Oracle Cloud Infrastructure (OCI) is Oracle’s public cloud platform — similar to AWS, Azure, or Google Cloud — designed to run enterprise workloads securely and efficiently.
It provides cloud services such as Compute, Storage, Networking, Databases, Security, and Observability.
OCI generates several types of logs that you can extract through APIs, the CLI, or connectors (such as the ArcSight SmartConnector):
Audit Logs (Activity Logs) - Records every API call or console action — who did what, when, and from where.
Service Logs (Explore Logs) - Logs from OCI services (Compute, Object Storage, Load Balancer, VCN Flow, Functions, etc.) — used for troubleshooting and analytics.
Flow Logs - Network traffic records (source/destination, ports, protocols, etc.) — useful for network forensics.
Custom Logs - Application or system logs you send to OCI Logging from your own workloads.
Sign in with your tenancy and user credentials.
Click your profile icon (upper-right corner).
Choose User Settings.
Click Tokens and keys.
If you are an administrator and want to create a key for another user, go to Identity & Security → Domains → select the domain → User management → select the user → API Keys.
Click Add API Key.
Choose Generate API Key Pair (recommended).
This option automatically creates both public and private keys.
When prompted, click Download Private Key — this file ends with .pem.
Store it securely (for example: ~/.oci/oci_api_key.pem).
Click Add to finish.
After adding the key, the Console shows a Configuration File Preview.
These are the details that you need for the OCI service:
[DEFAULT]
user=ocid1.user.oc1..aaaaaaaaexample
fingerprint=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:00
tenancy=ocid1.tenancy.oc1..aaaaaaaexampletenancy
region=us-ashburn-1
key_file=<path to the private key file that you downloaded earlier>
You can always view this snippet again:
User Settings → API Keys → ⋮ (menu) → View Configuration File
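As an added example (not part of the original page and not Oracle or ArcSight code), this Python check validates a saved copy of the configuration snippet before a connector is pointed at it: required fields, OCID prefixes, fingerprint shape, and whether the private key file is accessible to anyone other than its owner. The function names, the messages and the owner-only permission rule are assumptions of this example; the sample values are constructed.

```python
import configparser
import re
import stat
import tempfile
from pathlib import Path

REQUIRED = ("user", "fingerprint", "tenancy", "region", "key_file")
FINGERPRINT_RE = re.compile(r"^([0-9a-f]{2}:){15}[0-9a-f]{2}$", re.IGNORECASE)
# Constructed sample values, same shape as the Configuration File Preview.
SAMPLE = ("[DEFAULT]\nuser=ocid1.user.oc1..aaaaaaaaexample\n"
          "fingerprint=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:77:88:99:00\n"
          "tenancy=ocid1.tenancy.oc1..aaaaaaaexampletenancy\nregion=us-ashburn-1\n")


def check_oci_profile(config_path, profile="DEFAULT"):
    """Return a list of problems found in one profile of an OCI config file."""
    parser = configparser.ConfigParser(interpolation=None)
    if not parser.read(config_path) or profile not in parser:
        return ["cannot read config or profile not found"]
    values = parser[profile]
    problems = [f"missing field: {k}" for k in REQUIRED if not values.get(k, "").strip()]
    if problems:
        return problems
    for field in ("user", "tenancy"):
        if not values[field].startswith(f"ocid1.{field}."):
            problems.append(f"{field} is not a {field} OCID")
    if not FINGERPRINT_RE.match(values["fingerprint"].strip()):
        problems.append("fingerprint is not 16 colon-separated hex bytes")
    key_path = Path(values["key_file"].strip()).expanduser()
    if not key_path.is_file():
        return problems + ["key_file does not exist"]
    mode = stat.S_IMODE(key_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX check: owner-only access expected
        problems.append(f"key_file mode {mode:o} is accessible by group or others")
    if "PRIVATE KEY-----" not in key_path.read_text(errors="replace")[:64]:
        problems.append("key_file does not start with a PEM private key header")
    return problems


def demo():
    """Check a constructed config twice: key file mode 0644, then 0600."""
    with tempfile.TemporaryDirectory() as d:
        key, cfg = Path(d, "oci_api_key.pem"), Path(d, "config")
        key.write_text("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n")
        cfg.write_text(SAMPLE + f"key_file={key}\n")
        key.chmod(0o644)
        loose = check_oci_profile(cfg)
        key.chmod(0o600)
        return loose, check_oci_profile(cfg)
```

The permission test only reads POSIX mode bits, so on Windows the key file's ACL has to be reviewed separately.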
In the left menu, navigate to Identity & Security → Policies.
Find the compartment or tenancy where the policy should apply.
For most API integrations, this is at the tenancy level.
Click Create Policy.
Fill in the fields as follows:
Name: (e.g.) AllowAuditAccess
Description: (e.g.) Allow API key users in AuditReaders group to read Audit logs
Compartment: choose your tenancy root compartment
Statement: enter the permissions (see examples below)
Under Policy Builder:
In the Policy use cases drop-down list, choose Audit.
In the Common policy templates drop-down list, choose Let auditors inspect your resources.
Select the Groups check box.
Select the group to add permissions for.
Click Create.
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: Admin Logged In Successfully
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: First-Time Admin User Activity
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: Multiple Admin Account Login Failures
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: User Logged In from Known Malicious IP
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: User Logged In from Multiple Countries
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: User Logged In From Unauthorized Country
/All Rules/Real-time Rules/Mobula/Products/ORACLE/OCI@ORACLE/ORACLE OCI Audit/OCI: User Logged In Outside Working Hours