1. Using Oracle CASB Cloud Service
  2. Enhancing Security
  3. Creating Policies and Managing Policy Alerts
  4. Creating Policy Alerts for Oracle Identity Cloud Service (IDCS)

Creating Policy Alerts for Oracle Identity Cloud Service (IDCS)

Create custom policies to generate alerts for actions on resources that are specific to your IDCS environment.

Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.

You can configure policies for any changes in roles or objects.

Creating an IDCS Policy

Follow these general steps for any policy you create to generate an alert for actions in IDCS.

The following are general steps for creating an IDCS policy. Once created, when the policy conditions are met, Oracle CASB Cloud Service displays an alert in Risk Events and optionally can send the alert through email.

  1. Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon Image of the Navigation Menu icon. to display it.
  2. On the Custom tab, click New Policy.
  3. In the Name page:

    1. Enter a name for the policy.

    2. (Optional) Enter a description.

    3. Select a Priority.

    4. If you want policy violations to be included in user risk score computations, select Include in user risk score.

    5. Click Next.

  4. On the Resource page, make these selections.
    Field Value(s)

    Application type

    Select IDCS.

    Application instance

    The application instance(s). Select Any if you want the alert to apply to every registered instance of the selected application type. Otherwise, select one or more individual instances.
  5. Specify resource details and actions.

    1. Specify Resource details, using the information in the table below:

      Field Value(s)

      Resource

      The type of object you want to monitor. Currently, the only object you can monitor is Identity.

      Resource name 
      You must provide a name for the selected resource type. If you select:
      • Text, select an operator from the drop-down list (Equal to, Contains), Begins with or Ends with and enter type a full or partial rule name.
      • Regular expression, enter .* to match all email retention rules.

    2. Specify an Action on the resource using the table below:

      Action on this resource Description

      Failed login

      A failed login occurred.

      Login

      A successful login occurred.

    3. (Optional) Add more Resource name-Action pairs to refine your policy.

      You can specify more than one resource name-action pair for the same resource type (Resource field) selection. When you add more resource name-action pairs, the alert will be triggered when any one resource name-action pair is matched.

      • Click Add resource and action to add another resource name to the policy alert, or to add the same resource name again with a different action.

      • Click Duplicate resource and action to copy the resource name-action pair you just added as the basis for the resource name-action pair you want to add.

    4. Click Next when you have finished specifying resource name-action pairs.

      You are now on the Username page.

  6. (Optional) On the Username page, filter the alert so that it is triggered only if the named user performs the action that you set on the Resource page.
    1. In the drop-down list, select Username contains or Username does not contain.
    2. In the text box to the right, enter one or more text strings that the user name must contain, or not contain, in order to trigger the alert.

      Separate multiple entries with commas. With multiple entries, if any one entry is contained, or not contained, in the name of the user who took the action, the alert is triggered.

    3. Click Next to go on to the next page.
  7. (Optional) On the Conditions page, set conditions so that an alert is triggered only if the specified conditions are met.

    For information on condition parameters available for use in policy alerts for discovered applications, see Condition Parameters for IDCS.

    1. Click Add condition or Add Free-From Condition.
    2. Select a Parameter, an Operator, and a Value from the drop-down lists.

      In free-form conditions, you enter values for Parameter and Value.

    3. To add another condition or free-form condition, repeat the 3 steps above.

      Note:

      When you specify multiple conditions, the conditions are ANDed. The alert is triggered only if all of the conditions are met. If you need to OR multiple conditions, create a separate policy for each condition.
    4. Click Next to go on to the next page.
  8. On the Action page, set your  notifications:

    • Show an alert in the Risk Events page is always selected. When an event matches the policy, Oracle CASB Cloud Service always adds an alert to Risk Events.

    • Show these instructions in the alert. Select this option to add instructions for the person who might read an alert related to this policy.

  9. When you are done, click Next, review your settings, then click Submit.

Condition Parameters for IDCS

Review the parameters and operators that are available in the Conditions page of the policy creation wizard for IDCS.

These parameters and operators are available on the Conditions page of the New Policy wizard to fine tune your alerts for IDCS.

Note:

The exact list of parameters that you see on the Conditions page depends on the resource details that you specify on the Resource page. Not all parameters are available with all resources.

Parameter Operator Value

IP address v4

Include this list of addresses (In or Equal to) or exclude them (Not in or Not equal to).

A comma-separated list of IPv4 addresses.

Device

Include or exclude the selected device type.

Select Desktop, Mobile, API Call, or Other.

Timestamp

The drop-down list determines whether the time is exact, later than the time you entered, or earlier (given a 24-hour time frame). Oracle CASB Cloud Service evaluates the timestamp using Greenwich Mean Time (GMT).

A value as a time in 24-hour HH:MM:SS format.

CASB threat intelligence IP reputation

Equal to is the only option.

To flag events from IP addresses with bad or good reputations, select:

  • Suspicious for bad reputations.

  • Regular for good reputations.

Group

Include this list of groups (In) or exclude them (Not in).

Comma-separated list of group names.

City, State, or Country

  • Equal to requires matching the name you enter in Value.

  • Not Equal to requires not matching the name you enter in Value.

  • In requires matching any one of several names you enter in Value.

  • Not in requires matching none of several names you enter in Value.

The name of the city, or the state or province, in the physical address that’s associated with the IP address.