Intelligent Auditing

Simply put, Intelligent Auditing allows Core Audit to tell you when something suspicious is happening in your database.

Intelligent vs. Declarative Auditing

Declarative auditing is what compliance requirements ask for. It is when you tell Core Audit what to monitor for. You can monitor DBA activity, DDL activity, etc.
Intelligent auditing is when Core Audit decides what activity is suspicious. There are many parameters that go into this equation, but the end result is that Core Audit picks out unusual activity patterns and tells you about them.
The best security is achieved when both declarative and intelligent auditing are combined.


Intelligent Auditing can find things that manual activity inspection cannot detect. For example, the Intelligent Auditing engine can check every SQL construct in the database to find new constructs, volume changes, etc. This type of individual inspection is not possible by hand as there are hundreds of thousands of SQL constructs running in every database.
Anomaly detection is not signature based, so it does not look for SQLs crafted in particular ways – it simply looks for changes in activity patterns. This means that nothing falls through the cracks because there is no need to write a signature for every attack.
Intelligent Auditing is therefore effective against:
  • SQL Injections (whether they match a signature or not)
  • Zero day attacks
  • Privilege abuse
  • Backdoors
  • New Oracle accounts in use
  • New programs, machines, or OS users from which connections originate
  • Abnormal activity hours
  • Spikes in occurrence of particular SQLs
  • Spikes in activity from particular Users, Programs, Machines, and OS Users

Alert, Report, and more

The anomaly detection engine is built into the reporting engine and therefore supports all the delivery options available for Reports.
These include:
  • Alerts – near real-time alerts
  • Reports – automatic daily reports
  • Syslog & CEF – integration with various SYSLOG servers (including ArcSight)
  • CSV – for easy import into spreadsheets
  • Ad-hoc – Ad-hoc analysis of any period of time
Being part of the reporting engine, intelligent auditing also supports all the grouping, formatting, ease of use, and various other features of all the reports.

Under the Covers

Intelligent Auditing is made possible by the security repository that underlies Complete Picture.
Complete Picture is on by default and stores abbreviated records of everything that happens in the Oracle database in the security repository. Using only a few megabytes per day, Complete Picture gives you the comfort of knowing that whether you thought of monitoring for it or not, there will always be a record of everything that happened.
Taking advantage of the data stored by Complete Picture, Intelligent Auditing can compare current activity patterns to historical patterns and look for anomalies.
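
The comparison of current activity with historical patterns described above (new SQL constructs, volume spikes, new accounts and connection sources, unusual hours) can be sketched as follows. This is an added example, not Core Audit's code or algorithm: the record layout, the `construct` normalisation, and the 3x spike threshold are assumptions, and all records are constructed.

```python
import re
from collections import Counter

def construct(sql):
    """Reduce a statement to its construct: literals replaced by '?'."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)        # string literals
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)       # numeric literals
    return re.sub(r"\s+", " ", s).strip().upper()

def profile(records):
    """Summarise (user, program, machine, hour, sql) records into a pattern."""
    return {
        "constructs": Counter(construct(r[4]) for r in records),
        "users": {r[0] for r in records},
        "sources": {(r[1], r[2]) for r in records},
        "hours": {r[3] for r in records},
    }

def anomalies(baseline, days, today, spike=3.0):
    """Compare today's records with a baseline built over `days` days."""
    cur, found = profile(today), []
    for c, n in sorted(cur["constructs"].items()):
        avg = baseline["constructs"].get(c, 0) / days   # historical daily average
        if avg == 0:
            found.append(("new_construct", c))
        elif n > spike * avg:
            found.append(("volume_spike", c))
    found += [("new_user", u) for u in sorted(cur["users"] - baseline["users"])]
    found += [("new_source", s) for s in sorted(cur["sources"] - baseline["sources"])]
    found += [("unusual_hour", h) for h in sorted(cur["hours"] - baseline["hours"])]
    return found

# Constructed sample records: (db user, program, machine, hour, SQL text)
HISTORY = [("APP", "webapp", "web01", h, f"SELECT name FROM emp WHERE id = {i}")
           for h in (9, 10, 11, 14) for i in range(5)]   # 20 rows covering 2 days
TODAY = (
    [("APP", "webapp", "web01", 10, f"SELECT name FROM emp WHERE id = {i}")
     for i in range(40)]
    # Same application, but the statement's shape changed: no signature needed
    + [("APP", "webapp", "web01", 10, "SELECT name FROM emp WHERE id = 7 OR 1 = 1")]
    + [("SCOTT", "sqlplus", "laptop7", 3, "SELECT * FROM salaries")]
)

if __name__ == "__main__":
    for kind, detail in anomalies(profile(HISTORY), 2, TODAY):
        print(kind, detail)
```

Because literals are stripped before comparison, the 40 ordinary lookups collapse into one known construct, while the altered statement surfaces as a new construct regardless of how it was crafted.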
