At a recent Symantec DLP User Group meeting in Minneapolis, several of us got into a discussion about the best way to audit DLP administrators and users. Here are my thoughts on the topic:
Perfect solution - Symantec makes the events in the AUDITLOG table available in the Enforce console under System-Events. We could then develop alerts to send these events to a SIEM tool.
Option 1 - Write a stored procedure in Oracle, fired by a trigger on every insert into the AUDITLOG table. That stored procedure would then send the new row to a SIEM tool for correlation and alerting.
Option 2 – Develop a process to query the AUDITLOG table on a scheduled basis to extract the newest records. This could be scheduled to run every 5/10/15 minutes – however often you desire. The results of the query would be sent to your SIEM tool for correlation and alerting.
Option 3 - Some SIEM tools can actually query databases to grab log records. Per our conversation, it didn’t sound like yours could do this.
Remember, create an Oracle user with READ ONLY access to JUST the AUDITLOG table. Don't use the same Oracle account you used when installing the Enforce server.
Here is a description and a sample SQL query for the AUDITLOG table.
SQL> desc auditlog
 Name                                      Null?    Type
 ----------------------------------------- -------- -------------------------
 AUDITLOGID                                NOT NULL NUMBER(38)
 TIME                                      NOT NULL TIMESTAMP(6)
 IPADDRESS                                          VARCHAR2(2048 CHAR)
 USERNAME                                  NOT NULL VARCHAR2(2048 CHAR)
 ROLE                                               VARCHAR2(2048 CHAR)
 ENTITY                                    NOT NULL VARCHAR2(2048 CHAR)
 ACTION                                    NOT NULL VARCHAR2(2048 CHAR)
 DETAIL                                             CLOB
-- This SQL*Plus script uses "|" as the delimiter between the fields. Watch out
-- for the last field, DETAIL: it is a CLOB and can be very large, so only its
-- first 3500 characters are taken. Keep the whole concatenated row under
-- 4000 bytes, or the SELECT fails with ORA-01489 (string concatenation too long).
SET HEAD OFF
SET TRIM ON
SET WRAP OFF
SET LINESIZE 5000
SET PAGESIZE 9999
SELECT
    auditlogid || '|' ||
    to_char(time,'DD-MON-YYYY HH24:MI:SS') || '|' ||
    ipaddress || '|' ||
    username || '|' ||
    role || '|' ||
    entity || '|' ||
    action || '|' ||
    -- flatten CR/LF inside DETAIL so each audit event stays on one output line
    REPLACE(REPLACE(dbms_lob.substr( detail, 3500, 1 ),CHR(13), ' '), CHR(10), '')
FROM auditlog
ORDER BY auditlogid;
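An added example of the Option 2 scheduled poller (my own illustration, not code from the post or from Symantec): it keeps a high-water mark of the last AUDITLOGID forwarded, pulls only newer rows, and emits them with the same pipe-delimited cleanup as the SQL above, plus escaping of any "|" inside a field. The in-memory sqlite3 table and its rows are constructed stand-ins for the Oracle AUDITLOG; a real run would replace open_sample_db() with a python-oracledb connection under the read-only account (and use :name binds instead of ?).

```python
import sqlite3

# Constructed stand-in for the Enforce AUDITLOG table, with the same columns as
# the "desc auditlog" output above. A real run would open a python-oracledb
# connection under the read-only AUDITLOG account instead of this sqlite3 DB.
DDL = """CREATE TABLE auditlog (
    auditlogid INTEGER PRIMARY KEY, time TEXT, ipaddress TEXT, username TEXT,
    role TEXT, entity TEXT, action TEXT, detail TEXT)"""
SAMPLE_ROWS = [  # constructed sample audit events, not real Enforce data
    (101, "2024-05-01 09:00:00", "10.0.0.5", "admin", "Administrator",
     "Policy", "Modify", "Policy 'PCI' rule changed\r\nseverity: high"),
    (102, "2024-05-01 09:05:00", "10.0.0.7", "jdoe", "Incident Responder",
     "Incident", "View", "Incident 4711 opened | exported"),
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO auditlog VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def clean(field, limit=3500):
    """Mirror the SQL above: drop CR/LF, cap DETAIL at 3500 chars, and escape
    any '|' inside a field so the delimiter stays unambiguous for the SIEM."""
    text = "" if field is None else str(field)   # with oracledb, CLOBs need lob.read()
    text = text.replace("\r", " ").replace("\n", "")[:limit]
    return text.replace("|", "\\|")

def fetch_since(conn, last_id):
    """Incremental pull for Option 2: only rows newer than the last AUDITLOGID
    already forwarded, in id order so the watermark can advance safely."""
    sql = ("SELECT auditlogid, time, ipaddress, username, role, entity, action, "
           "detail FROM auditlog WHERE auditlogid > ? ORDER BY auditlogid")
    lines, new_last = [], last_id
    for row in conn.execute(sql, (last_id,)):
        lines.append("|".join(clean(f) for f in row))
        new_last = row[0]
    return lines, new_last

def poll(conn, watermark_path):
    """One scheduled run: read the watermark file, pull new rows, advance it.
    Forwarding `lines` (syslog, SIEM file pickup) is left to the caller."""
    try:
        with open(watermark_path) as fh:
            last_id = int(fh.read().strip() or 0)
    except FileNotFoundError:
        last_id = 0
    lines, new_last = fetch_since(conn, last_id)
    if new_last != last_id:
        with open(watermark_path, "w") as fh:
            fh.write(str(new_last))
    return lines
```

Run poll() from cron or Task Scheduler at the interval you chose; because the watermark only advances after a successful pull, a failed run simply re-reads the same rows next time.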