<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to correlate data between Windows and Oracle? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164121#M33255</link>
    <description>&lt;P&gt;If setting up a connection manager is too much, you might also consider just using Splunk to monitor the existing database listener log and monitoring for client IP addresses that don't match your authorized network.&lt;/P&gt;</description>
    <pubDate>Tue, 23 Dec 2014 23:53:11 GMT</pubDate>
    <dc:creator>pmdba</dc:creator>
    <dc:date>2014-12-23T23:53:11Z</dc:date>
    <item>
      <title>How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164116#M33250</link>
      <description>&lt;P&gt;Hi everyone,&lt;/P&gt;

&lt;P&gt;I want to correlate data between Windows and Oracle. &lt;BR /&gt;
Each user can log on to only one PC in the company. First, a user has to log on to Windows: eventcode 4624, sourcetype=wineventlog:security, source_network_address=192... ... ....! Afterwards, the user opens an application which gathers info from an Oracle DB. &lt;BR /&gt;
Let's say this Oracle DB has sourcetype=my_appDB, which has terminalID, userID, functionID. So, in normal activity, source_network_address (from Windows) must be equal to terminalID (from Oracle); otherwise I have to create an alert.&lt;/P&gt;

&lt;P&gt;Can anyone help me with this?&lt;BR /&gt;
Many thanks &lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:29:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164116#M33250</guid>
      <dc:creator>blebit</dc:creator>
      <dc:date>2020-09-28T18:29:46Z</dc:date>
    </item>
    <item>
      <title>Re: How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164117#M33251</link>
      <description>&lt;P&gt;Can you provide a sample? The user is the same on both?&lt;/P&gt;</description>
      <pubDate>Tue, 23 Dec 2014 14:04:16 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164117#M33251</guid>
      <dc:creator>pedromvieira</dc:creator>
      <dc:date>2014-12-23T14:04:16Z</dc:date>
    </item>
    <item>
      <title>Re: How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164118#M33252</link>
      <description>&lt;P&gt;For the user, it depends. It is not necessary. It may be John on Windows and Smith on the application. &lt;/P&gt;</description>
      <pubDate>Tue, 23 Dec 2014 14:23:28 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164118#M33252</guid>
      <dc:creator>blebit</dc:creator>
      <dc:date>2014-12-23T14:23:28Z</dc:date>
    </item>
    <item>
      <title>Re: How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164119#M33253</link>
      <description>&lt;P&gt;I want to create a table:&lt;/P&gt;

&lt;P&gt;user (windows) | ip (from source_network_address) | userID (from app) | terminalID (the ip specified from app) | functionID (from app)&lt;/P&gt;

&lt;P&gt;The main thing here is matching source_network_address with terminalID.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 18:29:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164119#M33253</guid>
      <dc:creator>blebit</dc:creator>
      <dc:date>2020-09-28T18:29:48Z</dc:date>
    </item>
    <item>
      <title>Re: How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164120#M33254</link>
      <description>&lt;P&gt;I'm not sure this alert will work. If the only thing that will match up between the Windows event and the database event is terminal ID, then as long as everything is working as intended they will always match. It wouldn't even matter if you matched up with the Windows data or not - as long as Terminal ID is coming from your network, there would be no reason to alert because you have nothing else to check (like Windows username and DB username matching). The problem is that with the right client (i.e. Java JDBC), the TerminalID can be spoofed to be anything. An attacker could make the Terminal ID appear to be something legitimate even if the connection is originating from somewhere else. In such a case, your alert still wouldn't detect anything.&lt;/P&gt;

&lt;P&gt;If you want to protect your database from connections originating in unauthorized networks, check out Oracle Connection Manager. It's a free add-on to most Oracle database licenses. There's a paper on how to implement it &lt;A href="http://pmdba.files.wordpress.com/2013/03/deploying-an-oracle-11gr2-connection-manager.pdf"&gt;here&lt;/A&gt;. You can then use Splunk to monitor the connection manager logs and send alerts when any connection is rejected. Depending on your version of Oracle and the size of your client network, you might also consider implementing Oracle's Valid Node Checking feature on the listener (explicit client IP addresses might be required).&lt;/P&gt;</description>
      <pubDate>Tue, 23 Dec 2014 23:48:30 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164120#M33254</guid>
      <dc:creator>pmdba</dc:creator>
      <dc:date>2014-12-23T23:48:30Z</dc:date>
    </item>
    <item>
      <title>Re: How to correlate data between Windows and Oracle?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164121#M33255</link>
      <description>&lt;P&gt;If setting up a connection manager is too much, you might also consider just using Splunk to monitor the existing database listener log and monitoring for client IP addresses that don't match your authorized network.&lt;/P&gt;</description>
      <pubDate>Tue, 23 Dec 2014 23:53:11 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-correlate-data-between-Windows-and-Oracle/m-p/164121#M33255</guid>
      <dc:creator>pmdba</dc:creator>
      <dc:date>2014-12-23T23:53:11Z</dc:date>
    </item>
  </channel>
</rss>

