We can use DLP's Network Monitor to audit/monitor the operation of the Oracle DB.
Each command of the Oracle DB operation will be packed and transfered from the netwok. It's the principle of this configuration.
Here are the steps:
1. From DLP Enforce Console, nevigate to 'System' --> 'Settings' --> 'Protocols'
2. Click 'Add Protocol'
3. Input the name of the protocol.
In the 'Ports' field, input 1521, which is the port used by Oracle DB.
In the 'IP Filter' field, input +,192.168.1.200/32,*;-,*,*
192.168.1.200 is the IP address of the Oracle DB
4. Return to the Servers Overview page, click the Network Monitor Server, then click the 'Configure' button. Under the 'Protocol' list, click to choose the protocol name that created on step3:
5. Create a Content Matches Keywords policy to detect these words: insert, update, select
6. Save this policy.
If the endpoint user log into the Oracle DB to run some command, then, there will be incidents recorded:
