:
        • Impacted resources shows information about the resources involved.
        • Endpoints shows the IP addresses involved.
      Tip

      If the Risk score for a Resource profile on the Threat monitoring page is 80 or greater, a problem has been triggered. To process the problem:
      1. Click the link in the Risk profile column.
      2. In the General Information tab at the top of the details page, click the problem name link, next to Problems.

        For guidance on processing problems, see Processing and Resolving Problems on the Problems Page.

  • For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

    Sightings

    Use the oci cloud-guard sighting get command and required parameters to get a specific sighting:

    oci cloud-guard sighting get --sighting-id <sighting_ocid> [OPTIONS]

    Use the oci cloud-guard sighting-summary list-sightings command and required parameters to list all sightings for a compartment:

    oci cloud-guard sighting-summary list-sightings --compartment-id, -c <compartment_ocid> [OPTIONS]

    Sighting Endpoints

    Use the oci cloud-guard sighting-endpoint-summary list-sighting-endpoints command and required parameters to list endpoints for a specific sighting:

    oci cloud-guard sighting-endpoint-summary list-sighting-endpoints --sighting-id <sighting_ocid> [OPTIONS]

    Impacted Resources

    Use the oci cloud-guard sighting-impacted-resource-summary list-sighting-impacted-resources command and required parameters to list all impacted resources for a specific sighting:

    oci cloud-guard sighting-impacted-resource-summary list-sighting-impacted-resources --sighting-id <sighting_ocid> [OPTIONS]
  • Sightings

    Run the GetSighting operation to get a specific sighting.

    Run the ListSightings operation to list all sightings for a compartment.

    Sighting Endpoints

    Run the ListSightingEndpoints operation to list endpoints for a specific sighting.

    Impacted Resources

    Run the ListSightingImpactedResources operation to list all impacted resources for a specific sighting.
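The Console table above consolidates sightings per resource (Sightings count, number of distinct Tactics, first/last detected and occurred times), while the CLI only returns the raw sighting list. The script below is an added example, not Oracle's code, that rebuilds that per-resource view from the JSON printed by `oci cloud-guard sighting-summary list-sightings --output json`, so the same triage ("more tactics means an intruder may be progressing") can be done from a terminal or a scheduled job. It assumes the CLI's usual `{"data": {"items": [...]}}` wrapper with kebab-case keys (`resource-id`, `tactic-name`, `time-first-detected`, and so on); the sample output, OCIDs and timestamps are constructed, and the `run_cli` helper and the `tactic_alert_threshold` parameter are this example's own, not part of the CLI.

```python
"""Consolidate OCI Cloud Guard sightings into per-resource summaries.

Added example, not Oracle's code. Assumes the OCI CLI JSON shape:
{"data": {"items": [ {kebab-case sighting fields...}, ... ]}}.
"""
import json
import subprocess
from datetime import datetime

# Constructed sample of CLI output; every OCID and timestamp is a placeholder.
SAMPLE_CLI_OUTPUT = json.dumps({"data": {"items": [
    {"id": "ocid1.cloudguardsighting.oc1..example1",
     "resource-id": "ocid1.user.oc1..exampleuser", "resource-type": "User",
     "tactic-name": "Initial Access", "technique-name": "Valid Accounts",
     "severity": "HIGH",
     "time-first-detected": "2024-05-01T10:00:00Z",
     "time-last-detected": "2024-05-01T12:00:00Z",
     "time-first-occurred": "2024-05-01T09:55:00Z",
     "time-last-occurred": "2024-05-01T11:58:00Z"},
    {"id": "ocid1.cloudguardsighting.oc1..example2",
     "resource-id": "ocid1.user.oc1..exampleuser", "resource-type": "User",
     "tactic-name": "Persistence", "technique-name": "Create Account",
     "severity": "CRITICAL",
     "time-first-detected": "2024-05-02T08:00:00Z",
     "time-last-detected": "2024-05-02T08:30:00Z",
     "time-first-occurred": "2024-05-02T07:50:00Z",
     "time-last-occurred": "2024-05-02T08:20:00Z"},
    {"id": "ocid1.cloudguardsighting.oc1..example3",
     "resource-id": "ocid1.instance.oc1..exampleinstance",
     "resource-type": "Instance",
     "tactic-name": "Discovery", "technique-name": "Network Service Scanning",
     "severity": "MEDIUM",
     "time-first-detected": "2024-05-03T01:00:00Z",
     "time-last-detected": "2024-05-03T01:10:00Z",
     "time-first-occurred": "2024-05-03T00:58:00Z",
     "time-last-occurred": "2024-05-03T01:05:00Z"},
]}})


def run_cli(compartment_id: str) -> str:
    """Hypothetical helper: invoke the real CLI (not used by the offline demo)."""
    cmd = ["oci", "cloud-guard", "sighting-summary", "list-sightings",
           "--compartment-id", compartment_id, "--all", "--output", "json"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_sightings(cli_json: str) -> list:
    """Unwrap the CLI envelope and return the list of sighting records."""
    return json.loads(cli_json).get("data", {}).get("items", [])


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def consolidate(items: list, tactic_alert_threshold: int = 2) -> dict:
    """Group sightings by resource-id, mirroring the Console's resource profile
    table: sighting count, distinct tactics, and min/max detect/occur times."""
    profiles = {}
    for s in items:
        p = profiles.setdefault(s["resource-id"], {
            "resource_type": s.get("resource-type"), "sightings": 0,
            "tactics": set(), "techniques": set(),
            "first_detected": s["time-first-detected"],
            "last_detected": s["time-last-detected"],
            "first_occurred": s["time-first-occurred"],
            "last_occurred": s["time-last-occurred"]})
        p["sightings"] += 1
        p["tactics"].add(s["tactic-name"])
        p["techniques"].add(s["technique-name"])
        # Keep the earliest "first" and latest "last" across all sightings.
        p["first_detected"] = min(p["first_detected"], s["time-first-detected"], key=_ts)
        p["last_detected"] = max(p["last_detected"], s["time-last-detected"], key=_ts)
        p["first_occurred"] = min(p["first_occurred"], s["time-first-occurred"], key=_ts)
        p["last_occurred"] = max(p["last_occurred"], s["time-last-occurred"], key=_ts)
    for p in profiles.values():
        p["tactics"] = sorted(p["tactics"])
        p["techniques"] = sorted(p["techniques"])
        # Constructed rule: several tactics on one resource suggests progression.
        p["investigate"] = len(p["tactics"]) >= tactic_alert_threshold
    return profiles


def triage_order(profiles: dict) -> list:
    """Resource IDs ordered by distinct tactics, then sighting count, descending."""
    return sorted(profiles, key=lambda r: (len(profiles[r]["tactics"]),
                                           profiles[r]["sightings"]), reverse=True)


if __name__ == "__main__":
    # Replace SAMPLE_CLI_OUTPUT with run_cli("<compartment_ocid>") for live data.
    profiles = consolidate(parse_sightings(SAMPLE_CLI_OUTPUT))
    for rid in triage_order(profiles):
        p = profiles[rid]
        print(f"{rid}: {p['sightings']} sightings, tactics={p['tactics']}, "
              f"first={p['first_detected']} last={p['last_detected']} "
              f"investigate={p['investigate']}")
```

Timestamps are compared after parsing rather than as strings, so the min/max stays correct if the CLI emits offsets such as `+00:00` instead of `Z`. The resulting `investigate` flag is a local heuristic built from the Tactics count described above; it is not the Console's Risk score, which Cloud Guard computes itself.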