Audit basic login anomalies detector


Job details

Name: Audit basic login anomalies detector
Platform: Oracle
Category: Audit
Description: Check that looks for anomalies in new sessions logging on to the database
Long description:
Version: 3.8
Default schedule: * * * *
Requires engine install: Yes
Compatibility tag: .[type='instance' & databasetype='oracle']/.[hasengine='YES']

Parameters

| Name | Default value | Description |
| --- | --- | --- |
| Match database keep time (days) | 60 | The number of days we keep a record of an action before it is removed from the normal behavior table. |
| Gathering baseline | YES | YES means it will accept all new behavior as normal and gather information for building up an anomalies database. |

Job Summary

SELECT * FROM dbwatch_aud.dbw_ano_bas_login_record ORDER BY DBW_ROW_SEQ;
SELECT * FROM sys.aud$ WHERE sessionid IN (SELECT sessionid FROM dbwatch_aud.dbw_ano_bas_login_record) ORDER BY sessionid, entryid;

Implementation Details

Tables Created

| Table Name | Description |
| --- | --- |
| dbw_ano_bas_login_rowsets | Maintains a log of processed logon row sets, marking the timestamp and status of verification |
| dbw_ano_bas_login_db | Stores login actions with their MD5 hash checksums for quick verification of existing data |
| dbw_ano_bas_login_db_new | Utilized for new unique login actions, recorded as part of the anomaly detection process |
| dbw_ano_bas_login_record | Logs detailed information about each login activity, including user ID and host details |
| dbw_ano_bas_login_readable | Contains human-readable descriptions of login actions, generated from login records |
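
How the two parameters and the MD5 checksum lookup described above interact, as an added example that is not dbWatch's own code. The field names, the `LoginBaseline` class and the choice not to learn flagged logins are assumptions made for illustration, and the sample logins are constructed.

```python
import hashlib
from datetime import datetime, timedelta

# Assumed fields of a login action; the page only names "user ID and host details".
FIELDS = ("db_user", "os_user", "host", "terminal")

def fingerprint(login):
    """MD5 checksum over the normalized fields, used only as a lookup key."""
    # The unit separator keeps ("ab", "c") and ("a", "bc") from hashing alike.
    joined = "\x1f".join(str(login.get(f, "")).strip().lower() for f in FIELDS)
    return hashlib.md5(joined.encode("utf-8")).hexdigest()

class LoginBaseline:
    """Hypothetical stand-in for the normal-behavior table."""

    def __init__(self, keep_days=60, gathering=True):
        self.keep = timedelta(days=keep_days)   # "Match database keep time (days)"
        self.gathering = gathering              # "Gathering baseline"
        self.known = {}                         # fingerprint -> last time seen

    def purge(self, now):
        """Drop fingerprints not seen within the keep time."""
        cutoff = now - self.keep
        self.known = {h: ts for h, ts in self.known.items() if ts >= cutoff}

    def observe(self, login, now):
        """Return True when the login is an anomaly."""
        self.purge(now)
        h = fingerprint(login)
        if h in self.known or self.gathering:
            self.known[h] = now      # refresh, or learn while gathering the baseline
            return False
        return True                  # unknown outside baseline mode: flag, do not learn

def demo():
    """Constructed sample logins; returns the anomaly verdict for each."""
    t0 = datetime(2024, 1, 1, 8, 0)
    app = {"db_user": "APP", "os_user": "svc_app", "host": "apphost01", "terminal": "pts/0"}
    base = LoginBaseline(keep_days=60, gathering=True)
    results = [base.observe(app, t0)]                                  # learned
    base.gathering = False
    upper = dict(app, host="APPHOST01")                                # same action, other case
    results.append(base.observe(upper, t0 + timedelta(days=1)))        # known
    results.append(base.observe(dict(app, host="laptop-77"), t0 + timedelta(days=2)))  # new host
    results.append(base.observe(app, t0 + timedelta(days=62)))         # aged out of baseline
    return results

if __name__ == "__main__":
    print(demo())
```

The last verdict shows the operational side effect of the keep time: an account that logs in less often than every 60 days ages out of the baseline and is flagged again on its next login.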

Core Functions and Procedures

Dependencies and Cleanup

Reporting