RSA Admin

Oracle and UserAdded alerting

Discussion created by RSA Admin Employee on Jun 1, 2011

We were doing some testing with our Oracle system and I noticed that a "New User Added" alert that we created was not firing.  We keyed our circuits off the "User.Management.Users.Additions" Event category.

Circuit Label: UserAdded-Database
Statement Contents
UserAdded-Database Consider every event in the Event Selection
Device Set  Class/Device Type IP Address/Mask Operator
Storage.Database ALL

Event Set Event Type/Device Type  Comparison Value/Mask Operator
Event Category/ALL IN User.Management.Users.Additions

I checked the Messages and there is NOTHING categorized as "User.Management.Users.Additions" for the Oracle database category.  In fact, the ONLY User.Management events for the class Storage.Database (11 of them) are for Microsoft SQL database.

I see a variety of "create" messages defined for Oracle.  How would we get the appropriate events included in User.Management.User.Additions?  Is this something that RSA would have to enhance via a Content Update?  Since the 'create' command in Oracle applies to many things, I imagine there would be some parsing required to catch just the 'create user' information.

Outcomes