Oracle and UserAdded alerting
We were doing some testing with our Oracle system and I noticed that a "New User Added" alert that we created was not firing. We keyed our circuits off the "User.Management.Users.Additions" Event category.
Circuit Label: UserAdded-Database
UserAdded-Database: Consider every event in the Event Selection
Device Set:
  Class/Device Type | IP Address/Mask | Operator
Event Set:
  Event Type/Device Type | Comparison | Value/Mask | Operator
  Event Category/ALL | IN | User.Management.Users.Additions |
I checked the Messages and there is NOTHING categorized as "User.Management.Users.Additions" for the Oracle database category. In fact, the ONLY User.Management events for the class Storage.Database (11 of them) are for Microsoft SQL database.
I see a variety of "create" messages defined for Oracle. How would we get the appropriate events included in User.Management.User.Additions? Is this something that RSA would have to enhance via a Content Update? Since the 'create' command in Oracle applies to many things, I imagine there would be some parsing required to catch just the 'create user' information.