Skip to main content

Oracle Cloud Infrastructure Event Collector

This Integration is part of the Oracle Cloud Infrastructure (OCI) Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This integration fetches audit log events from an Oracle Cloud Infrastructure resources. Audit log events can be used for security audits, to track usage of and changes to Oracle Cloud Infrastructure resources, and to help ensure compliance with standards or regulations.

API References#

Oracle Cloud Infrastructure Audit Logs API documentation Oracle Cloud Infrastructure Audit API Endpoints (available Regions)

Configure Oracle Cloud Infrastructure Event Collector on Cortex XSIAM#

  1. Navigate to Settings > Configurations > Automation & Feed Integrations.
  2. Search for Oracle Cloud Infrastructure.
  3. Click Add instance to create and configure a new integration instance.

OCI Related Parameters#

Oracle Cloud Infrastructure SDKs and CLI require basic configuration information, which is achieved by using configuration parameters either with a configuration file or a runtime defined configuration dictionary. This integration uses the runtime defined configuration dictionary. More about OCI configuration here.

Tenancy OCIDOCID of your tenancy. To get the value, see Required Keys and OCIDs.True
User OCIDOCID of the user calling the API. To get the value, see Required Keys and OCIDs.
Example: ocid1.user.oc1..<unique_ID>
API Key FingerprintFingerprint for the public key that was added to this user. To get the value, see Required Keys and OCIDs.True
Private KeyPrivate Key for authentication.
Important: The key pair must be in PEM format. For instructions on generating a key pair in PEM format, see Required Keys and OCIDs.
API Private Key TypeThe type of the private key. The possible values are: PKCS#1 and PKCS#8. The default value is PKCS#8. A link explaining the difference between the 2 types see linkFalse
RegionAn Oracle Cloud Infrastructure region. See Regions and Availability Domains.
Example: us-ashburn-1
Compartment OCIDAn Oracle Cloud Identifier compartment. The default value is the Tenancy OCID parameter. See Finding the OCID of a Compartment.False
First fetch timeFirst fetch time (< number > < time unit >, e.g., 12 hours, 1 day, 3 months). Default is 3 days.False
Trust any certificate (not secure)Use SSL secure connection or ‘None’.False
User system proxy settingsRuns the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.False
  1. Click Test to validate the URLs, tokens, and connection.


You can execute the following command from the Cortex XSIAM CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.


Manual command to fetch and display events.

Base Command#



Argument NameDescriptionRequired
should_push_eventsSet this argument to true in order to create events, otherwise the command will only display them. Default is false.True