How to correlate data between Windows and Oracle?

blebit
Path Finder

Hi everyone,

I want to correlate data between windows and oracle.
Each user can log on to only one PC in the company. First, a user has to log on to Windows (EventCode 4624, sourcetype=wineventlog:security, source_network_address=192... ... ....). After that, the user opens an application which gathers info from an Oracle DB.
Let's say this Oracle DB has sourcetype=my_appDB, which has terminalID, userID and functionID. So, in normal activity, source_network_address (from Windows) must be equal to terminalID (from Oracle); otherwise I have to create an alert.

can anyone help me on this?
many thanks

0 Karma

pmdba
Builder

I'm not sure this alert will work. If the only thing that will match up between the Windows event and the database event is terminal ID, then as long as everything is working as intended they will always match. It wouldn't even matter if you matched up with the Windows data or not - as long as Terminal ID is coming from your network, there would be no reason to alert because you have nothing else to check (like Windows username and DB username matching). The problem is that with the right client (i.e. Java JDBC), the TerminalID can be spoofed to be anything. An attacker could make the Terminal ID appear to be something legitimate even if the connection is originating from somewhere else. In such a case, your alert still wouldn't detect anything.

If you want to protect your database from connections originating in unauthorized networks, check out Oracle Connection Manager. It's a free add-on to most Oracle database licenses. There's a paper on how to implement it here. You can then use Splunk to monitor the connection manager logs and send alerts when any connection is rejected. Depending on your version of Oracle and the size of your client network, you might also consider implementing Oracle's Valid Node Checking feature on the listener (explicit client IP addresses might be required).

0 Karma
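The correlation the question asks for, and the spoofing caveat pmdba raises, as an added example that is not part of the original thread. It mirrors what a Splunk search over both sourcetypes would do: every my_appDB event is matched to the most recent 4624 logon from the same IP that precedes it within a time window, rows without such a logon become alerts, and the table has the columns blebit lists further down. The field names follow the question; the events, the 8-hour window and the usernames are constructed for the example. The third app event shows the weakness pmdba describes: a terminalID that merely looks like a logged-on PC passes the check.

```python
"""Correlate Windows 4624 logons with Oracle app events by client IP.

Added example, not code from the original thread. Field names follow the
question (source_network_address, terminalID, userID, functionID); the
events and the window are constructed, not real logs.
"""
from datetime import datetime, timedelta

# Constructed sample events, shaped like Splunk field extractions.
WINDOWS_LOGONS = [
    {"_time": "2024-03-01T08:00:00", "EventCode": "4624", "user": "john",
     "source_network_address": "10.1.1.20"},
    {"_time": "2024-03-01T08:05:00", "EventCode": "4624", "user": "mary",
     "source_network_address": "10.1.1.21"},
    # a non-4624 event from the same host must not count as a logon
    {"_time": "2024-03-01T08:06:00", "EventCode": "4634", "user": "mary",
     "source_network_address": "10.1.1.21"},
]

APP_EVENTS = [
    # normal: terminalID has a recent Windows logon from john (app user is smith)
    {"_time": "2024-03-01T08:10:00", "userID": "smith",
     "terminalID": "10.1.1.20", "functionID": "F100"},
    # suspicious: no Windows logon was ever seen from this IP -> alert
    {"_time": "2024-03-01T08:12:00", "userID": "smith",
     "terminalID": "10.1.1.99", "functionID": "F200"},
    # spoofed terminalID (pmdba's caveat): the client claims 10.1.1.21, which
    # has a real logon, so this check cannot tell it apart from mary's PC
    {"_time": "2024-03-01T08:15:00", "userID": "jones",
     "terminalID": "10.1.1.21", "functionID": "F300"},
    # stale: the only logon from this IP is outside the window -> alert
    {"_time": "2024-03-01T18:00:00", "userID": "smith",
     "terminalID": "10.1.1.20", "functionID": "F100"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(logons, app_events, window=timedelta(hours=8)):
    """Return (rows, alerts).

    rows   : one row per app event with the table columns from the thread
             (win_user, ip, userID, terminalID, functionID).
    alerts : the rows whose terminalID had no 4624 logon within `window`
             before the app event.
    """
    by_ip = {}
    for e in logons:
        if e.get("EventCode") != "4624":
            continue
        by_ip.setdefault(e["source_network_address"], []).append(e)
    for events in by_ip.values():
        events.sort(key=lambda e: _ts(e["_time"]))

    rows, alerts = [], []
    for a in app_events:
        t = _ts(a["_time"])
        match = None
        for logon in by_ip.get(a["terminalID"], []):
            lt = _ts(logon["_time"])
            if lt > t:
                break              # logons are sorted; later ones cannot qualify
            if t - lt <= window:
                match = logon      # keep the latest qualifying logon
        row = {
            "win_user": match["user"] if match else None,
            "ip": match["source_network_address"] if match else None,
            "userID": a["userID"],
            "terminalID": a["terminalID"],
            "functionID": a["functionID"],
        }
        rows.append(row)
        if match is None:
            alerts.append(row)
    return rows, alerts


if __name__ == "__main__":
    rows, alerts = correlate(WINDOWS_LOGONS, APP_EVENTS)
    for r in rows:
        print(r)
    print("alerts:", [a["terminalID"] for a in alerts])
```

Only the 10.1.1.99 event and the stale 18:00 event are alerted; the spoofed 10.1.1.21 row is indistinguishable from a legitimate one, which is exactly why pmdba suggests checking the real client address at the listener or Connection Manager rather than the application-supplied terminalID.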

pmdba
Builder

If setting up a connection manager is too much, you might also consider just using Splunk to monitor the existing database listener log for client IP addresses that don't match your authorized network.

0 Karma
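The listener-log check pmdba suggests, as an added example that is not part of the thread. It parses the "establish" entries of an Oracle listener.log (timestamp, CONNECT_DATA, client ADDRESS, event, service, return code) and flags connections whose client HOST is outside an allow-list of networks; the log lines and the allowed networks are constructed for the example. The same allow-list is what you would put into TCP.INVITED_NODES if you enable TCP.VALIDNODE_CHECKING in sqlnet.ora, the Valid Node Checking feature mentioned above.

```python
"""Flag Oracle listener.log connections from outside the authorized networks.

Added example, not code from the thread. The log lines are constructed in the
shape of listener.log 'establish' entries; the allowed networks are assumed.
"""
import ipaddress
import re

# Assumed authorized client networks (what you would also list as invited nodes).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.50.0/24")]

# Constructed sample lines. Return code 0 = accepted, otherwise an ORA- number.
LISTENER_LOG = """\
01-MAR-2024 08:10:12 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=app.exe)(HOST=PC20)(USER=john))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.20)(PORT=51234)) * establish * orcl * 0
01-MAR-2024 08:12:40 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=java)(HOST=laptop)(USER=jdbc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.7)(PORT=40000)) * establish * orcl * 0
01-MAR-2024 08:13:05 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=PC21)(USER=mary))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.1.1.21)(PORT=51300)) * establish * orcl * 1017
"""

# One 'establish' line: ts * (CONNECT_DATA=...) * (ADDRESS=...) * establish * service * rc
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \* \((?P<cd>CONNECT_DATA=.*?)\) \* "
    r"\(ADDRESS=\(PROTOCOL=(?P<proto>\w+)\)\(HOST=(?P<host>[^)]+)\)\(PORT=(?P<port>\d+)\)\) \* "
    r"establish \* (?P<service>\S+) \* (?P<rc>\d+)$"
)


def parse_establish(line):
    """Parse one listener.log 'establish' line; return a dict or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # PROGRAM/USER come from the client-supplied CID, so treat them as hints only;
    # the HOST inside ADDRESS is the address the listener actually saw.
    for key in ("PROGRAM", "USER"):
        sub = re.search(r"\(%s=([^)]*)\)" % key, rec["cd"])
        rec[key.lower()] = sub.group(1) if sub else None
    rec["accepted"] = rec["rc"] == "0"
    return rec


def off_network(log_text, allowed=ALLOWED_NETWORKS):
    """Return the parsed records whose client address is not in `allowed`."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_establish(line)
        if rec is None:
            continue
        try:
            ip = ipaddress.ip_address(rec["host"])
        except ValueError:
            # a hostname instead of an IP: cannot verify, so report it
            rec["reason"] = "non-IP client address"
            hits.append(rec)
            continue
        if not any(ip in net for net in allowed):
            rec["reason"] = "client outside authorized networks"
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in off_network(LISTENER_LOG):
        print(h["ts"], h["host"], h["program"], h["user"], h["reason"])
```

Note that the connection from 203.0.113.7 was accepted by the listener (return code 0), so the database saw nothing wrong; only the network address tells you it should not have happened. A failed logon from an authorized PC (the ORA-1017 line) is not flagged by this check.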

pedromvieira
Communicator

Can you provide a sample? Is the user the same on both?

0 Karma

blebit
Path Finder

I want to create a table:

user (windows) | ip (from source_network_address) | userID (from app) | terminalID (the ip specified from app) | functionID (from app)

The main thing here is matching source_network_address with terminalID.

0 Karma

blebit
Path Finder

For the user, it depends. It is not necessary. It may be John on Windows and Smith on the application.

0 Karma