Listing Sightings and Getting Their Details

View resource profiles and their key attributes in Cloud Guard to quickly identify the highest priority events.

Prerequisite: Enable the OCI Threat Detector recipe in at least one Cloud Guard target that's defined in your environment and contains the root compartment.

Note

After the preceding prerequisite is met, Cloud Guard begins a learning period. This learning period varies in length from a few hours to a few days, depending on the sighting type. Cloud Guard doesn't start monitoring to detect threats until the learning period ends. If no suspicious activity is occurring, you still see no threat information on the Threat monitoring page.
    1. Open the navigation menu and click Identity & Security. Under Cloud Guard, click Threat monitoring.
    2. To change the scope for which threats are included, use the following options under Scope:
      • Compartment: Select a compartment. To include all the compartments under it in the scope, select Include child compartments.
      • Tag filters: Click add, and then fill in the Tag filters dialog box. If you add more than one tag, all must be matched.
    3. To filter the list on dates and risk score values, make selections in the lists under the chart at the top of the page.
    4. To filter the list on other parameters, click Add filter, select a Filter type, and then select one or more values.
    5. In the 30-day risk score trend chart at the top of the page, view risk score changes over time.
      • By default, the chart graphs overall risk scores for the resource profiles with the top 10 risk scores over the past 30 days.
      • Change the data displayed by making a different selection from the Top 10 list in the top-right corner of the chart. These options are typically shown for a shorter time period.
    6. To highlight the graph information for a particular resource profile, hover over the name in the list under the Top 10 selection box.
    7. To view specific risk score information for a point in the graph, hover over the point.
      The resource profile that the risk score information belongs to is also highlighted in the list below the Top 10 selection box.
    8. To view detailed information for a particular resource profile, click its link in the Resource profile column.
      The threat monitoring details page displays the following information:
      • The General Information tab summarizes the threat.
      • The 30-day risk score trend chart shows risk score changes over time for this particular resource profile.
      • The Sightings section lists the sightings that factor into the risk score.
      • Under Resources, select another resource to display different information:
        • Impacted resources shows information about the resources involved.
        • Endpoints shows the IP addresses involved.
      Tip

      If the Risk score for a Resource profile on the Threat monitoring page is 80 or greater, a problem has been triggered. To process the problem:
      1. Click the link in the Resource profile column.
      2. In the General Information tab at the top of the details page, click the problem name link, next to Problems.

        For guidance on processing problems, see Processing and Resolving Problems on the Problems Page.

  • For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

    Sightings

    Use the oci cloud-guard sighting get command and required parameters to get a specific sighting:

    oci cloud-guard sighting get --sighting-id <sighting_ocid> [OPTIONS]

    Use the oci cloud-guard sighting-summary list-sightings command and required parameters to list all sightings for a compartment:

    oci cloud-guard sighting-summary list-sightings --compartment-id, -c <compartment_ocid> [OPTIONS]

    Sighting Endpoints

    Use the oci cloud-guard sighting-endpoint-summary list-sighting-endpoints command and required parameters to list endpoints for a specific sighting:

    oci cloud-guard sighting-endpoint-summary list-sighting-endpoints --sighting-id <sighting_ocid> [OPTIONS]

    Impacted Resources

    Use the oci cloud-guard sighting-impacted-resource-summary list-sighting-impacted-resources command and required parameters to list all impacted resources for a specific sighting:

    oci cloud-guard sighting-impacted-resource-summary list-sighting-impacted-resources --sighting-id <sighting_ocid> [OPTIONS]
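    The CLI commands above return JSON that is easier to triage from a script than by eye. The following is an added example (not part of the OCI documentation or CLI) that ranks the output of list-sightings by score; it assumes the CLI's `{"data": {"items": [...]}}` JSON shape, the hyphenated SightingSummary keys used in the constructed SAMPLE, and the `--compartment-id-in-subtree` flag, and the 80 default threshold is a choice made here, not a documented rule for sighting scores.

```python
"""Rank Cloud Guard sightings from `oci cloud-guard sighting-summary list-sightings` output."""
import json
import subprocess

# Constructed sample in the shape the CLI prints with --output json (assumption: data.items,
# hyphenated SightingSummary keys). The OCIDs are placeholders, not real resources.
SAMPLE = json.dumps({"data": {"items": [
    {"id": "ocid1.cloudguardsighting.oc1..example1", "sighting-type-display-name": "Impossible travel",
     "sighting-score": 91, "severity": "HIGH", "problem-id": "ocid1.cloudguardproblem.oc1..exampleP",
     "time-last-detected": "2024-05-02T10:15:00.000Z"},
    {"id": "ocid1.cloudguardsighting.oc1..example2", "sighting-type-display-name": "Password spray",
     "sighting-score": 42, "severity": "MEDIUM", "problem-id": None,
     "time-last-detected": "2024-05-01T08:00:00.000Z"},
    {"id": "ocid1.cloudguardsighting.oc1..example3", "sighting-type-display-name": "Persistence",
     "sighting-score": 80, "severity": "HIGH", "problem-id": None,
     "time-last-detected": "2024-05-02T11:30:00.000Z"},
]}})


def fetch_sightings(compartment_id: str, include_children: bool = True) -> str:
    """Run the documented list-sightings command and return its raw JSON (needs OCI credentials).
    --all pages through every result; --compartment-id-in-subtree mirrors the console's
    "Include child compartments" option (flag name is an assumption)."""
    cmd = ["oci", "cloud-guard", "sighting-summary", "list-sightings",
           "--compartment-id", compartment_id, "--all", "--output", "json"]
    if include_children:
        cmd += ["--compartment-id-in-subtree", "true"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def rank_sightings(cli_json: str, min_score: int = 80) -> list:
    """Return sightings with sighting-score >= min_score, highest score first and most recent
    first among ties. has_problem is True when Cloud Guard has already attached a problem
    (problem-id set), so the sighting can be worked from the Problems page."""
    ranked = []
    for s in json.loads(cli_json)["data"]["items"]:
        score = s.get("sighting-score") or 0  # missing score is treated as 0
        if score < min_score:
            continue
        ranked.append({"id": s["id"], "type": s.get("sighting-type-display-name"),
                       "score": score, "severity": s.get("severity"),
                       "has_problem": bool(s.get("problem-id")),
                       "last_seen": s.get("time-last-detected")})
    ranked.sort(key=lambda r: (r["score"], r["last_seen"] or ""), reverse=True)
    return ranked


if __name__ == "__main__":
    for row in rank_sightings(SAMPLE):  # swap SAMPLE for fetch_sightings("<compartment_ocid>")
        print(f'{row["score"]:>3} {row["severity"]:<7} problem={row["has_problem"]} {row["type"]} {row["id"]}')
```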
  • Sightings

    Run the GetSighting operation to get a specific sighting.

    Run the ListSightings operation to list all sightings for a compartment.

    Sighting Endpoints

    Run the ListSightingEndpoints operation to list endpoints for a specific sighting.

    Impacted Resources

    Run the ListSightingImpactedResources operation to list all impacted resources for a specific sighting.