Oracle Cloud Infrastructure Integration
Oracle Cloud Infrastructure (OCI) is a suite of cloud services that enables organizations to build, deploy, and manage a variety of applications and workloads. As part of its security architecture, OCI includes virtual firewalls that control network traffic as it passes through your Virtual Cloud Networks (VCNs). Traffic that is either accepted or rejected by these firewalls is recorded in VCN Flow Logs. These logs are managed through the OCI Logging service, where they can be viewed, searched, and exported. Using the OCI Connector Hub, Flow Logs are delivered to an OCI Object Storage.
Enable the OCI integration to ingest VCN Flow Logs directly from OCI Object Storage and leverage them as network telemetry to generate security findings within the XDR platform.
Note: You can integrate one or more OCI regions or tenancies with a single Cisco XDR tenant. Ensure that, for each OCI region or tenancy you wish to monitor, a corresponding Oracle Cloud Infrastructure integration instance is configured within Cisco XDR.
- In the Cisco XDR navigation menu, choose Administration > Integrations.
- On the Integrations page, click the Third-Party tab and navigate to the Oracle Cloud Infrastructure integration.
- Click the plus sign (+) in the lower-right corner of the card. The Oracle Cloud Infrastructure integration page is displayed.
- Expand the Integration Guide area and follow the instructions on how to add the Oracle Cloud Infrastructure integration in Cisco XDR.
Incidents are groups of correlated events generated using data ingested from your integrated products. Correlating events that could be part of a larger threat into a single incident reduces the time typically required to investigate individual security alerts or detections. For more information about the Cisco XDR Incidents feature, see Incidents.
When you enable the Oracle Cloud Infrastructure integration, Cisco XDR ingests the VCN flow logs from Oracle Cloud Infrastructure for incident correlation.
To view incidents with Oracle Cloud Infrastructure data:
- In the Cisco XDR navigation menu, choose Incidents.
- Look for XDR Cloud in the Source column to find incidents generated with Oracle Cloud Infrastructure data.
- Select an incident and open the Incident Detail page.
- Click the Detection page to see events from Oracle Cloud Infrastructure and other sources.
If you do not have any incidents with Oracle Cloud Infrastructure data, you can verify that Cisco XDR is receiving data from Oracle Cloud Infrastructure using the Detection Ingest Status card on the Dashboards page. For more information about Cisco XDR Dashboards, see Dashboards.
To create a new dashboard that includes Detection Ingest Status card:
- In the Cisco XDR navigation menu, choose Control Center > Dashboards and click Customize in the upper right corner of the Dashboards page.
- In the My Dashboards area, click Create new dashboard and enter a unique dashboard name in the Dashboard Name field.
- In the list of integrations, find the Secure Cloud Analytics integration and click the (Expand) icon.
- Check the Detection Ingest Status check box to add the card to the dashboard.
- Click Save.
The new customized dashboard is displayed on the Dashboards page. If no data is displayed in the Detection Ingest Status card for Oracle Cloud Infrastructure, check your integration configuration.
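When the Detection Ingest Status card stays empty, the first thing to rule out is the upstream leg: whether the Connector Hub is still writing VCN Flow Log objects into the Object Storage bucket that Cisco XDR reads. The following script is an added example, not Cisco's or Oracle's code; the bucket name, object prefix and the 30-minute freshness window are assumptions, and the live listing uses the OCI Python SDK with a configured ~/.oci/config profile.

```python
"""Check that VCN Flow Log objects are still arriving in the OCI Object Storage
bucket that feeds Cisco XDR. Added example; not Cisco's or Oracle's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional


@dataclass
class FlowLogObject:
    name: str
    time_created: datetime  # timezone-aware UTC, as returned by the SDK


def newest_delivery(objects: Iterable[FlowLogObject]) -> Optional[datetime]:
    """Creation time of the most recent object, or None if the listing is empty."""
    times = [o.time_created for o in objects]
    return max(times) if times else None


def delivery_is_healthy(objects: Iterable[FlowLogObject], now: datetime,
                        max_age: timedelta = timedelta(minutes=30)) -> bool:
    """True when at least one flow-log object was written within max_age of now.
    False means the Logging -> Connector Hub -> Object Storage path has stalled, so
    an empty Detection Ingest Status card is not an XDR-side configuration issue."""
    newest = newest_delivery(objects)
    return newest is not None and (now - newest) <= max_age


def list_flow_log_objects(bucket_name: str, prefix: str = "") -> List[FlowLogObject]:
    """Live listing via the OCI Python SDK (assumed bucket name/prefix; needs read
    permission on the bucket). Only the first page of results is fetched."""
    import oci  # real SDK; imported here so the pure functions above run without it
    config = oci.config.from_file()
    client = oci.object_storage.ObjectStorageClient(config)
    namespace = client.get_namespace().data
    resp = client.list_objects(namespace, bucket_name, prefix=prefix,
                               fields="name,timeCreated")
    return [FlowLogObject(o.name, o.time_created) for o in resp.data.objects]


# Constructed sample metadata standing in for a real bucket listing.
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    FlowLogObject("flowlogs/2024-05-01/11-40.json.gz", SAMPLE_NOW - timedelta(minutes=20)),
    FlowLogObject("flowlogs/2024-05-01/11-10.json.gz", SAMPLE_NOW - timedelta(minutes=50)),
]
STALE_OBJECTS = [
    FlowLogObject("flowlogs/2024-04-30/23-50.json.gz", SAMPLE_NOW - timedelta(hours=12)),
]

if __name__ == "__main__":
    print("delivery healthy:", delivery_is_healthy(SAMPLE_OBJECTS, SAMPLE_NOW))
```

For a real check, replace SAMPLE_OBJECTS with list_flow_log_objects("your-bucket", "flowlogs/") and pass datetime.now(timezone.utc) as now; large buckets need the SDK's pagination (next_start_with) to see the newest objects.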
You can perform the following tasks after you integrate Oracle Cloud Infrastructure with Cisco XDR:
- Detection findings - View the security events generated by Oracle Cloud Infrastructure to validate the data that is ingested by Cisco XDR for incident generation. For details, see Detection Findings.