{"id":906,"date":"2026-04-16T15:37:29","date_gmt":"2026-04-16T15:37:29","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-audit-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration\/"},"modified":"2026-04-16T15:37:29","modified_gmt":"2026-04-16T15:37:29","slug":"oracle-cloud-audit-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-audit-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-governance-and-administration\/","title":{"rendered":"Oracle Cloud Audit Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Governance and Administration"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Governance and Administration<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Audit<\/strong> is the service that records <strong>who did what, when, and from where<\/strong> across Oracle Cloud Infrastructure (OCI). It captures <strong>API-driven actions<\/strong> (including most Console actions because the Console calls OCI APIs) and stores them as immutable audit events for investigation, governance, and compliance.<\/p>\n\n\n\n<p>In simple terms: <strong>Audit is your OCI activity history<\/strong>. When someone creates a VCN, deletes a bucket, changes a security list, or updates an IAM policy, Audit records the action so you can prove what happened and trace it back to the responsible identity.<\/p>\n\n\n\n<p>Technically, OCI Audit records <strong>request\/response metadata for supported OCI API operations<\/strong> and exposes those events through the OCI Console, REST API, CLI, and SDKs. You can filter by time range, compartment, event name, principal, and other fields. 
Audit is commonly paired with <strong>Service Connector Hub<\/strong> to export events to <strong>Object Storage<\/strong> (long-term retention), <strong>Logging<\/strong> or <strong>Streaming<\/strong> (near-real-time analytics), and then onward to SIEM or incident response tooling.<\/p>\n\n\n\n<p><strong>What problem it solves:<\/strong> Without centralized audit trails, security teams cannot reliably investigate incidents, platform teams cannot meet governance controls, and organizations cannot demonstrate compliance. Audit provides an authoritative activity trail for OCI control-plane operations.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Audit?<\/h2>\n\n\n\n<p><strong>Official purpose (OCI):<\/strong> OCI Audit records log events for OCI API calls and other relevant administrative actions, helping you monitor access and changes to OCI resources. (Verify the exact wording and scope in the official documentation, as it evolves.)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automatic recording<\/strong> of supported OCI API calls as audit events.<\/li>\n<li><strong>Filtering and viewing<\/strong> events in the Console (by region, time window, compartment, event type\/name, principal, etc.).<\/li>\n<li><strong>Programmatic access<\/strong> via REST API, CLI, and SDKs.<\/li>\n<li><strong>Export\/streaming integrations<\/strong> using OCI services (commonly Service Connector Hub) to store and analyze events outside the default retention window.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components (conceptual)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Event producer:<\/strong> OCI services that generate audit events when their APIs are called.<\/li>\n<li><strong>Audit event store:<\/strong> The managed backend where events are retained for a limited time (retention is time-based; verify current duration in official docs).<\/li>\n<li><strong>Access 
interfaces:<\/strong><\/li>\n<li>OCI Console (Audit page)<\/li>\n<li>Audit REST API (<code>ListEvents<\/code>)<\/li>\n<li>OCI CLI (<code>oci audit event list<\/code>)<\/li>\n<li>SDKs (Java, Python, Go, etc.)<\/li>\n<li><strong>Downstream integration (optional):<\/strong><\/li>\n<li>Service Connector Hub (Audit \u2192 Object Storage \/ Streaming \/ Functions \/ Logging, depending on current supported targets)<\/li>\n<li>SIEM integration via Streaming\/Functions or via exported files<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed governance service<\/strong> for <strong>control-plane activity auditing<\/strong> (API calls and administrative actions).<\/li>\n<li>Not a host-level audit daemon and not an application log collector.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional vs global<\/h3>\n\n\n\n<p>OCI Audit is <strong>tenancy-wide in concept<\/strong>, but <strong>audit events are viewed and queried per region<\/strong> in practice. In the Console, you typically select a region and then view the events recorded in that region. 
For multi-region environments, you should plan to <strong>aggregate\/export<\/strong> events across regions if you need a single centralized view.<\/p>\n\n\n\n<p><strong>Verify in official docs<\/strong> for the latest details on:\n&#8211; whether specific event types are global or region-scoped,\n&#8211; retention duration,\n&#8211; and any cross-region access behavior.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How Audit fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Audit is a foundational <strong>Governance and Administration<\/strong> service in Oracle Cloud that complements:\n&#8211; <strong>IAM (Identity and Access Management):<\/strong> Audit shows the effects of IAM-controlled actions; IAM controls who can view audit events.\n&#8211; <strong>Compartments and policies:<\/strong> Audit events include compartment context and are commonly filtered by compartment boundaries.\n&#8211; <strong>Logging \/ Logging Analytics:<\/strong> Audit is a source of security-relevant data; exporting enables long-term retention and advanced analysis.\n&#8211; <strong>Service Connector Hub:<\/strong> Common mechanism to route audit events to storage\/analytics\/streaming.\n&#8211; <strong>Cloud Guard (where applicable):<\/strong> Cloud Guard may use OCI signals for detection; audit trails often support investigations and response workflows. (Verify current integration details in Cloud Guard docs.)<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">3. Why use Audit?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accountability:<\/strong> Prove which identity performed an administrative action.<\/li>\n<li><strong>Change traceability:<\/strong> Understand why infrastructure changed and who changed it.<\/li>\n<li><strong>Compliance readiness:<\/strong> Meet auditability requirements (SOC 2, ISO 27001, HIPAA, PCI DSS, etc.) 
by maintaining a control-plane activity trail.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Root-cause analysis:<\/strong> Correlate outages to infrastructure changes (route table edits, security list changes, instance termination, etc.).<\/li>\n<li><strong>Forensics:<\/strong> Investigate suspicious activity (unexpected policy changes, unusual API usage).<\/li>\n<li><strong>Automation validation:<\/strong> Confirm that CI\/CD pipelines executed expected changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Standard operating procedures:<\/strong> Use Audit events to validate that change management processes are followed.<\/li>\n<li><strong>Central visibility across teams:<\/strong> In compartment-based orgs, Audit helps platform teams track activity without relying on self-reporting.<\/li>\n<li><strong>Integration with downstream tools:<\/strong> Export events to object storage or streaming for analysis, dashboards, and alerting.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Detect policy tampering:<\/strong> Track IAM policy changes, dynamic group modifications, and credential-related events.<\/li>\n<li><strong>Support incident response:<\/strong> Provide evidence timelines and actor attribution.<\/li>\n<li><strong>Least privilege validation:<\/strong> Identify over-privileged users by reviewing high-risk actions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit is managed and scales with your OCI activity; you don\u2019t manage infrastructure to store raw control-plane logs.<\/li>\n<li>Export patterns (regional connectors \u2192 central bucket\/stream) scale better than manual downloads.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">When teams should choose Audit<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Always\u2014Audit is typically <strong>foundational<\/strong> for OCI governance.<\/li>\n<li>Especially when you have:<\/li>\n<li>multiple environments (dev\/test\/prod),<\/li>\n<li>multiple teams,<\/li>\n<li>regulated workloads,<\/li>\n<li>strict change control,<\/li>\n<li>or heavy automation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it (or should complement it)<\/h3>\n\n\n\n<p>Audit is <strong>not sufficient<\/strong> when you need:\n&#8211; <strong>OS-level auditing<\/strong> (Linux auditd, Windows Event Logs)\n&#8211; <strong>Application logs<\/strong> (request logs, business events)\n&#8211; <strong>Network traffic logs<\/strong> (VPC flow logs equivalent; OCI has other network logging capabilities)\n&#8211; <strong>Database auditing<\/strong> at the database engine level<\/p>\n\n\n\n<p>In those cases, use Audit <strong>alongside<\/strong> OCI Logging, Logging Analytics, OS agents, and database-native auditing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Audit used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Financial services (SOX, SOC controls)<\/li>\n<li>Healthcare (HIPAA-aligned operational controls)<\/li>\n<li>Government\/public sector (change accountability and forensic readiness)<\/li>\n<li>SaaS and technology (SOC 2, ISO 27001)<\/li>\n<li>Retail\/e-commerce (security monitoring + change governance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud platform\/center-of-excellence teams<\/li>\n<li>Security engineering and SOC teams<\/li>\n<li>SRE and operations teams<\/li>\n<li>DevOps and platform engineering<\/li>\n<li>Compliance, risk, and internal audit teams (read-only access)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-tier web apps (network + compute changes)<\/li>\n<li>Data platforms (Object Storage, Data Flow, Autonomous Database control-plane operations)<\/li>\n<li>Kubernetes platforms (OKE cluster lifecycle operations)<\/li>\n<li>Shared services (network hub\/spoke, IAM governance)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-compartment landing zones<\/li>\n<li>Multi-region active\/active or active\/passive deployments<\/li>\n<li>Centralized security logging architectures (export Audit into centralized storage\/analytics)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production:<\/strong> Export and retain for months\/years (per policy), integrate with SIEM, alert on high-risk actions.<\/li>\n<li><strong>Dev\/test:<\/strong> Use Audit primarily for troubleshooting automation and catching destructive actions; optional export to reduce operational burden.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios that map well to OCI Audit\u2019s actual purpose: recording and retrieving control-plane events.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Investigate \u201cWho deleted a resource?\u201d<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> A bucket\/instance\/VCN is deleted and no one claims it.<\/li>\n<li><strong>Why Audit fits:<\/strong> Audit records delete API calls with principal identity, timestamp, request metadata.<\/li>\n<li><strong>Example:<\/strong> An instance termination event is traced to a CI\/CD service user using an API key from a specific IP range.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Track IAM policy changes (privilege escalation investigations)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Permissions suddenly broaden; potential privilege escalation.<\/li>\n<li><strong>Why Audit fits:<\/strong> IAM policy create\/update\/delete operations are audited.<\/li>\n<li><strong>Example:<\/strong> A new policy allowing <code>manage all-resources<\/code> appears; Audit shows the user and request time, enabling rollback and incident handling.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Validate infrastructure-as-code (IaC) deployments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Terraform apply completed, but the environment doesn\u2019t match expectations.<\/li>\n<li><strong>Why Audit fits:<\/strong> Audit shows what API calls were made, in what order, and which succeeded\/failed.<\/li>\n<li><strong>Example:<\/strong> A route table update fails due to authorization; Audit confirms the failed call and the principal.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Change management evidence (CAB \/ ITIL)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Need evidence that changes occurred during an approved window.<\/li>\n<li><strong>Why Audit 
fits:<\/strong> Time-stamped events provide non-repudiable activity traces.<\/li>\n<li><strong>Example:<\/strong> Export Audit to Object Storage, then produce a change report for the weekly CAB.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Detect suspicious Console\/API activity<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Unusual high-risk actions outside business hours.<\/li>\n<li><strong>Why Audit fits:<\/strong> Audit captures actions regardless of whether initiated via Console or API.<\/li>\n<li><strong>Example:<\/strong> A policy delete occurs at 2 a.m.; a downstream alert triggers based on exported audit events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Compartment boundary governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams operate in wrong compartments or cross-environment boundaries.<\/li>\n<li><strong>Why Audit fits:<\/strong> Events include compartment identifiers for filtering and governance reporting.<\/li>\n<li><strong>Example:<\/strong> A dev team creates prod resources in a shared compartment; Audit identifies repeated violations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Build an \u201cadmin activity dashboard\u201d<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Security wants a weekly summary: top actors, top actions, high-risk operations.<\/li>\n<li><strong>Why Audit fits:<\/strong> Export provides data for analytics tools; Audit events are structured.<\/li>\n<li><strong>Example:<\/strong> Stream events into a SIEM and create dashboards for IAM changes, network changes, and deletions.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Regulatory retention and eDiscovery support<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Default retention is insufficient for legal\/compliance requirements.<\/li>\n<li><strong>Why Audit fits:<\/strong> Export to Object Storage supports long-term 
retention and immutability controls (e.g., Object Storage retention rules, legal hold\u2014verify features per OCI Object Storage docs).<\/li>\n<li><strong>Example:<\/strong> Keep 1\u20137 years of administrative logs per policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Incident timeline reconstruction<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> During an incident, you must reconstruct the exact sequence of infrastructure changes.<\/li>\n<li><strong>Why Audit fits:<\/strong> Provides chronological event sequence with request IDs and actors.<\/li>\n<li><strong>Example:<\/strong> A security list change opened port 22; Audit shows when it happened and by whom.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Prove automation identity usage (API keys, instance principals)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Service accounts might be used by humans or misused.<\/li>\n<li><strong>Why Audit fits:<\/strong> Audit events contain principal type and identity context.<\/li>\n<li><strong>Example:<\/strong> A supposed \u201cautomation user\u201d is used from an unexpected network; investigation begins.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Validate least privilege and access reviews<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Quarterly access reviews need evidence of actual privileged usage.<\/li>\n<li><strong>Why Audit fits:<\/strong> Audit shows which identities performed privileged actions.<\/li>\n<li><strong>Example:<\/strong> Remove unused admin permissions after showing no admin actions for 90 days (note: limited by Audit retention unless exported).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Multi-region governance aggregation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Events are region-scoped; governance requires central view.<\/li>\n<li><strong>Why Audit fits:<\/strong> Regional exports allow 
centralized aggregation.<\/li>\n<li><strong>Example:<\/strong> Each region exports to a central bucket\/stream, then a SIEM correlates across regions.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Note: Feature availability can change by region and over time. Verify current behavior in the official Audit docs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Automatic audit event collection<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Records supported OCI API calls as audit events without requiring agents.<\/li>\n<li><strong>Why it matters:<\/strong> You get governance coverage by default.<\/li>\n<li><strong>Practical benefit:<\/strong> No infrastructure to deploy; consistent event format.<\/li>\n<li><strong>Caveats:<\/strong> Not all actions in the ecosystem may be auditable; coverage depends on service support. Verify which services\/actions are included.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 Console viewing with filters<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Lets you browse and filter events in the OCI Console.<\/li>\n<li><strong>Why it matters:<\/strong> Fast investigations and basic reporting.<\/li>\n<li><strong>Practical benefit:<\/strong> Useful for quick \u201cwhat happened?\u201d questions.<\/li>\n<li><strong>Caveats:<\/strong> UI filtering is not a full SIEM; for long-term and advanced queries, export events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Programmatic access via API\/CLI\/SDK<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Enables retrieving audit events by time window and filters.<\/li>\n<li><strong>Why it matters:<\/strong> Automation, reporting pipelines, integrations.<\/li>\n<li><strong>Practical benefit:<\/strong> Pull events into your tooling or build scheduled exports.<\/li>\n<li><strong>Caveats:<\/strong> API rate limits and 
pagination apply; handle retries and time windows.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Structured event schema (who\/what\/when\/where)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Provides fields like event time, event name, principal, request\/response metadata, and resource identifiers.<\/li>\n<li><strong>Why it matters:<\/strong> Enables consistent parsing and correlation.<\/li>\n<li><strong>Practical benefit:<\/strong> Build detections: \u201cpolicy changed\u201d, \u201csecurity list opened\u201d, \u201cbucket made public\u201d (depending on the specific audited events).<\/li>\n<li><strong>Caveats:<\/strong> Some fields vary by service\/event type.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Default retention (time-limited)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Stores events for a fixed period in the Audit service.<\/li>\n<li><strong>Why it matters:<\/strong> Defines how far back you can investigate without exports.<\/li>\n<li><strong>Practical benefit:<\/strong> Short-term investigations require no setup.<\/li>\n<li><strong>Caveats:<\/strong> Retention is limited (commonly documented as ~90 days in OCI; <strong>verify current retention in official docs<\/strong>). 
Long-term retention requires export.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Export and routing via Service Connector Hub (common pattern)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Routes audit events to other OCI services for storage\/processing.<\/li>\n<li><strong>Why it matters:<\/strong> Enables long-term retention, near-real-time analytics, and alerting pipelines.<\/li>\n<li><strong>Practical benefit:<\/strong> Centralize logs in Object Storage or stream to Functions\/SIEM.<\/li>\n<li><strong>Caveats:<\/strong> Requires IAM policies for the service connector to write to the target; targets and formats vary\u2014verify supported source\/target combinations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Compartment-aware governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Associates events with compartments and tenancy context.<\/li>\n<li><strong>Why it matters:<\/strong> Supports OCI\u2019s core governance model.<\/li>\n<li><strong>Practical benefit:<\/strong> Delegated admin models can limit who can view events for a scope (depending on policy design).<\/li>\n<li><strong>Caveats:<\/strong> Audit itself is a tenancy-wide concern; ensure your IAM policies match your governance intent.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level service architecture<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>An actor (user, group member, instance principal, resource principal, API key user, etc.) 
calls an OCI API (directly via SDK\/CLI or indirectly via Console).<\/li>\n<li>OCI service processes the request (create\/update\/delete\/list, etc.).<\/li>\n<li>An audit event is generated and stored in the Audit backend for that region.<\/li>\n<li>Authorized users\/tools query Audit events via Console\/API\/CLI.<\/li>\n<li>Optionally, events are exported to downstream services for long-term retention or analytics.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane request:<\/strong> API call to a service endpoint.<\/li>\n<li><strong>Audit event creation:<\/strong> Event is emitted containing metadata (principal, request, response status, resource references).<\/li>\n<li><strong>Access path:<\/strong> Query by time range and filters.<\/li>\n<li><strong>Export path (optional):<\/strong> Service Connector Hub reads from Audit source and writes to Object Storage\/Streaming\/etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations in OCI include:\n&#8211; <strong>IAM:<\/strong> Controls who can read audit events and who can create connectors.\n&#8211; <strong>Service Connector Hub:<\/strong> Route Audit events to downstream targets.\n&#8211; <strong>Object Storage:<\/strong> Durable, low-cost archive for retention beyond default.\n&#8211; <strong>Streaming:<\/strong> Near-real-time pipeline to SIEM or custom consumers.\n&#8211; <strong>Functions:<\/strong> Transform\/enrich\/forward events (for example to HTTP endpoints).\n&#8211; <strong>Logging \/ Logging Analytics:<\/strong> If you bring audit events into logging analytics, you can search and build detections (verify the recommended OCI approach and supported connectors).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services (typical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM policies for:<\/li>\n<li>viewing audit 
events,<\/li>\n<li>managing Service Connector Hub,<\/li>\n<li>writing to Object Storage \/ Streaming.<\/li>\n<li>Object Storage bucket (for archive) or Streaming stream (for real-time).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All access is through OCI IAM:<\/li>\n<li>Users and groups for human access<\/li>\n<li>Instance principals\/resource principals for automation<\/li>\n<li>Policies define who can:<\/li>\n<li>read\/inspect audit events<\/li>\n<li>manage connectors and targets<\/li>\n<li>Export connectors typically operate with an OCI service principal; IAM policies must permit the connector service to write to the target.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Querying Audit via Console\/API uses OCI public endpoints by default (unless you use private access patterns available to your tenancy\u2014verify options such as private endpoints where applicable).<\/li>\n<li>Export targets (Object Storage\/Streaming) are OCI services accessed within the OCI control plane; network egress costs generally depend on whether you send logs outside OCI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit is itself a log source; it is not a metric service.<\/li>\n<li>For alerting:<\/li>\n<li>Export to a system that supports detections\/alerts (SIEM, Logging Analytics, custom pipeline).<\/li>\n<li>Build alerts for high-risk operations (policy changes, security list changes, key changes, etc.).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h4>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  U[User \/ Automation] --&gt;|OCI API calls| S[OCI Services]\n  S --&gt; A[\"Audit (regional event store)\"]\n  A --&gt;|Console \/ API \/ CLI| V[Viewer: 
Security\/Ops]\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h4>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph R1[Region A]\n    U1[Users \/ CI-CD \/ Instance Principals] --&gt; S1[OCI Services APIs]\n    S1 --&gt; A1[Audit Events]\n    A1 --&gt; SCH1[Service Connector Hub]\n    SCH1 --&gt; OS1[(Object Storage - Audit Archive)]\n    SCH1 --&gt; ST1[(Streaming - Near real-time)]\n  end\n\n  subgraph R2[Region B]\n    U2[Users \/ Automation] --&gt; S2[OCI Services APIs]\n    S2 --&gt; A2[Audit Events]\n    A2 --&gt; SCH2[Service Connector Hub]\n    SCH2 --&gt; OS2[(Object Storage - Audit Archive)]\n    SCH2 --&gt; ST2[(Streaming - Near real-time)]\n  end\n\n  ST1 --&gt; FN[Functions \/ Consumers]\n  ST2 --&gt; FN\n  FN --&gt; SIEM[External SIEM \/ SOC Tools]\n\n  OS1 --&gt; LA[Analytics \/ eDiscovery]\n  OS2 --&gt; LA\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy and account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud (OCI) tenancy<\/strong> with permissions to:<\/li>\n<li>view Audit events,<\/li>\n<li>create compartments,<\/li>\n<li>create Object Storage buckets,<\/li>\n<li>create Service Connector Hub connectors (optional for export lab).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles (minimum practical)<\/h3>\n\n\n\n<p>You need IAM policies that cover:\n&#8211; Reading audit events (often <code>inspect<\/code> or <code>read<\/code> on audit events)\n&#8211; Managing compartments (for the lab compartment)\n&#8211; Managing buckets\/objects (for the archive bucket)\n&#8211; Managing Service Connector Hub (to create and run a connector)<\/p>\n\n\n\n<p>OCI policy syntax and resource types can be specific. 
Use the IAM Policy Reference and verify the correct statements for:\n&#8211; <code>audit-events<\/code>\n&#8211; <code>service-connectors<\/code>\n&#8211; <code>object-family<\/code> \/ <code>buckets<\/code> \/ <code>objects<\/code><\/p>\n\n\n\n<p><strong>Verify in official docs<\/strong> for the exact policy verbs and resource types for Audit and Service Connector Hub.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Viewing Audit events is typically included as part of OCI governance (often no separate line-item cost), but:<\/li>\n<li>Object Storage has storage and request costs.<\/li>\n<li>Streaming, Functions, Logging\/Logging Analytics (if used) can have costs.<\/li>\n<li>Data egress to the internet or external SIEM can have costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed (for the hands-on lab)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Console access<\/li>\n<li>Optional but recommended:<\/li>\n<li>OCI CLI installed and configured: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/li>\n<li><code>jq<\/code> for JSON filtering (local)<\/li>\n<li>Permission to create an API key for your user (or use Cloud Shell)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit is a core OCI service and should be available in commercial regions, but always <strong>verify region availability<\/strong> for your tenancy and for dependent services (Service Connector Hub, Streaming, etc.).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas \/ limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit query APIs can have rate limits; handle pagination and retry.<\/li>\n<li>Service Connector Hub has limits (connectors per compartment\/tenancy, throughput constraints).<\/li>\n<li>Object Storage has namespace and bucket constraints.<\/li>\n<\/ul>\n\n\n\n<p>Verify current service 
limits in OCI documentation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (for the export portion)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Object Storage<\/li>\n<li>Service Connector Hub<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Audit pricing model (what to expect)<\/h3>\n\n\n\n<p>OCI <strong>Audit<\/strong> is generally treated as a foundational governance capability. In many OCI environments, <strong>capturing and viewing audit events does not incur a separate service charge<\/strong>. However, pricing and entitlements can change, and some advanced analysis\/export targets do cost money.<\/p>\n\n\n\n<p><strong>Always confirm<\/strong> using:\n&#8211; OCI pricing pages: https:\/\/www.oracle.com\/cloud\/price-list\/\n&#8211; OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html\n&#8211; Any Audit-specific pricing notes in the Audit documentation (if present)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (common indirect costs)<\/h3>\n\n\n\n<p>Even if Audit itself is \u201cno additional cost,\u201d the end-to-end solution often includes billable components:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Object Storage (archive)<\/strong>\n   &#8211; Storage capacity (GB-month)\n   &#8211; Requests (PUT\/GET\/LIST)\n   &#8211; Retrieval and lifecycle transitions (depending on storage tier)\n   &#8211; Cross-region replication (if enabled) and associated transfer costs<\/p>\n<\/li>\n<li>\n<p><strong>Service Connector Hub<\/strong>\n   &#8211; The connector service itself may be included, but it drives usage in targets (Object Storage requests, Streaming ingestion, etc.). 
Verify current billing model.<\/p>\n<\/li>\n<li>\n<p><strong>Streaming<\/strong>\n   &#8211; Partition hours, throughput units, retention configuration (pricing varies by region\/SKU\u2014verify)<\/p>\n<\/li>\n<li>\n<p><strong>Functions<\/strong>\n   &#8211; Invocations and compute time (if you transform\/forward events)<\/p>\n<\/li>\n<li>\n<p><strong>Logging \/ Logging Analytics<\/strong>\n   &#8211; Log ingestion volume, storage retention, and query\/analysis features (verify per service)<\/p>\n<\/li>\n<li>\n<p><strong>Network costs<\/strong>\n   &#8211; If you export to an external SIEM over the public internet, <strong>egress charges<\/strong> can apply.\n   &#8211; Intra-OCI traffic patterns may be cheaper than internet egress, but verify OCI networking pricing.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Cost drivers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Event volume:<\/strong> More API activity \u2192 more events \u2192 more exported data.<\/li>\n<li><strong>Retention duration:<\/strong> Long retention in Object Storage or Logging Analytics increases cost.<\/li>\n<li><strong>Export format and compression:<\/strong> Smaller objects reduce storage and egress.<\/li>\n<li><strong>Number of regions:<\/strong> Multi-region exports multiply storage and processing.<\/li>\n<li><strong>Downstream analytics:<\/strong> SIEM ingestion is often the largest cost center.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden\/indirect costs to plan for<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Operational overhead:<\/strong> Building and maintaining alert rules, dashboards, and response runbooks.<\/li>\n<li><strong>Compliance storage requirements:<\/strong> WORM\/immutability controls may influence storage tier choices.<\/li>\n<li><strong>Data duplication:<\/strong> Exporting to multiple targets (Object Storage + SIEM) can double costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Export only what you need (filter by compartments if supported).<\/li>\n<li>Prefer <strong>Object Storage lifecycle policies<\/strong> to move older data to cheaper tiers (verify tier options and retrieval requirements).<\/li>\n<li>Compress and batch exports where supported.<\/li>\n<li>Centralize exports to reduce duplicated pipelines.<\/li>\n<li>Avoid sending all audit logs to expensive SIEM tiers\u2014consider a tiered model:\n<ul class=\"wp-block-list\">\n<li>full archive in Object Storage<\/li>\n<li>high-risk subset forwarded to SIEM<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n<p>A small team can start with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>No export initially: use Console\/CLI queries within the default retention window.<\/li>\n<li>Add export to Object Storage only when you need longer retention.<\/li>\n<\/ul>\n\n\n\n<p>Costs then depend on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>stored GB per month,<\/li>\n<li>request rates,<\/li>\n<li>and any cross-region transfers.<\/li>\n<\/ul>\n\n\n\n<p>Because OCI pricing is region- and SKU-dependent, <strong>do not assume a specific dollar amount<\/strong>\u2014use the OCI Cost Estimator and Object Storage pricing pages for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production (multi-region, compliance retention, SIEM integration), budget for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Object Storage archive (potentially multiple TB over time),<\/li>\n<li>Streaming ingestion and consumers,<\/li>\n<li>SIEM ingestion licensing,<\/li>\n<li>possible cross-region aggregation costs,<\/li>\n<li>egress to external SOC tooling.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab shows how to <strong>generate audit events<\/strong>, <strong>query them<\/strong>, and <strong>export them to Object Storage<\/strong> for longer retention. 
It is designed to be safe and low-cost.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Perform a small OCI action that generates an Audit event.<\/li>\n<li>View and query the event in the Audit Console and via OCI CLI.<\/li>\n<li>Export Audit events to an Object Storage bucket using Service Connector Hub (optional but recommended for real-world practice).<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n&#8211; Create a compartment for the lab.\n&#8211; Create an Object Storage bucket for audit archives.\n&#8211; Generate an auditable action (create a bucket or tag namespace).\n&#8211; Find the resulting Audit event.\n&#8211; Configure a Service Connector Hub connector to deliver Audit events to Object Storage.\n&#8211; Validate exported objects in the bucket.\n&#8211; Clean up all created resources.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Create a compartment for the lab<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Open the OCI Console.\n2. Go to <strong>Identity &amp; Security \u2192 Compartments<\/strong>.\n3. Click <strong>Create Compartment<\/strong>.\n4. Name: <code>audit-lab<\/code>\n5. Description: <code>Audit hands-on lab<\/code>\n6. Parent compartment: (choose a non-production parent, often the root compartment if allowed)<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; A compartment named <code>audit-lab<\/code> exists and is in the <strong>Active<\/strong> state.<\/p>\n\n\n\n<p><strong>Notes<\/strong>\n&#8211; If you do not have permission to create compartments, ask an administrator to create one or run the lab in an existing sandbox compartment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create an Object Storage bucket (archive target)<\/h3>\n\n\n\n<p>Audit has a default retention window; exporting to Object Storage is a standard pattern for longer retention.<\/p>\n\n\n\n<p><strong>Console steps<\/strong>\n1. 
Switch to the region where you want to run the lab (top-right region selector).\n2. Go to <strong>Storage \u2192 Object Storage &amp; Archive Storage \u2192 Buckets<\/strong>.\n3. Ensure you are in the <code>audit-lab<\/code> compartment.\n4. Click <strong>Create Bucket<\/strong>.\n5. Bucket name: <code>audit-archive-lab<\/code>\n6. Default storage tier: Standard (choose based on your cost\/retention needs)\n7. Create<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Bucket <code>audit-archive-lab<\/code> exists in your Object Storage namespace.<\/p>\n\n\n\n<p><strong>Cost note<\/strong>\n&#8211; Storage and requests may incur cost. Keep the bucket small and delete it in Cleanup.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Generate a new Audit event<\/h3>\n\n\n\n<p>Now perform a small action that will appear in Audit.<\/p>\n\n\n\n<p>Choose one:<\/p>\n\n\n\n<p><strong>Option A (simple): Create a second bucket<\/strong>\n1. In the same compartment, create another bucket named <code>audit-event-source-lab<\/code>.<\/p>\n\n\n\n<p><strong>Option B (governance-focused): Create a tag namespace<\/strong>\n1. Go to <strong>Governance &amp; Administration \u2192 Tag Namespaces<\/strong> (name can vary slightly).\n2. Create a namespace in <code>audit-lab<\/code>.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The resource is created successfully.\n&#8211; Within a short delay (often minutes), an Audit event is recorded for the create operation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: View the event in the Audit Console<\/h3>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Go to <strong>Governance &amp; Administration \u2192 Audit<\/strong>.\n2. Confirm the region matches where you performed the action.\n3. Set a time range that includes \u201cnow\u201d (for example, last 60 minutes).\n4. Filter by <strong>Compartment<\/strong>: <code>audit-lab<\/code>.\n5. 
Optionally filter by:\n   &#8211; Event name (contains \u201cCreate\u201d)\n   &#8211; Resource type (if available)\n   &#8211; Principal (your user)<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You see one or more events corresponding to the action from Step 3.\n&#8211; Opening an event shows details such as:\n  &#8211; event time,\n  &#8211; event name,\n  &#8211; principal\/user,\n  &#8211; request\/response details,\n  &#8211; resource identifiers.<\/p>\n\n\n\n<p><strong>Verification tip<\/strong>\n&#8211; If you don\u2019t see the event immediately, wait 2\u201310 minutes and refresh. Some delay is normal.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Query Audit events using OCI CLI<\/h3>\n\n\n\n<p>This step is useful for automation and repeatable reporting.<\/p>\n\n\n\n<p><strong>Prerequisite<\/strong>\n&#8211; OCI CLI configured (or use OCI Cloud Shell, which usually has CLI preinstalled).<\/p>\n\n\n\n<p><strong>1) Get the compartment OCID<\/strong>\nIn the Console, open the <code>audit-lab<\/code> compartment details and copy the OCID, or use CLI:<\/p>\n\n\n\n<pre><code class=\"language-bash\">oci iam compartment list --all --compartment-id-in-subtree true \\\n  --query \"data[?name=='audit-lab'] | [0].id\" --raw-output\n<\/code><\/pre>\n\n\n\n<p>Store it:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export COMPARTMENT_OCID=\"&lt;your_audit_lab_compartment_ocid&gt;\"\n<\/code><\/pre>\n\n\n\n<p><strong>2) Query events for a time window<\/strong>\nPick a start and end time in UTC (RFC3339 format). 
Example:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export START_TIME=\"2026-04-16T00:00:00Z\"\nexport END_TIME=\"2026-04-16T23:59:59Z\"\n<\/code><\/pre>\n\n\n\n<p>List events:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># --all follows the pagination token, so later pages of events are not silently skipped\noci audit event list --all \\\n  --compartment-id \"$COMPARTMENT_OCID\" \\\n  --start-time \"$START_TIME\" \\\n  --end-time \"$END_TIME\"\n<\/code><\/pre>\n\n\n\n<p><strong>3) Filter output (optional)<\/strong>\nIf you have <code>jq<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># In the CLI output, event-time is a top-level field of each event, while\n# event-name, compartment-id and the identity block (principal, source IP) sit under .data\noci audit event list --all \\\n  --compartment-id \"$COMPARTMENT_OCID\" \\\n  --start-time \"$START_TIME\" \\\n  --end-time \"$END_TIME\" \\\n| jq '.data[] | {time: .\"event-time\", name: .data.\"event-name\", principal: .data.identity.\"principal-name\", sourceIp: .data.identity.\"ip-address\", compartmentId: .data.\"compartment-id\"}'\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; CLI output includes events for the chosen time range, including your create action.\n&#8211; You can identify the exact <code>event-name<\/code> used by OCI for that operation, and the principal and source IP that performed it.<\/p>\n\n\n\n<p><strong>Common issue<\/strong>\n&#8211; Time window too narrow. Expand it to cover the time you performed Step 3.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Export Audit events to Object Storage with Service Connector Hub<\/h3>\n\n\n\n<p>This creates a practical long-term retention pipeline.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.1 IAM policy for the connector (required)<\/h4>\n\n\n\n<p>Service Connector Hub needs permission to write objects to your bucket.<\/p>\n\n\n\n<p>The exact policy statement can vary depending on OCI\u2019s current service principal naming and resource types. 
In many OCI setups, you grant permissions to the <strong>service<\/strong> that runs connectors (often referenced as <code>serviceconnectorhub<\/code> in policies).<\/p>\n\n\n\n<p><strong>Action: verify and apply the official policy guidance<\/strong> for:\n&#8211; allowing Service Connector Hub to write to Object Storage in the target compartment.<\/p>\n\n\n\n<p>Start by checking official docs for Service Connector Hub IAM policies:\nhttps:\/\/docs.oracle.com\/en-us\/iaas\/Content\/service-connector-hub\/home.htm<\/p>\n\n\n\n<p>A commonly used pattern (verify exact syntax) looks like:<\/p>\n\n\n\n<pre><code class=\"language-text\">Allow service serviceconnectorhub to manage object-family in compartment audit-lab\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; IAM policy exists that enables the connector to put objects into the <code>audit-archive-lab<\/code> bucket.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.2 Create the Service Connector<\/h4>\n\n\n\n<p><strong>Console steps<\/strong>\n1. Go to <strong>Governance &amp; Administration \u2192 Service Connector Hub<\/strong>.\n2. Click <strong>Create Service Connector<\/strong>.\n3. Name: <code>audit-to-objectstorage-lab<\/code>\n4. Source: <strong>Audit<\/strong>\n5. Configure source:\n   &#8211; Compartment: <code>audit-lab<\/code> (or tenancy scope if required by your design)\n   &#8211; Event types\/filters: keep defaults unless you need to narrow scope\n6. Target: <strong>Object Storage<\/strong>\n7. Configure target:\n   &#8211; Compartment: <code>audit-lab<\/code>\n   &#8211; Bucket: <code>audit-archive-lab<\/code>\n   &#8211; Object name prefix (optional): <code>audit\/<\/code>\n8. 
Create<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; The connector is created and shows as <strong>Active<\/strong> (or similar).\n&#8211; New audit events will be delivered to the bucket after a short delay.<\/p>\n\n\n\n<p><strong>Operational note<\/strong>\n&#8211; Delivery is often near-real-time but not guaranteed to be instantaneous. Expect a few minutes of lag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Validate exported audit objects in the bucket<\/h3>\n\n\n\n<p><strong>Console validation<\/strong>\n1. Go to <strong>Object Storage \u2192 Buckets \u2192 audit-archive-lab \u2192 Objects<\/strong>.\n2. Look for new objects under the prefix you configured (for example <code>audit\/<\/code>).<\/p>\n\n\n\n<p><strong>CLI validation<\/strong>\nFirst, get your Object Storage namespace:<\/p>\n\n\n\n<pre><code class=\"language-bash\">oci os ns get --query \"data\" --raw-output\n<\/code><\/pre>\n\n\n\n<p>List objects:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export NAMESPACE=\"&lt;your_object_storage_namespace&gt;\"\n\noci os object list \\\n  --namespace-name \"$NAMESPACE\" \\\n  --bucket-name \"audit-archive-lab\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; One or more objects exist containing exported audit data.\n&#8211; Download one object and inspect format (it may be JSON lines or JSON documents depending on connector settings\u2014verify current behavior).<\/p>\n\n\n\n<p>Download an object (replace <code>OBJECT_NAME<\/code>):<\/p>\n\n\n\n<pre><code class=\"language-bash\">oci os object get \\\n  --namespace-name \"$NAMESPACE\" \\\n  --bucket-name \"audit-archive-lab\" \\\n  --name \"OBJECT_NAME\" \\\n  --file .\/audit-export-sample.json\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>You have successfully completed the lab if:\n&#8211; You can see an audit event in <strong>Governance &amp; Administration \u2192 Audit<\/strong> for the action in Step 3.\n&#8211; You can 
retrieve the same event using <code>oci audit event list<\/code>.\n&#8211; If you created the connector: you see exported audit objects in the <code>audit-archive-lab<\/code> bucket.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<p><strong>Problem: No events appear in the Audit Console<\/strong>\n&#8211; Confirm you are in the <strong>same region<\/strong> where the action occurred.\n&#8211; Expand the time window.\n&#8211; Ensure the action is supported by Audit (most OCI control-plane actions are, but verify).\n&#8211; Wait a few minutes; ingestion delay can occur.<\/p>\n\n\n\n<p><strong>Problem: CLI returns empty results<\/strong>\n&#8211; Start\/end time in UTC may not match your local time; widen the window.\n&#8211; Ensure you used the correct <strong>compartment OCID<\/strong>.\n&#8211; Check that your user has permission to read audit events.<\/p>\n\n\n\n<p><strong>Problem: Service Connector delivers nothing<\/strong>\n&#8211; Confirm the connector is <strong>Active<\/strong> and configured with the correct source compartment\/scope.\n&#8211; Verify IAM policy allows Service Connector Hub to write objects.\n&#8211; Confirm the target bucket is in the same region and correct compartment.\n&#8211; Generate a fresh auditable event after the connector is created and wait several minutes.<\/p>\n\n\n\n<p><strong>Problem: \u201cNotAuthorizedOrNotFound\u201d errors<\/strong>\n&#8211; The most common cause is missing IAM policy for:\n  &#8211; Service Connector Hub writing to Object Storage,\n  &#8211; your user managing connectors,\n  &#8211; your user reading audit events.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing costs:\n1. Delete the Service Connector:\n   &#8211; <strong>Service Connector Hub \u2192 audit-to-objectstorage-lab \u2192 Delete<\/strong>\n2. 
Delete objects and buckets:\n   &#8211; Delete all objects in <code>audit-archive-lab<\/code> and <code>audit-event-source-lab<\/code>\n   &#8211; Delete both buckets\n3. Delete the compartment <code>audit-lab<\/code> (only after all resources inside are deleted):\n   &#8211; <strong>Identity &amp; Security \u2192 Compartments \u2192 audit-lab \u2192 Delete<\/strong><\/p>\n\n\n\n<p>Confirm billing-impacting services (Streaming, Logging Analytics) were not enabled in this lab, or delete them if you created any extras.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Design for multi-region:<\/strong> Treat Audit as regional and build an export pipeline per region if you need centralized governance.<\/li>\n<li><strong>Central archive pattern:<\/strong> Export to Object Storage with lifecycle policies; optionally replicate to a central region if required (consider transfer costs).<\/li>\n<li><strong>Tiered monitoring:<\/strong> Archive everything, but alert only on high-risk events to control SIEM costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Least privilege for audit access:<\/strong> Many users don\u2019t need audit access. 
Separate:<\/li>\n<li><code>AuditReaders<\/code> (read-only investigators)<\/li>\n<li><code>AuditAdmins<\/code> (who can configure exports)<\/li>\n<li><strong>Protect IAM policy management:<\/strong> IAM policy changes are high impact; restrict to a small admin group and monitor these events.<\/li>\n<li><strong>Use compartments to scope operations:<\/strong> Align compartment structure with org boundaries; use Audit to validate boundaries are respected.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Export only when needed<\/strong> and store efficiently (compression, batching if supported).<\/li>\n<li><strong>Use Object Storage lifecycle rules<\/strong> to transition older logs to cheaper storage tiers (verify tiers and retrieval characteristics).<\/li>\n<li><strong>Avoid duplicative pipelines<\/strong> (multiple connectors exporting identical events).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>When using APIs:<\/li>\n<li>query using <strong>bounded time windows<\/strong>,<\/li>\n<li>paginate properly,<\/li>\n<li>and implement retry\/backoff for rate limits.<\/li>\n<li>Avoid pulling massive time ranges repeatedly; export once and query archived data.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer managed routing (Service Connector Hub) over custom polling scripts when possible.<\/li>\n<li>If compliance requires, implement:<\/li>\n<li>redundancy (multi-region archive),<\/li>\n<li>immutability controls (Object Storage retention rules\u2014verify),<\/li>\n<li>and monitored delivery pipelines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create a runbook for investigations:<\/li>\n<li>how to filter audit events,<\/li>\n<li>how to correlate 
request IDs with other logs,<\/li>\n<li>how to validate identity context.<\/li>\n<li>Regularly test:<\/li>\n<li>connector health,<\/li>\n<li>archive retrieval,<\/li>\n<li>and incident response queries.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use consistent compartment naming (e.g., <code>prod<\/code>, <code>nonprod<\/code>, <code>security<\/code>).<\/li>\n<li>Tag critical resources and ensure tag changes are monitored.<\/li>\n<li>Name connectors and buckets clearly:<\/li>\n<li><code>audit-archive-&lt;region&gt;-&lt;env&gt;<\/code><\/li>\n<li><code>audit-to-os-&lt;region&gt;-&lt;env&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12. Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Access to Audit data is controlled by OCI IAM policies.<\/li>\n<li>Treat audit logs as <strong>sensitive<\/strong>: they reveal internal resource names, identities, and operational patterns.<\/li>\n<li>Separate duties:<\/li>\n<li>platform admins (manage infra),<\/li>\n<li>security auditors (read audit),<\/li>\n<li>logging admins (manage pipelines).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI services typically encrypt data at rest by default; confirm Audit storage and Object Storage encryption details in official docs.<\/li>\n<li>If exporting to Object Storage, consider <strong>customer-managed keys<\/strong> via OCI Vault (where applicable) for stronger key control. 
Verify compatibility and configuration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Audit access is via OCI endpoints; apply enterprise controls:<\/li>\n<li>restrict who can access OCI Console,<\/li>\n<li>use MFA,<\/li>\n<li>consider network access controls and approved IP ranges where applicable.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Prefer instance principals\/resource principals for automation instead of long-lived API keys where possible.<\/li>\n<li>If you must use API keys:<\/li>\n<li>store private keys in a secure secrets manager (OCI Vault),<\/li>\n<li>rotate keys,<\/li>\n<li>and monitor key-related events in Audit.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging considerations (meta)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitor for:<\/li>\n<li>IAM policy changes,<\/li>\n<li>dynamic group changes,<\/li>\n<li>key creation\/deletion,<\/li>\n<li>security list and NSG modifications,<\/li>\n<li>route table and gateway changes,<\/li>\n<li>Object Storage public access changes.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Default retention may not meet your compliance requirements; implement export + retention policies.<\/li>\n<li>Consider immutable storage controls for regulated environments (verify Object Storage retention\/legal hold features and how they apply).<\/li>\n<li>Document who can access audit logs and how integrity is preserved.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Granting broad access: \u201cAllow group X to read audit-events in tenancy\u201d to too many users.<\/li>\n<li>Not exporting: losing evidence beyond the default retention window.<\/li>\n<li>No alerting: having audit logs but no detection pipeline for 
high-risk actions.<\/li>\n<li>Sending all audit data to an external SIEM without cost controls or data minimization.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use a dedicated <code>security<\/code> compartment to host:<\/li>\n<li>central archive buckets,<\/li>\n<li>connectors,<\/li>\n<li>streams\/functions for SIEM forwarding.<\/li>\n<li>Enable strong authentication (MFA) and restrict admin groups.<\/li>\n<li>Implement \u201cbreak glass\u201d accounts and monitor their use through Audit.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional visibility:<\/strong> Audit event viewing is typically region-scoped; you may miss events if you look in the wrong region.<\/li>\n<li><strong>Retention window is limited:<\/strong> Commonly documented as ~90 days (verify current value). Export is required for long-term retention.<\/li>\n<li><strong>Not a replacement for application\/OS logs:<\/strong> Audit covers control-plane actions, not runtime application behavior.<\/li>\n<li><strong>Event delivery delay:<\/strong> There can be minutes of lag between an action and its appearance\/export.<\/li>\n<li><strong>Service coverage varies:<\/strong> Some services\/actions may have different levels of audit coverage. 
Verify what is audited for the services you rely on.<\/li>\n<li><strong>API limits and pagination:<\/strong> Large environments can hit rate limits; design your collectors responsibly.<\/li>\n<li><strong>SIEM cost surprises:<\/strong> Audit volume can be high; forwarding everything to paid SIEM ingestion can be expensive.<\/li>\n<li><strong>IAM policy complexity:<\/strong> Small syntax mistakes can block connector delivery; validate policies carefully.<\/li>\n<li><strong>Export format expectations:<\/strong> The exported format (JSON structure, batching) may differ from what your parser expects; test with sample data before production.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Audit is one part of a broader observability and governance stack. Here\u2019s how it compares.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in Oracle Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI Logging:<\/strong> Collects service logs and custom logs; better for application\/service log centralization.<\/li>\n<li><strong>OCI Logging Analytics:<\/strong> Advanced search\/analysis over ingested logs; useful for dashboards and detections.<\/li>\n<li><strong>OCI Events:<\/strong> Event rules for certain resource state changes; not a full audit trail.<\/li>\n<li><strong>OCI Cloud Guard:<\/strong> Security posture management and detections; not a raw audit log store.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS CloudTrail:<\/strong> Similar control-plane auditing for AWS API calls.<\/li>\n<li><strong>Azure Activity Log:<\/strong> Subscription-level control-plane activity and platform events.<\/li>\n<li><strong>Google Cloud Audit Logs:<\/strong> Admin activity, data access, system events.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source \/ self-managed alternatives<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>You can build your own \u201caudit\u201d by collecting API gateway logs or proxy logs, but it is incomplete and error-prone compared to native control-plane audit.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>OCI Audit<\/strong><\/td>\n<td>Control-plane governance in Oracle Cloud<\/td>\n<td>Native, authoritative API activity trail; integrates with OCI IAM and compartments<\/td>\n<td>Limited default retention; region-scoped viewing; not app\/OS logging<\/td>\n<td>Always enable\/use for OCI governance and investigations<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Logging<\/strong><\/td>\n<td>Centralizing service logs and custom logs<\/td>\n<td>Flexible log sources; operational visibility<\/td>\n<td>Not the canonical control-plane audit trail<\/td>\n<td>Use alongside Audit for operational logging<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Logging Analytics<\/strong><\/td>\n<td>Advanced search, dashboards, detections<\/td>\n<td>Powerful analytics for large log sets (verify features and costs)<\/td>\n<td>Additional cost and setup<\/td>\n<td>Use for SOC-style investigations and alerting on exported audit data<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Events<\/strong><\/td>\n<td>Reactive automation on supported events<\/td>\n<td>Automates responses<\/td>\n<td>Not a full audit history<\/td>\n<td>Use for automation triggers, not as an audit record<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Cloud Guard<\/strong><\/td>\n<td>Security posture and detections<\/td>\n<td>Managed detectors and recommendations (verify)<\/td>\n<td>Not a replacement for raw audit logs<\/td>\n<td>Use with Audit for security operations<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS CloudTrail \/ Azure Activity Log \/ GCP Audit Logs<\/strong><\/td>\n<td>Equivalent 
auditing in other clouds<\/td>\n<td>Similar governance concept<\/td>\n<td>Different schemas, retention, and integrations<\/td>\n<td>Choose when operating in that cloud; align cross-cloud governance strategies<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed log pipeline<\/strong><\/td>\n<td>Custom governance needs<\/td>\n<td>Full customization<\/td>\n<td>High effort; incomplete; risk of gaps<\/td>\n<td>Only when required for specialized constraints; still keep native Audit<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example (regulated, multi-region)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA financial services company runs OCI workloads across two regions. They must retain admin activity logs for multiple years, detect policy tampering quickly, and support incident forensics.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; OCI Audit in each region\n&#8211; Service Connector Hub in each region exporting:\n  &#8211; all events to Object Storage (central archive)\n  &#8211; a filtered\/high-risk subset to Streaming\n&#8211; Functions consume Streaming and forward to the enterprise SIEM\n&#8211; Object Storage lifecycle policies move older logs to archive tiers (verify tiering)\n&#8211; IAM policies restrict:\n  &#8211; who can read audit events,\n  &#8211; who can manage connectors,\n  &#8211; who can delete logs (ideally nobody, enforced via retention controls)<\/p>\n\n\n\n<p><strong>Why Audit was chosen<\/strong>\n&#8211; Native, authoritative audit source for OCI control-plane actions\n&#8211; Required for compliance evidence and forensics\n&#8211; Integrates cleanly with compartment governance<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Multi-year retention with controlled cost in Object Storage\n&#8211; Faster detection of risky changes (IAM\/network modifications)\n&#8211; Repeatable incident timelines with actor 
attribution<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example (single region, fast iteration)<\/h3>\n\n\n\n<p><strong>Problem<\/strong>\nA startup repeatedly experiences \u201cmystery changes\u201d in dev and occasional accidental deletions. They need lightweight accountability without heavy SIEM spend.<\/p>\n\n\n\n<p><strong>Proposed architecture<\/strong>\n&#8211; Use OCI Audit Console\/CLI for investigations within default retention\n&#8211; Export to a single Object Storage bucket weekly\/daily (or via connector) for longer history\n&#8211; Create a small set of alerts only for critical events (policy changes, deletions) using a lightweight downstream approach (for example, streaming to a simple consumer)<\/p>\n\n\n\n<p><strong>Why Audit was chosen<\/strong>\n&#8211; Zero\/low operational overhead for basic usage\n&#8211; Immediate value for troubleshooting and change traceability<\/p>\n\n\n\n<p><strong>Expected outcomes<\/strong>\n&#8211; Reduced time to identify who changed what\n&#8211; Fewer repeat incidents due to improved accountability\n&#8211; Controlled costs by limiting downstream forwarding<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Is OCI Audit enabled by default?<\/strong><br\/>\n   Audit event recording is generally on by default for supported OCI services. You typically don\u2019t \u201cenable\u201d it; you control access and export. Verify specifics in the Audit docs.<\/p>\n<\/li>\n<li>\n<p><strong>Does Audit record Console actions?<\/strong><br\/>\n   Most Console actions result in OCI API calls, which are audited. Some UI-only interactions that don\u2019t call APIs won\u2019t appear.<\/p>\n<\/li>\n<li>\n<p><strong>Is Audit global or regional?<\/strong><br\/>\n   Audit is tenancy-wide in purpose, but events are commonly accessed <strong>per region<\/strong>. 
For multi-region governance, export and aggregate across regions.<\/p>\n<\/li>\n<li>\n<p><strong>How long does Audit retain events?<\/strong><br\/>\n   Retention is time-limited (often documented around 90 days). <strong>Verify current retention<\/strong> in official docs. Export to Object Storage for longer retention.<\/p>\n<\/li>\n<li>\n<p><strong>Can I delete Audit events?<\/strong><br\/>\n   In managed audit systems, events are typically not user-deletable from the service. For exported copies, deletion depends on Object Storage permissions and retention policies.<\/p>\n<\/li>\n<li>\n<p><strong>Who can view audit events?<\/strong><br\/>\n   Only identities granted permission by OCI IAM policies (for example, read\/inspect on audit events). Follow least privilege.<\/p>\n<\/li>\n<li>\n<p><strong>What information is inside an audit event?<\/strong><br\/>\n   Typically: timestamp, event name, principal identity, request metadata, response status, resource references, and identifiers. Exact fields vary by event type.<\/p>\n<\/li>\n<li>\n<p><strong>Does Audit capture data-plane access (e.g., reading object contents)?<\/strong><br\/>\n   Audit focuses on control-plane API calls. Data-plane coverage varies by service and operation. Verify service-specific auditing behavior.<\/p>\n<\/li>\n<li>\n<p><strong>How do I get alerts on risky actions?<\/strong><br\/>\n   Audit itself is a record system. For alerting, export to a system that supports detections (Streaming + Functions + SIEM, or Logging Analytics, depending on your design).<\/p>\n<\/li>\n<li>\n<p><strong>How do I centralize audit logs from multiple compartments?<\/strong><br\/>\n   Audit events can be filtered by compartment, but governance is tenancy-wide. 
Centralization is typically done by exporting from each region to a central bucket\/stream.<\/p>\n<\/li>\n<li>\n<p><strong>What\u2019s the difference between Audit and OCI Logging?<\/strong><br\/>\n   Audit is the authoritative record of <strong>OCI API activity<\/strong> (control plane). Logging is for <strong>service logs and custom logs<\/strong> (operational\/application).<\/p>\n<\/li>\n<li>\n<p><strong>Can I export audit events to Object Storage?<\/strong><br\/>\n   Commonly yes via Service Connector Hub. Confirm supported source\/target combinations and configure IAM permissions for delivery.<\/p>\n<\/li>\n<li>\n<p><strong>Why do I see events in CLI but not in the Console (or vice versa)?<\/strong><br\/>\n   Often due to region mismatch, time window filters, or permission scope. Ensure region and time range match.<\/p>\n<\/li>\n<li>\n<p><strong>How do I reduce SIEM ingestion costs with Audit data?<\/strong><br\/>\n   Archive everything in Object Storage, forward only high-risk subsets to SIEM, and use lifecycle rules\/compression.<\/p>\n<\/li>\n<li>\n<p><strong>How quickly do exported events arrive in Object Storage?<\/strong><br\/>\n   There can be delivery latency. In many environments it\u2019s minutes, but it\u2019s not guaranteed instantaneous. Test and document expected delay.<\/p>\n<\/li>\n<li>\n<p><strong>Does Audit help with compliance audits?<\/strong><br\/>\n   Yes\u2014Audit supports evidence of administrative activity. For compliance retention requirements, export and apply retention controls.<\/p>\n<\/li>\n<li>\n<p><strong>Can I use Audit for application debugging?<\/strong><br\/>\n   Not directly. Use application logs, APM, and service logs. Audit is best for \u201cwho changed infrastructure\u201d questions.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Audit<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official Documentation<\/td>\n<td>OCI Audit Documentation: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Audit\/home.htm<\/td>\n<td>Canonical description of Audit scope, querying, retention, and event structure<\/td>\n<\/tr>\n<tr>\n<td>Official API Reference<\/td>\n<td>OCI Audit API (ListEvents) via docs.oracle.com<\/td>\n<td>Shows REST endpoints, parameters, pagination, and auth requirements<\/td>\n<\/tr>\n<tr>\n<td>Official CLI Docs<\/td>\n<td>OCI CLI installation and usage: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\n<td>Needed to run <code>oci audit event list<\/code> and automate queries<\/td>\n<\/tr>\n<tr>\n<td>Official Service Docs<\/td>\n<td>Service Connector Hub: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/service-connector-hub\/home.htm<\/td>\n<td>Primary method to export Audit events to storage\/streaming targets<\/td>\n<\/tr>\n<tr>\n<td>Official Storage Docs<\/td>\n<td>Object Storage: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Object\/home.htm<\/td>\n<td>Required for archive patterns, lifecycle policies, retention controls<\/td>\n<\/tr>\n<tr>\n<td>Official IAM Docs<\/td>\n<td>IAM overview and policies: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm<\/td>\n<td>Essential for correct permissions to read audit events and operate connectors<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>OCI Price List: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<td>Confirm current costs for dependent services (Object Storage, Streaming, Logging Analytics)<\/td>\n<\/tr>\n<tr>\n<td>Cost Estimation<\/td>\n<td>OCI Cost Estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Model storage and analytics costs for audit retention\/forwarding 
designs<\/td>\n<\/tr>\n<tr>\n<td>Architecture Center<\/td>\n<td>OCI Architecture Center: https:\/\/docs.oracle.com\/en\/solutions\/<\/td>\n<td>Reference architectures for governance\/logging patterns (search for logging\/security)<\/td>\n<\/tr>\n<tr>\n<td>Videos\/Webinars<\/td>\n<td>Oracle Cloud YouTube channel: https:\/\/www.youtube.com\/@OracleCloudInfrastructure<\/td>\n<td>Practical walkthroughs for OCI governance\/security services (verify availability of Audit-specific videos)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>OCI governance, DevOps, cloud operations practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate engineers<\/td>\n<td>DevOps fundamentals, CI\/CD, cloud basics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>Cloud operations teams<\/td>\n<td>Cloud ops, monitoring, governance basics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability engineers<\/td>\n<td>Reliability, incident response, operational governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops and automation engineers<\/td>\n<td>AIOps concepts, automation, monitoring pipelines<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Engineers seeking practical coaching<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps tooling and practices (verify offerings)<\/td>\n<td>Beginners to intermediate DevOps engineers<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps guidance (verify offerings)<\/td>\n<td>Teams needing short-term help\/training<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify offerings)<\/td>\n<td>Ops teams and DevOps practitioners<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify scope)<\/td>\n<td>Governance design, automation, operational readiness<\/td>\n<td>Designing audit export pipelines; IAM policy hardening; landing zone governance<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps and cloud consulting\/training<\/td>\n<td>Cloud operations, DevOps transformation, governance guidance<\/td>\n<td>Implementing Audit \u2192 Object Storage\/Streaming; creating operational runbooks; training SOC\/platform teams<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify scope)<\/td>\n<td>CI\/CD, cloud governance, operational support<\/td>\n<td>Building log\/audit retention architecture; integration with external SIEM; cost optimization<\/td>\n<td>https:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Audit<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI fundamentals:\n<ul class=\"wp-block-list\">\n<li>Tenancy, regions, availability domains<\/li>\n<li>Compartments and resource organization<\/li>\n<\/ul>\n<\/li>\n<li>OCI IAM:\n<ul class=\"wp-block-list\">\n<li>Users, groups, dynamic groups<\/li>\n<li>Policies and least privilege<\/li>\n<\/ul>\n<\/li>\n<li>Basic OCI networking and core services (so you can interpret events)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Audit<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Service Connector Hub<\/strong> patterns for export pipelines<\/li>\n<li><strong>Object Storage<\/strong> lifecycle and retention controls<\/li>\n<li><strong>Streaming + Functions<\/strong> for near-real-time forwarding<\/li>\n<li><strong>Logging Analytics \/ SIEM<\/strong> fundamentals (parsing, detections, dashboards)<\/li>\n<li>Incident response and forensics workflows<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use Audit<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud security engineer \/ SOC analyst<\/li>\n<li>Cloud platform engineer<\/li>\n<li>DevOps engineer \/ SRE<\/li>\n<li>Compliance engineer \/ internal auditor (read-only)<\/li>\n<li>Solutions architect (governance designs)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle\u2019s certification offerings change frequently. 
Check Oracle University and OCI certification pages for current tracks:\nhttps:\/\/education.oracle.com\/<\/p>\n\n\n\n<p>Relevant paths often include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI Architect (associate\/professional)<\/li>\n<li>OCI Security-focused certifications (if available)<\/li>\n<li>Governance\/operations content within OCI tracks<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a multi-region audit archive with Object Storage lifecycle rules.<\/li>\n<li>Implement a \u201chigh-risk event\u201d forwarder:\n<ul class=\"wp-block-list\">\n<li>Audit \u2192 Streaming \u2192 Function \u2192 webhook (Slack\/Teams\/email gateway)<\/li>\n<\/ul>\n<\/li>\n<li>Create a weekly compliance report generator using OCI CLI + scheduled job.<\/li>\n<li>Create a compartment-level dashboard: top actions, top actors, change trends.<\/li>\n<li>Run a tabletop incident exercise using real audit events and a response runbook.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Audit (OCI Audit):<\/strong> OCI service that records control-plane actions (API calls) as audit events.<\/li>\n<li><strong>Audit event:<\/strong> A structured record of an OCI API operation, including who performed it and metadata about the request\/response.<\/li>\n<li><strong>Tenancy:<\/strong> Your OCI account boundary; the top-level container for all OCI resources.<\/li>\n<li><strong>Region:<\/strong> Geographic area where OCI resources and control-plane endpoints operate. 
Audit events are commonly accessed per region.<\/li>\n<li><strong>Compartment:<\/strong> Logical container for OCI resources used for isolation and access control.<\/li>\n<li><strong>OCID:<\/strong> Oracle Cloud Identifier, a unique ID string for OCI resources.<\/li>\n<li><strong>Principal:<\/strong> The identity that performed an action (user, instance principal, resource principal).<\/li>\n<li><strong>IAM policy:<\/strong> Human-readable statement controlling permissions in OCI.<\/li>\n<li><strong>Service Connector Hub:<\/strong> OCI service to route data from sources (including Audit) to targets (Object Storage, Streaming, etc.).<\/li>\n<li><strong>Object Storage:<\/strong> OCI service for storing unstructured data; commonly used to archive audit logs.<\/li>\n<li><strong>Streaming:<\/strong> OCI service for event streaming; used for near-real-time processing and SIEM forwarding.<\/li>\n<li><strong>SIEM:<\/strong> Security Information and Event Management system for security analytics and alerting.<\/li>\n<li><strong>Retention:<\/strong> How long logs\/events are stored before they expire or are deleted.<\/li>\n<li><strong>Lifecycle policy (Object Storage):<\/strong> Rules to transition objects to cheaper storage tiers or delete after a time period.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Audit<\/strong> is the core <strong>Governance and Administration<\/strong> service for recording OCI control-plane activity\u2014capturing <strong>who performed which API action, when, and with what result<\/strong>. 
It matters because it enables accountability, incident investigations, compliance evidence, and operational troubleshooting across compartments and teams.<\/p>\n\n\n\n<p>Cost-wise, Audit itself is commonly low\/no direct cost, but real solutions incur costs through <strong>Object Storage retention<\/strong>, <strong>Streaming<\/strong>, <strong>Functions<\/strong>, <strong>Logging Analytics<\/strong>, and especially <strong>external SIEM ingestion<\/strong>. Security-wise, treat audit logs as sensitive, lock down who can read them, and monitor high-risk actions like IAM and network changes. Use exports for long-term retention and multi-region centralization.<\/p>\n\n\n\n<p>Use Audit whenever you run workloads on Oracle Cloud. Next, build a production-ready pattern by exporting Audit events with <strong>Service Connector Hub<\/strong> to <strong>Object Storage<\/strong> for retention and to <strong>Streaming<\/strong> (or an analytics tool) for alerting and SOC workflows.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Governance and 
Administration<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[70,62],"tags":[],"class_list":["post-906","post","type-post","status-publish","format-standard","hentry","category-governance-and-administration","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/906","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=906"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/906\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=906"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=906"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=906"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}