
Update OracleDatabaseAudit.json
v-muuppugund committed Apr 18, 2024
1 parent 56e5270 commit 7954c24
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions Solutions/OracleDatabaseAudit/Workbooks/OracleDatabaseAudit.json
Expand Up @@ -66,7 +66,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OracleDatabaseAuditEvent\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"query": "Syslog \r\n| | where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
"size": 0,
"title": "Events over time",
"timeContext": {
Expand Down Expand Up @@ -142,7 +142,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog \r\n | where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage contains "DBUSER"| summarize count()",
"query": "Syslog \r\n | where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage contains "DBUSER"| summarize TotalEvents = count() \r\n| order by TotalEvents\r\n| take 10 ",
"size": 3,
"title": "Database Users Activity (Events)",
"timeContext": {
Expand All @@ -161,7 +161,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "Syslog \r\n | where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage contains "DBUSER"| summarize count()",
"query": "Syslog \r\n | where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage contains "SYS"| summarize TotalEvents = count()\r\n",
"size": 3,
"title": "Source Users Activity (Events)",
"timeContext": {
Expand Down Expand Up @@ -207,7 +207,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OracleDatabaseAuditEvent\r\n| where isnotempty(SrcDvcHostname)\r\n| summarize TotalEvents = count() by SrcDvcHostname\r\n| join kind = inner (OracleDatabaseAuditEvent\r\n | where isnotempty(SrcDvcHostname)\r\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by SrcDvcHostname)\r\n on SrcDvcHostname\r\n| project SrcDvcHostname, TotalEvents, Trend\r\n| order by TotalEvents\r\n| top 10 by TotalEvents",
"query": "Syslog\r\n| where isnotempty(HostName)\r\n| summarize TotalEvents = count() by HostName\r\n",
"size": 3,
"title": "Top Source Hosts",
"timeContext": {
Expand Down Expand Up @@ -265,7 +265,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OracleDatabaseAuditEvent\n| where DbAction =~ 'SELECT'\n| extend TableName = replace(@'[,\\(\\)]', '', extract(@'(?i)SELECT(.*?)FROM\\s(.*?)\\s', 2, Action))\n| where isnotempty(TableName)\n| where TableName !in ('select', 'SELECT')\n| summarize count() by TableName\n| order by count_\n\n\n",
"query": "Syslog\n| where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage !contains "ACTION:"3""\r\n| summarize count() \n\n\n",
"size": 0,
"title": "Database Tables Queried",
"timeContext": {
Expand Down Expand Up @@ -349,7 +349,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OracleDatabaseAuditEvent\r\n| where TimeGenerated > ago(30d)\r\n| order by TimeGenerated\r\n| where isnotempty(SrcUserName)\r\n| where isnotempty(DbAction)\r\n| summarize EventTime = max(TimeGenerated) by SrcUserName, DbAction\r\n| order by EventTime desc\r\n| join (OracleDatabaseAuditEvent\r\n | where TimeGenerated > ago(30d)\r\n | order by TimeGenerated\r\n | where isnotempty(SrcUserName)\r\n | where isnotempty(DbAction)\r\n | summarize by SrcUserName) on SrcUserName\r\n| project EventTime, SrcUserName, DbAction\r\n\r\n",
"query": "Syslog\n| where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and TimeGenerated > ago(30d)\r\n| order by TimeGenerated\r\n| where SyslogMessage contains "SYS"\r\n| SyslogMessage contains "ACTION"\r\n| summarize EventTime = max(TimeGenerated) \r\n| order by EventTime desc\r\n",
"size": 1,
"title": "Latest User Actions",
"timeContext": {
Expand All @@ -371,7 +371,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OracleDatabaseAuditEvent\r\n| where isnotempty(SrcUserName)\r\n| where isnotempty(Privilege)\r\n| summarize Privileges = makeset(Privilege) by SrcUserName",
"query": "Syslog\n| where SyslogMessage contains "Unified Audit" \r\n and ProcessName == "Oracle"\r\n and SyslogMessage contains "ACTION:"506""\r\n| summarize count() \n\n\n",
"size": 1,
"title": "Users' Privileges",
"timeContext": {
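Review bot: The new query in the first hunk (the `Events over time` item, @@ -66) is not valid KQL — it has a doubled pipe `| |` after `Syslog` and no pipe before `make-series` — so the tile errors instead of charting audit volume; the value should read `"Syslog\r\n| where SyslogMessage contains \"Unified Audit\"\r\n and ProcessName == \"Oracle\"\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};"`. The `Latest User Actions` hunk has the same class of defect (`| SyslogMessage contains "ACTION"` is missing `where`), and the `Database Tables Queried` and `Users' Privileges` hunks embed `"ACTION:"3""` / `"ACTION:"506""`, which ends the literal early — a KQL single-quoted literal avoids that, e.g. `and SyslogMessage contains 'ACTION:\"506\"'`. Unless the rendering dropped backslashes, the quotes around `Unified Audit` and `Oracle` are also unescaped inside JSON string values on every new line, which a strict JSON parser rejects; the old lines of the second and third hunks already had this, so it may be pre-existing rather than introduced here. In the `Database Users Activity` and `Source Users Activity` hunks, `summarize TotalEvents = count()` with no `by` clause collapses to a single row, so the following `order by TotalEvents | take 10` cannot produce the per-user ranking the titles promise, and `contains "SYS"` will match any message containing that substring. Since these tiles are the workbook's audit-coverage view, a query that errors or silently returns one row looks like an empty period rather than a broken panel, so validating the file as JSON and running each query in the Log Analytics editor before merge would be worth the time.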
