Alerts Overview

You can enable alerts on your target databases to track and be notified of particular user activities and unusual behavior.

You can choose to be alerted when a database parameter or audit policy changes, a failed login by an admin occurs, a user entitlement changes, and when a user is created or deleted.

About Alerts in Oracle Data Safe

An alert message proactively notifies you when a particular audit event happens on a target database. Alerts are based on the alert policies that you enable in Oracle Data Safe.

As a prerequisite to alert notification, you need an enabled audit policy. This policy is what generates the audit event. If the generated audit event matches the alert policy enabled for the target database, an alert is raised.

Oracle Data Safe Alert Policies

In Security Center, you can provision alert policies on your target databases. An alert policy defines a database event to monitor. Alert policies are rule-based and are triggered from the audit data collected.

For example, if the ORA_LOGON_FAILURES unified audit policy is provisioned on the target database, then when an administrator fails to log in to the target database, a Failed login audit record is generated because of this policy. The generated audit record is collected by Oracle Data Safe. When the alert policy Failed Logins by Admin User is enabled for the target, Oracle Data Safe raises an alert for that Failed login audit record.

The following table lists the Oracle predefined alert policies, their severity levels, their descriptions, and the basis for each alert.

| Predefined Alert | Severity Level | Description | Required audit policies to trigger alert |
|---|---|---|---|
| Audit policy changes | High | Modifications to audit policies such as CREATE, ALTER, DROP, AUDIT, and NOAUDIT, as well as executions of the DBMS_AUDIT_MGMT or DBMS_FGA package | These are captured by mandatory audits in an Oracle Database. |
| Database parameter changes | High | Changes to database parameters using the ALTER SYSTEM statement | Critical Database Activity or ORA_DATABASE_PARAMETER audit policy |
| Database schema changes | Medium | Any Data Definition Language (DDL) actions such as CREATE, ALTER, DROP, or TRUNCATE on database schema objects* | Database Schema Changes or a similar audit policy |
| Failed logins by admin user | Critical | All failed login attempts by an admin user who has either administrative or system privileges | ORA_LOGON_FAILURES (ORA_LOGON_LOGOUT for 23c) or a similar policy |
| Profile changes | Critical | Any changes to user profiles such as CREATE, ALTER, or DROP | Critical Database Activity or a similar audit policy |
| User creation/modification | Medium | Any changes to database users such as CREATE, ALTER, or DROP | Critical Database Activity, ORA_ACCOUNT_MGMT, or a similar policy |
| User entitlement changes | Medium | Any changes to user entitlement data such as GRANT or REVOKE of privileges on any database objects | Critical Database Activity, ORA_ACCOUNT_MGMT, or a similar policy |
| SQL Firewall violations | Critical | SQL Firewall logs a violation in real time for every database connection or SQL command execution that does not match the entries in the enabled allowlist rules of the SQL Firewall policy. | Enable audit when you deploy and enforce the SQL Firewall policy for the database user |

*Database schema objects include: PROCEDURE, PACKAGE, PACKAGE BODY, FUNCTION, TRIGGER, LIBRARY, SYNONYM, TABLE, DATABASE LINK, INDEX, OUTLINE, CONTEXT, ATTRIBUTE DIMENSION, DIMENSION, INDEXTYPE, OPERATOR, JAVA, MINING MODEL, TYPE BODY, TYPE, MATERIALIZED VIEW, MATERIALIZED VIEW LOG, MATERIALIZED ZONEMAP, VIEW, ANALYTIC VIEW, SEQUENCE, and CLUSTER

Target-Policy Associations

When you apply an alert policy on a target database, Oracle Data Safe creates an association between your target database and the alert policy, and automatically enables the policy on your target database. You can view associations on the Target-Policy Associations page in Security Center. You can disable or re-enable the alert policy as needed and delete the target-policy association. Disabling the alert policy does not pause audit collection. It temporarily pauses the policy evaluation for the audit event.

A typical use case is a maintenance window: you know that certain activities in the database are going to generate audit events, but you do not want alert notifications sent to the administrator during this window. You can pause alert evaluation by temporarily disabling the alert policy.

Important:

You can apply alert policies before or after audit data collection is started for a target database. But when you want to start generating alerts, first ensure that appropriate audit policies are configured, that audit collection is enabled for the audit trails, and that Oracle Data Safe is collecting audit data from the target database.

All Alerts Report

Oracle Data Safe provides an interactive All Alerts report that shows you a high-level summary of your alerts. You can set filters, show and hide report columns, save your changes as a custom report, and generate and download PDF and XLS reports. You can update, delete, and generate PDF and XLS reports from custom reports. You cannot delete the All Alerts report. The following screenshot shows you an example of an All Alerts report for six target databases.

[Screenshot: all_alerts_report.png, an example All Alerts report for six target databases]

Alerts Workflow

The general steps for applying alerts to a target database are as follows:

  1. Obtain permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM) to inspect target databases and use the Alerts feature in the relevant compartment.
  2. Register your target database. A default audit profile, audit policy, and audit trail are automatically created for you.
  3. Review and modify the default audit profile for your target database to customize audit data retention settings and paid usage settings.
  4. Review and modify the default audit policy for your target database to ensure the unified audit policies that are appropriate to track activities of interest are enabled on your target database. Among those policies, decide which audit events you want to configure for proactive monitoring via alerts.
  5. Review the audit trails for your target database and ensure that they are started so that they can collect audit data. They should be in either the Collecting or Idle state.
  6. Apply alert policies to your target database.
    • When an alert policy is enabled, you can receive alerts for that policy.
    • When an alert policy is disabled, alert policy evaluation is suspended. The audit policy and audit data collection remain intact.
  7. Set up event and alarm notifications. For example, you can subscribe to the Alert Generated event to be automatically informed when an alert is generated. Additionally, you can set up an alarm to receive a notification when, for example, more than 100 alerts are generated within 5 minutes.
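The evaluation model described above (a collected audit record is matched against the alert policies that are enabled, and disabling a policy pauses evaluation but not collection) together with the alarm threshold from step 7, as an added Python example that is not Oracle Data Safe code. It assumes audit records shaped as dicts keyed by a few real UNIFIED_AUDIT_TRAIL column names (EVENT_TIMESTAMP, DBUSERNAME, ACTION_NAME, RETURN_CODE), an `admins` set standing in for the privilege lookup that decides who is an admin user, and constructed sample records.

```python
from datetime import datetime, timedelta

# Predefined alert policies from the table: name -> (severity, match predicate).
# `admins` is the set of users with administrative privileges (assumption: a real
# implementation would derive it from the database's privilege views).
ALERT_POLICIES = {
    "Failed logins by admin user": ("Critical", lambda r, admins:
        r["ACTION_NAME"] == "LOGON" and r["RETURN_CODE"] != 0 and r["DBUSERNAME"] in admins),
    "Database parameter changes": ("High", lambda r, _: r["ACTION_NAME"] == "ALTER SYSTEM"),
    "User creation/modification": ("Medium", lambda r, _:
        r["ACTION_NAME"] in {"CREATE USER", "ALTER USER", "DROP USER"}),
    "User entitlement changes": ("Medium", lambda r, _: r["ACTION_NAME"] in {"GRANT", "REVOKE"}),
}

def evaluate(records, enabled, admins):
    """Raise one alert per collected record that matches an ENABLED alert policy.
    Disabling a policy only suspends evaluation; `records` (collection) is untouched."""
    alerts = []
    for rec in records:
        for name, (severity, matches) in ALERT_POLICIES.items():
            if name in enabled and matches(rec, admins):
                alerts.append({"policy": name, "severity": severity,
                               "user": rec["DBUSERNAME"], "ts": rec["EVENT_TIMESTAMP"]})
    return alerts

def alarm_exceeded(alerts, threshold=100, window=timedelta(minutes=5)):
    """Sliding-window check mirroring the alarm example in the workflow: True when
    more than `threshold` alerts fall within any interval of length `window`."""
    times = sorted(a["ts"] for a in alerts)
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > threshold:
            return True
    return False

def sample_records(t0=datetime(2024, 1, 1, 9, 0)):
    """Constructed records: a failed SYS logon (RETURN_CODE 1017 is ORA-01017),
    a failed logon by an ordinary user, and an ALTER SYSTEM by SYS."""
    return [
        {"EVENT_TIMESTAMP": t0, "DBUSERNAME": "SYS", "ACTION_NAME": "LOGON", "RETURN_CODE": 1017},
        {"EVENT_TIMESTAMP": t0, "DBUSERNAME": "APP_USER", "ACTION_NAME": "LOGON", "RETURN_CODE": 1017},
        {"EVENT_TIMESTAMP": t0, "DBUSERNAME": "SYS", "ACTION_NAME": "ALTER SYSTEM", "RETURN_CODE": 0},
    ]

def failed_logons(user, n, spacing_seconds, t0=datetime(2024, 1, 1, 9, 0)):
    """Constructed burst: n failed LOGON records for `user`, spacing_seconds apart."""
    return [{"EVENT_TIMESTAMP": t0 + timedelta(seconds=i * spacing_seconds), "DBUSERNAME": user,
             "ACTION_NAME": "LOGON", "RETURN_CODE": 1017} for i in range(n)]
```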

Prerequisites for Using Alerts

These are the prerequisites for using Alerts:

  • Register the target databases that you want to use with the Alerts feature.
  • Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM) to use the Alerts feature in Oracle Data Safe. An OCI administrator can grant view or manage permission as needed on the following resources:
    • data-safe-alerts
    • data-safe-alert-policies
    • data-safe-target-alert-policy-associations
    • data-safe-report-definitions
    • data-safe-work-requests (lets you view the list of work requests and their details)

As an alternative to selectively granting permissions, you can grant permissions on data-safe-alert-family in the relevant compartments, which would include permissions on all of the resources above. See data-safe-alert-family Resource in the Administering Oracle Data Safe guide for more information.

See Also:

The Administering Oracle Data Safe guide provides these sections to help with establishing the prerequisites: