Capture Oracle Cloud Guard Events into Oracle Analytics Cloud

Introduction

This tutorial walks through forwarding Oracle Cloud Guard events to Oracle Autonomous JSON Database (AJD) and capturing them in Oracle Analytics Cloud. There will be a subsequent tutorial that will analyze and display cloud guard events in Oracle Analytics Cloud.

High Level Architecture

High Level Architecture.

Objectives

Prerequisites

Task 1: Configure Oracle Cloud Guard to Trigger Cloud Events

Configure Oracle Cloud Guard to respond to the detector recipes. The responder rules should make sure that the Status for Oracle Cloud Guard event is set to Enabled as shown in the following image.

Responder Rules.

Task 2: Create OCI Events Service Rules to Detect Oracle Cloud Guard Problems and Invoke OCI Functions

  1. OCI Events Service enables you to create automation based on the state changes of resources throughout the tenancy, so that development teams can respond automatically when a resource changes its state.

    To get the events, navigate to Observability & Management and click Events Service. Create a new rule and configure the event type that will be written to the function as shown in the following image.

    Rules Definition.

  2. Click the ellipsis icon (three vertical dots) to edit the Oracle Cloud Guard events and to send it to a function as shown in the following image.

    Parameter Definition.

    Add an action to forward Oracle Cloud Guard events to a function as shown in the following image.

    Event Action.

    Configure the event types as shown in the following image.

    Event Types.

Task 3: Create a Function to Forward Events to AJD

  1. Go to the OCI Console, navigate to Developer Services and click Functions.

  2. Select an existing application or click Create Application. Create a new OCI Functions within your application. For more information, see Functions QuickStart on Cloud Shell.

    Note: Assuming you have successfully completed the prerequisites.

  3. Run the following command to see your application in the list of applications.

    fn ls apps
    
  4. It is recommended to create a boilerplate Python function first. Run the command fn init --runtime python oci-event-to-db; it generates a folder named oci-event-to-db containing three files: func.py, func.yaml and requirements.txt.

  5. An AJD table must exist and be REST enabled, as shown in the following image.

    Rest Enabled.

  6. Update the func.py file content with the following code.

    import io
    import json
    import requests

    from fdk import response

    # ORDS AutoREST endpoint of the REST-enabled event table (replace with your own AJD URL)
    eventTable = "https://mrj6p3vkk4ramuu-cgdata.adb.us-ashburn-1.oraclecloudapps.com/ords/cguser/event/"


    def handler(ctx, data: io.BytesIO = None):
        try:
            bodytxt = data.getvalue()
            body = json.loads(bodytxt)

            # print("event type: " + body["eventType"])
            # print("compartment name: " + body["data"]["compartmentName"])

            # Store the whole event envelope in the JSON column named "event"
            headers = {'Content-type': 'application/json', 'accept': 'application/json'}
            req = requests.post(eventTable, json={"event": body}, headers=headers)
            req.raise_for_status()  # fail loudly on an ORDS error instead of parsing its error page

        except Exception as ex:
            print('ERROR:', ex, flush=True)
            raise

        # Return the id that ORDS assigned to the inserted row
        return response.Response(
            ctx,
            response_data=[json.loads(req.text)["id"]],
            # response_data=json.loads(req.text),
            headers={"Content-Type": "application/json"}
        )
    
  7. Update the func.yaml file content with the following code.

    schema_version: 20180708
    name: oci-event-to-db
    version: 0.0.44
    runtime: python
    build_image: fnproject/python:3.11-dev
    run_image: fnproject/python:3.11
    entrypoint: /python/bin/fdk /function/func.py handler
    memory: 256
    
  8. Update the requirements.txt file content with the following code.

    requests
    oci
    fdk
    
  9. Run the following command to deploy your function.

    fn -v deploy --app oci-event-to-db
    
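The function above stores whatever payload reaches it. The following is an added example, not the tutorial's func.py, that separates the forwarding logic into testable pieces: it accepts only Cloud Guard event types with a data section (so a mis-scoped Events rule cannot fill the table with unrelated payloads), checks the ORDS HTTP status before reading the row, and takes the HTTP client as a parameter so it can run offline against a fake. The sample event, its eventType value, the placeholder ORDS host and the assumption that ORDS returns an "id" column are all constructed for illustration.

```python
import json
from typing import Any, Callable, Dict

# Constructed sample of the envelope the OCI Events rule delivers to the function.
# The eventType value and the additionalDetails keys are assumptions for illustration.
SAMPLE_EVENT: Dict[str, Any] = {
    "eventType": "com.oraclecloud.cloudguard.problemdetected",
    "cloudEventsVersion": "0.1",
    "source": "CloudGuard",
    "eventTime": "2024-01-15T10:21:00Z",
    "data": {
        "compartmentId": "ocid1.compartment.oc1..placeholder",
        "compartmentName": "security-compartment",
        "resourceName": "public-bucket-check",
        "additionalDetails": {
            "problemName": "BUCKET_IS_PUBLIC",
            "riskLevel": "CRITICAL",
        },
    },
}

# Placeholder ORDS endpoint; substitute the AutoREST URL of your own AJD table.
EVENT_TABLE = "https://<your-adb-host>/ords/cguser/event/"
CLOUD_GUARD_PREFIX = "com.oraclecloud.cloudguard."


def sample_event_bytes() -> bytes:
    """The sample event serialised the way the function receives it (raw bytes)."""
    return json.dumps(SAMPLE_EVENT).encode()


def is_cloud_guard_event(body: Any) -> bool:
    """True only for a JSON object whose eventType is a Cloud Guard type and that carries a data section."""
    return (
        isinstance(body, dict)
        and str(body.get("eventType", "")).startswith(CLOUD_GUARD_PREFIX)
        and isinstance(body.get("data"), dict)
    )


def forward_event(raw: bytes, post: Callable[..., Any]) -> str:
    """Parse, validate and POST one event to ORDS; return the id of the inserted row.

    `post` has the calling convention of requests.post, so the real client is passed
    in production and a fake one when testing offline."""
    body = json.loads(raw)
    if not is_cloud_guard_event(body):
        kind = body.get("eventType") if isinstance(body, dict) else type(body).__name__
        raise ValueError(f"refusing to store non-Cloud-Guard payload: {kind!r}")
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    resp = post(EVENT_TABLE, json={"event": body}, headers=headers, timeout=10)
    resp.raise_for_status()  # an ORDS 4xx/5xx must not be parsed as if it were a row
    row = resp.json()
    if "id" not in row:
        raise ValueError("ORDS response carries no 'id' column")
    return str(row["id"])


class _FakeResponse:
    """Minimal stand-in for requests.Response, used only by the offline demo."""

    def __init__(self, status: int, payload: Dict[str, Any]):
        self.status_code = status
        self._payload = payload

    def raise_for_status(self) -> None:
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")

    def json(self) -> Dict[str, Any]:
        return self._payload


def fake_post(url: str, **kwargs: Any) -> _FakeResponse:
    """Pretend to be ORDS AutoREST: echo the inserted row back with a generated id."""
    return _FakeResponse(201, {"id": 1, **kwargs["json"]})


if __name__ == "__main__":
    print(forward_event(sample_event_bytes(), fake_post))  # prints 1
```

To use this inside the OCI function, call forward_event(data.getvalue(), requests.post) from the handler; the validation and status check then run against the real ORDS endpoint, and any rejected payload surfaces in the function logs through the raised ValueError.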

Task 4: Flatten the Database using ORDS

  1. Once the Oracle Cloud Guard events are stored in AJD, check the database for Oracle Cloud Guard activities by checking the Events table. Run the following SQL statement.

    SELECT * FROM EVENTS
    
  2. Since the Oracle Cloud Guard events are stored in JavaScript Object Notation (JSON) format, they have to be flattened, that is, converted into relational format, before Oracle Analytics Cloud can analyze the data.

    To flatten the database, follow the steps:

    1. Create a JSON search index with a data guide on the Events table. The data guide records every JSON path and data type found in the column, and the view in the next step is built from it. Run the following SQL statement.

      CREATE SEARCH INDEX event_idx ON event (event) FOR JSON PARAMETERS ('DATAGUIDE ON');
      
    2. Create a relational view over the event column from the data guide.

      EXEC dbms_json.create_view_on_path('flat_event', 'event', 'event', '$');
      
  3. Run the following SQL statement to check the columns created in the above steps.

    SELECT column_name, data_type FROM all_tab_columns WHERE table_name = 'FLAT_EVENT' ORDER BY column_id;
    

    You should see the columns along with the data type as shown in the following image.

    Relational Format.
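To make clear what the data guide and the view do to a stored event, the following added example (not part of the tutorial, and not Oracle's implementation) flattens a constructed event document in Python: each scalar leaf becomes a column named by its JSON path, and the column list is derived from the union of paths across rows, the same information the ALL_TAB_COLUMNS query above reports for FLAT_EVENT. Two simplifications are assumptions: arrays are indexed ($.x[0]) instead of being unnested into one row per element, and the VARCHAR2 width is the longest value seen rather than the length the data guide tracks.

```python
from typing import Any, Dict, List, Tuple

# Constructed contents of one row's "event" column (a trimmed Cloud Guard envelope).
SAMPLE_ROW: Dict[str, Any] = {
    "event": {
        "eventType": "com.oraclecloud.cloudguard.problemdetected",
        "eventTime": "2024-01-15T10:21:00Z",
        "data": {
            "compartmentName": "security-compartment",
            "additionalDetails": {"problemName": "BUCKET_IS_PUBLIC", "riskLevel": "CRITICAL"},
            "tags": ["prod", "pci"],
        },
    }
}


def flatten(value: Any, path: str = "$") -> Dict[str, Any]:
    """Map every scalar leaf to its JSON path (e.g. $.event.data.compartmentName).

    Arrays are indexed here; the Oracle view instead yields one row per array element."""
    if isinstance(value, dict):
        out: Dict[str, Any] = {}
        for key, child in value.items():
            out.update(flatten(child, f"{path}.{key}"))
        return out
    if isinstance(value, list):
        out = {}
        for i, child in enumerate(value):
            out.update(flatten(child, f"{path}[{i}]"))
        return out
    return {path: value}


def describe_columns(rows: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Union of paths across rows with an approximate Oracle data type per path."""
    seen: Dict[str, List[Any]] = {}
    for row in rows:
        for path, value in flatten(row).items():
            seen.setdefault(path, []).append(value)
    columns: List[Tuple[str, str]] = []
    for path in sorted(seen):
        values = seen[path]
        # A path that only ever holds numbers surfaces as NUMBER; everything else as VARCHAR2
        if all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in values):
            columns.append((path, "NUMBER"))
        else:
            width = max(len(str(v)) for v in values)
            columns.append((path, f"VARCHAR2({width})"))
    return columns


if __name__ == "__main__":
    # Print the path/type listing the way the ALL_TAB_COLUMNS query presents it
    for name, data_type in describe_columns([SAMPLE_ROW]):
        print(f"{name:50} {data_type}")
```

Running the block prints one line per JSON path, which is a quick way to predict which columns the view will expose and to spot a field that is missing because the event type never carries it.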

Task 5: Connect to Oracle Analytics Cloud

  1. After the event data has been converted from JSON to relational format, connect to Oracle Analytics Cloud. Go to the OCI console, navigate to the AJD instance, click Database connection, provide the credentials and download the wallet as shown in the following image.

    AJD Connection.

  2. Log in to Oracle Analytics Cloud, click Create a new connection, select Oracle Autonomous Data Warehouse as the connection type, and select the wallet downloaded in step 1.

    Oracle Analytics Cloud Connection Types.

  3. Once the connection is established, OAC displays it under Connections as shown in the following image.

    Oracle Analytics Cloud Connection list.

  4. Double-click the connection to create a new dataset in OAC, expand the schema and drag the table onto the canvas.

    Oracle Analytics Cloud dataset.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.