OCI Threat Management

Introduction

Oracle Cloud Infrastructure (OCI) threat management helps to detect misconfigured resources, insecure activities across tenants, malicious threat activities, and provides security administrators with the visibility to triage and resolve cloud security issues.

When an OCI account is onboarded in CoreStack, threat management is disabled by default. To learn about the threats related to an account, the user must sign in to the CoreStack application and configure threat management; once threats are reported, the user can take remediation steps.

Enabling threat management in the CoreStack application enables the Cloud Guard service. Cloud Guard is the OCI service for threat management; CoreStack retrieves threat information and alerts from it.

Threat management for an OCI account is enabled from the Account Governance screen. There are two steps for this configuration:

  1. Verify whether the OCI account is configured for threat management in Cloud Guard.
  2. After the Cloud Guard configuration is validated, save the Cloud Guard configuration for the OCI account.

If the account is not configured, a new configuration must be added and then saved. Users can delete the threat management configuration for an account at any time.

If threat management is configured, users can view threat-related details on the Security Governance screen of the CoreStack application, in several chart formats and in a threat dashboard that shows detailed information about the threats captured for the account. Users can monitor their accounts this way and take the necessary remediation steps.

Configuring Threat Management

Perform the following steps to enable threat management in an OCI account:

  1. Sign in to the CoreStack application.
  2. Navigate to Governance > Account Governance.
  3. In the Cloud Account Summary section, hover the cursor over OCI and click the number next to Tenancy.

All OCI accounts are displayed.

  4. For a particular OCI account, in the ACTIONS column, click VIEW > View Settings.
  5. On the Cloud Account Details screen, click Governance Configuration > SECURITY.
  6. To enable threat management, click CONFIGURE.

The THREAT MANAGEMENT CONFIGURATION screen is displayed. It has two steps: step one is VERIFY ACCESS and step two is CLOUD GUARD.

  7. In the VERIFY ACCESS step, in the Select your option field, select one of the following and click Next:
    • Check Existing Configuration: Select this option to check whether threat management is already enabled in Cloud Guard for the selected OCI account.
    • Create New: Select this option to enable threat management for the selected account.
  8. If the user selects Check Existing Configuration, then in the CLOUD GUARD step, click VALIDATE. The Validating Cloud Guard section shows a message with the status of Cloud Guard.
    • If the status of Cloud Guard is ENABLED, click SAVE & FINISH.
    • If the status of Cloud Guard is DISABLED, return to the VERIFY ACCESS step (step one) and select the Create New option.

📘 Note: Ensure that the Cloud Guard button is set to ON.

  9. If the user selects Create New, then in the CLOUD GUARD step, click FINISH and then click SAVE.

📘 Note: Ensure that the Cloud Guard button is set to ON.

This completes the configuration of threat management for an OCI account.
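As an added check that is not part of the CoreStack documentation, the Cloud Guard status that the VALIDATE step reports can also be confirmed directly with the OCI CLI. It assumes the OCI CLI is installed and configured, and that TENANCY_OCID (an assumed environment variable) holds the tenancy OCID; the JSON sample embedded below is constructed in the shape of the CLI output, not captured from a real tenancy.

```shell
#!/bin/sh
# Added example: confirm the Cloud Guard status that CoreStack's VALIDATE step
# reports, straight from the OCI CLI. Assumes a configured OCI CLI and an
# assumed TENANCY_OCID variable (Cloud Guard is configured at tenancy level,
# so the tenancy OCID is passed as the compartment id).

# Pull the "status" value (ENABLED or DISABLED) out of the JSON printed by
# `oci cloud-guard configuration get`. Uses only tr/sed, so jq is not needed.
cloud_guard_status() {
  printf '%s' "$1" | tr -d '\n\t ' | sed -n 's/.*"status":"\([A-Za-z_]*\)".*/\1/p'
}

# Map the status onto the branch the CoreStack procedure takes next.
next_step() {
  case "$1" in
    ENABLED)  echo "Cloud Guard already enabled: SAVE & FINISH" ;;
    DISABLED) echo "Cloud Guard disabled: return to VERIFY ACCESS and choose Create New" ;;
    *)        echo "unrecognised status '$1'"; return 1 ;;
  esac
}

# Live check against the tenancy; only attempted when TENANCY_OCID is set.
check_live() {
  [ -n "$TENANCY_OCID" ] || { echo "TENANCY_OCID not set; skipping live check"; return 0; }
  json=$(oci cloud-guard configuration get --compartment-id "$TENANCY_OCID") || return 1
  next_step "$(cloud_guard_status "$json")"
}

# Constructed sample in the shape of the CLI output (not from a real tenancy).
SAMPLE_DISABLED='{
  "data": {
    "reporting-region": "us-ashburn-1",
    "self-manage-resources": false,
    "status": "DISABLED"
  }
}'

check_live
```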

Deleting Threat Management Configuration

To delete the threat management configuration for an OCI account, perform the following steps:

  1. Perform steps 1 to 5 of Configuring Threat Management above.
  2. Click DELETE CONFIGURATION.

This deletes the threat management configuration from CoreStack only. Cloud Guard itself is not disabled and continues to monitor threats for the OCI account.

Monitoring Threats

After threat management configuration is enabled for an OCI account, the user must access the CoreStack application and navigate to Security > Posture to monitor the threats. Refer to Account Level View and follow the detailed procedure to monitor threats in an OCI account.

📘 Note: Currently, multi-region support is not available for OCI accounts.