Hi everyone,
I want to correlate data between windows and oracle.
Each user can log on to only one PC in the company. First, a user has to log on to Windows (EventCode 4624, sourcetype=wineventlog:security, source_network_address=192... ... ....). After that, the user opens an application which gathers info from an Oracle DB.
Let's say this Oracle DB has sourcetype=my_appDB, which has terminalID, userID, functionID. So, in normal activity, source_network_address (from Windows) must be equal to terminalID (from Oracle); otherwise I have to create an alert.
Can anyone help me with this?
Many thanks.
I'm not sure this alert will work. If the only thing that will match up between the Windows event and the database event is terminal ID, then as long as everything is working as intended they will always match. It wouldn't even matter if you matched up with the Windows data or not - as long as Terminal ID is coming from your network, there would be no reason to alert because you have nothing else to check (like Windows username and DB username matching). The problem is that with the right client (i.e. Java JDBC), the TerminalID can be spoofed to be anything. An attacker could make the Terminal ID appear to be something legitimate even if the connection is originating from somewhere else. In such a case, your alert still wouldn't detect anything.
If you want to protect your database from connections originating in unauthorized networks, check out Oracle Connection Manager. It's a free add-on to most Oracle database licenses. There's a paper on how to implement it here. You can then use Splunk to monitor the connection manager logs and send alerts when any connection is rejected. Depending on your version of Oracle and the size of your client network, you might also consider implementing Oracle's Valid Node Checking feature on the listener (explicit client IP addresses might be required).
If setting up a connection manager is too much, you might also consider just using Splunk to monitor the existing database listener log for client IP addresses that don't match your authorized network.
Can you provide sample? The user is the same on both?
I want to create a table:
user (windows) | ip (from source_network_address) | userID (from app) | terminalID (the ip specified from app) | functionID (from app)
The main thing here is matching source_network_address with terminalID.
For the user, it depends; it is not necessary. It may be John on Windows and Smith in the application.
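As an added illustration of the correlation the thread describes (not code from the original post or from Splunk), the following Python builds the requested table over constructed sample events: each my_appDB record is matched to the most recent Windows 4624 logon whose source_network_address equals its terminalID within a time window, and a row with no such logon is flagged for alerting. The field names and the 8-hour window are assumptions; as the answer above notes, terminalID is client-supplied, so this only catches crude mismatches.

```python
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original post).
WINDOWS_LOGONS = [
    {"_time": "2024-01-10T08:00:00", "EventCode": 4624, "user": "john",
     "source_network_address": "192.168.1.10"},
    {"_time": "2024-01-10T08:05:00", "EventCode": 4624, "user": "mary",
     "source_network_address": "192.168.1.11"},
]

DB_EVENTS = [  # sourcetype=my_appDB records
    {"_time": "2024-01-10T08:10:00", "userID": "smith", "terminalID": "192.168.1.10", "functionID": "F01"},
    {"_time": "2024-01-10T08:12:00", "userID": "doe",   "terminalID": "10.0.0.99",    "functionID": "F07"},
    # Same terminal as the first row, but long after the only logon from it.
    {"_time": "2024-01-10T20:00:00", "userID": "smith", "terminalID": "192.168.1.10", "functionID": "F02"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(windows_logons, db_events, window=timedelta(hours=8)):
    """Return one row per DB event: the table from the thread plus an 'alert' flag.

    A DB event is matched to the latest 4624 logon from the same IP that occurred
    within `window` before it. Rows with no matching logon are alerts.
    """
    logons_by_ip = {}
    for ev in windows_logons:
        if ev.get("EventCode") != 4624:  # only successful logons are of interest
            continue
        logons_by_ip.setdefault(ev["source_network_address"], []).append((_ts(ev["_time"]), ev["user"]))

    rows = []
    for db in db_events:
        t, ip = _ts(db["_time"]), db["terminalID"]
        match = None
        for logon_time, user in logons_by_ip.get(ip, []):
            if logon_time <= t <= logon_time + window and (match is None or logon_time > match[0]):
                match = (logon_time, user)
        rows.append({
            "user": match[1] if match else None,      # Windows account, may differ from userID
            "ip": ip if match else None,              # source_network_address of the matched logon
            "userID": db["userID"],
            "terminalID": ip,
            "functionID": db["functionID"],
            "alert": match is None,                   # no Windows logon backs this terminalID
        })
    return rows


def alerts(windows_logons, db_events):
    """Convenience wrapper returning only the rows that should raise an alert."""
    return [r for r in correlate(windows_logons, db_events) if r["alert"]]
```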