Compare commits

...

2 Commits

Author SHA1 Message Date
Rubén De la Torre Vico
e20a8da5fd chore: add oraclecloud/events metadata update to changelog 2025-12-01 18:27:40 +01:00
Rubén De la Torre Vico
5deb5b9dda chore(oraclecloud/events): adapt metadata to new standardized format 2025-12-01 18:27:34 +01:00
14 changed files with 249 additions and 244 deletions

View File

@@ -83,6 +83,8 @@ All notable changes to the **Prowler SDK** are documented in this file.
- Update AWS ECS service metadata to new format [(#8888)](https://github.com/prowler-cloud/prowler/pull/8888)
- Update AWS Kinesis service metadata to new format [(#9262)](https://github.com/prowler-cloud/prowler/pull/9262)
- Update AWS DocumentDB service metadata to new format [(#8862)](https://github.com/prowler-cloud/prowler/pull/8862)
- Update oraclecloud events service metadata to new format [(#9373)](https://github.com/prowler-cloud/prowler/pull/9373)
### Fixed
- Check `check_name` has no `resource_name` error for GCP provider [(#9169)](https://github.com/prowler-cloud/prowler/pull/9169)
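Review bot: the new changelog line writes the provider as "oraclecloud events" while the neighbouring entries use product casing ("AWS ECS", "AWS Kinesis", "AWS DocumentDB"); "Update OCI Events service metadata to new format [(#9373)]" would read consistently with the rest of the list.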

View File

@@ -1,35 +1,33 @@
{
"Provider": "oraclecloud",
"CheckID": "events_notification_topic_and_subscription_exists",
"CheckTitle": "Create at least one notification topic and subscription to receive monitoring alerts",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Tenancy has at least one notification topic with active subscriptions",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "At least one notification topic and subscription should exist to receive monitoring alerts.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "OnsTopic",
"Description": "**OCI Notifications** is evaluated for the existence of at least one **topic** that has one or more **subscriptions**.\n\nThe focus is on whether subscribed endpoints are present to receive Events and monitoring alerts.",
"Risk": "Without subscribed topics, alerts are not delivered, reducing **visibility** and delaying detection of malicious or accidental changes. This undermines **confidentiality** (undetected data access), **integrity** (unauthorized config changes), and **availability** (unresolved outages).",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Menu > Application Integration > Notifications > Topics\n2. Click Create Topic, enter a name, and click Create\n3. Open the topic, click Create Subscription\n4. Select a protocol (e.g., Function), choose/provide the endpoint, and click Create\n5. Verify the subscription lifecycle state shows Active (confirm if prompted for protocols like Email)",
"Terraform": "```hcl\n# Create a notification topic\nresource \"oci_ons_notification_topic\" \"<example_resource_name>\" {\n compartment_id = var.compartment_ocid\n name = \"<example_resource_name>\" # Critical: creates the notification topic needed for the check\n}\n\n# Create a subscription on the topic (ensures topic has an active subscription)\nresource \"oci_ons_subscription\" \"<example_resource_name>\" {\n compartment_id = var.compartment_ocid\n topic_id = oci_ons_notification_topic.<example_resource_name>.id # Critical: attaches the subscription to the topic\n protocol = \"ORACLE_FUNCTIONS\" # Critical: protocol that can become active without manual confirmation\n endpoint = \"<function_ocid>\" # Critical: endpoint for the subscription\n}\n```"
},
"Recommendation": {
"Text": "Create at least one notification topic and subscription to receive monitoring alerts",
"Url": "https://hub.prowler.com/check/oci/events_notification_topic_and_subscription_exists"
"Text": "Create a centralized **Notifications** topic with one or more **subscriptions**, and route critical Events/monitoring to it. Apply **least privilege** to topic management, use redundant channels, test delivery regularly, and tune filters to reduce noise. *Consider* escalation paths for `critical` alerts.",
"Url": "https://hub.prowler.com/check/events_notification_topic_and_subscription_exists"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
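Review bot: `"CLI": ""` removes the CLI remediation entirely, even though the `Other` and `Terraform` fields in the same hunk describe a concrete two-step procedure (create an ONS topic, then a subscription on it); fill it with the matching Notifications commands, e.g. `oci ons topic create --compartment-id <compartment_ocid> --name <example_resource_name>` followed by `oci ons subscription create --compartment-id <compartment_ocid> --topic-id <topic_ocid> --protocol ORACLE_FUNCTIONS --subscription-endpoint <function_ocid>` (verify flag names against the OCI CLI reference before merging). Two further points: `"CheckType": []` drops the "CIS OCI Foundations Benchmark" classification that the old metadata carried, so please confirm that the compliance mapping now lives in the compliance framework files rather than here, otherwise this is a silent regression across every file in this change; and `Categories` keeps "logging" but drops "monitoring", which is the more accurate of the two for a check whose whole point is alert delivery.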

View File

@@ -1,34 +1,33 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_cloudguard_problems",
"CheckTitle": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring Cloud Guard problems has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventRule",
"Description": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
"Risk": "Without Cloud Guard, security threats may not be detected and remediated.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** subscribe to **Cloud Guard problem lifecycle events**-`com.oraclecloud.cloudguard.problemdetected`, `com.oraclecloud.cloudguard.problemdismissed`, and `com.oraclecloud.cloudguard.problemremediated`-and include **notification actions**. *When Cloud Guard sets a reporting region, rules are expected in that region.*",
"Risk": "Without notifications for Cloud Guard problems, incidents can go unseen, delaying response. Ongoing issues can erode **confidentiality** via data exfiltration, threaten **integrity** through unremediated changes, and impact **availability** by allowing attacks to persist. Silent failures of automated remediation may also go unnoticed.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci cloud-guard configuration update --compartment-id <tenancy-ocid> --status ENABLED --reporting-region <region>",
"CLI": "oci events rule create --compartment-id <example_resource_id> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.cloudguard.problemdetected\",\"com.oraclecloud.cloudguard.problemdismissed\",\"com.oraclecloud.cloudguard.problemremediated\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<example_resource_id>\"}]}' --region <region>",
"NativeIaC": "",
"Other": "1. Navigate to Security > Cloud Guard\n2. Enable Cloud Guard\n3. Select reporting region\n4. Configure detectors and responders",
"Terraform": "resource \"oci_cloud_guard_cloud_guard_configuration\" \"example\" {\n compartment_id = var.tenancy_ocid\n reporting_region = var.region\n status = \"ENABLED\"\n}"
"Other": "1. In the OCI Console, go to Menu > Application Integration > Events Service > Rules\n2. Click Create Rule and select the Compartment; switch to the Cloud Guard reporting Region\n3. In Conditions, add event types: com.oraclecloud.cloudguard.problemdetected, com.oraclecloud.cloudguard.problemdismissed, com.oraclecloud.cloudguard.problemremediated\n4. Under Actions, add Notifications and select the desired Topic\n5. Ensure the rule is Enabled and click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n # critical: monitor Cloud Guard problem events\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.cloudguard.problemdetected\",\n \"com.oraclecloud.cloudguard.problemdismissed\",\n \"com.oraclecloud.cloudguard.problemremediated\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\"\n is_enabled = true\n topic_id = \"<example_resource_id>\" # critical: send notifications to this topic\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
"Url": "https://hub.prowler.com/check/oci/cloudguard_notification_configured"
"Text": "Implement **event-driven alerts** for Cloud Guard problem lifecycle events and route them to trusted **notification channels** and your **SOC/SIEM**. Enforce **least privilege** on publish/subscribe, align rules with the **reporting region**, and use **severity-based filtering** to prioritize response within a **defense-in-depth** approach.",
"Url": "https://hub.prowler.com/check/events_rule_cloudguard_problems"
}
},
"Categories": [
"monitoring"
"threat-detection"
],
"DependsOn": [],
"RelatedTo": [],
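Review bot: the same placeholder `<example_resource_id>` stands for two different OCIDs in the new CLI (`--compartment-id <example_resource_id>` and `"topicId":"<example_resource_id>"`) and again in the Terraform block (`compartment_id = "<example_resource_id>"` and `topic_id = "<example_resource_id>"`); a reader copying this will paste the compartment OCID into the topic field. Use distinct names such as `<compartment_ocid>` and `<topic_ocid>`, as the IAM policy file's CLI in this same change already does. Minor: the bare hyphens in the Description ("lifecycle events-`com.oraclecloud.cloudguard.problemdetected` ... `problemremediated`-and include") are standing in for parentheses; "lifecycle events (`...`, `...`, and `...`) and include" reads cleanly. The switch of the remediation from enabling Cloud Guard to creating the Events rule is the right fix for the old mismatch.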

View File

@@ -1,35 +1,37 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_iam_group_changes",
"CheckTitle": "Ensure a notification is configured for IAM group changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring IAM group changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on IAM group changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** monitor **IAM group lifecycle events** (`creategroup`, `updategroup`, `deletegroup`) and include **notification actions** to generate alerts when these changes occur.",
"Risk": "Without alerts on **IAM group changes**, unauthorized privilege changes can persist unnoticed, enabling **privilege escalation** and broader access. This undermines **confidentiality** and **integrity**, and delays response to identity misuse.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://orca.security/resources/cloud-risk-encyclopedia/notification-not-configured-for-iam-group-changes/",
"https://blogs.oracle.com/ateam/post/part-1-event-based-integration-with-oci-iam",
"https://qiita.com/tkhsyuk/items/d95b97ffbbdab5c9300d",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-iam-group-changes.html",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.creategroup\",\"com.oraclecloud.identitycontrolplane.deletegroup\",\"com.oraclecloud.identitycontrolplane.updategroup\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule and set Name\n3. In Condition, select Event types and add:\n - com.oraclecloud.identitycontrolplane.creategroup\n - com.oraclecloud.identitycontrolplane.deletegroup\n - com.oraclecloud.identitycontrolplane.updategroup\n4. In Actions, add Notifications and select an existing Topic\n5. Click Create to save the rule",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n\n # Critical: Monitor IAM group changes\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.identitycontrolplane.creategroup\",\n \"com.oraclecloud.identitycontrolplane.deletegroup\",\n \"com.oraclecloud.identitycontrolplane.updategroup\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: Send notifications via OCI Notifications\n topic_id = \"<example_resource_id>\" # Topic OCID for notifications\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for IAM group changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_iam_group_changes"
"Text": "Create **Events rules** for IAM group `create`, `update`, and `delete` and route them to **Notifications** channels consumed by the SOC. Enforce **least privilege** and **separation of duties** on rules/topics, forward events to a **SIEM**, and periodically test alert delivery.",
"Url": "https://hub.prowler.com/check/events_rule_iam_group_changes"
}
},
"Categories": [
"logging",
"monitoring"
"threat-detection"
],
"DependsOn": [],
"RelatedTo": [],
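Review bot: the new CLI omits `--is-enabled`, which `oci events rule create` requires (the Cloud Guard and identity-provider files in this same change pass `--is-enabled true`), and the Terraform block omits `is_enabled`, a required argument of `oci_events_rule`; as written the CLI fails and the Terraform does not plan. Add `--is-enabled true` to the CLI and `is_enabled = true` under `display_name` in the Terraform. Separately, `AdditionalURLs` mixes Oracle documentation with third-party posts (orca.security, a qiita.com article, an Oracle A-Team blog); put the Oracle Events producer reference first and drop links that are not documentation of the event types themselves.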

View File

@@ -1,35 +1,38 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_iam_policy_changes",
"CheckTitle": "Ensure a notification is configured for IAM policy changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring IAM policy changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on IAM policy changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "OCI Events rules configured to capture **IAM policy create, update, and delete** events (`com.oraclecloud.identitycontrolplane.createpolicy`, `com.oraclecloud.identitycontrolplane.updatepolicy`, `com.oraclecloud.identitycontrolplane.deletepolicy`) and include a **notification action**.",
"Risk": "Without alerts on **IAM policy changes**, permissions can be altered unnoticed, enabling **privilege escalation**, unauthorized data access, and persistent footholds. Delayed visibility degrades **confidentiality** and **integrity** and slows incident response across compartments.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://github.com/bridgecrewio/checkov/issues/1957",
"https://www.ateam-oracle.com/post/part-1-event-based-integration-with-oci-iam",
"https://hub.steampipe.io/mods/turbot/oci_compliance/queries/events_rule_notification_iam_policy_changes",
"https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/cloud-guard/using/export-notifs-config.htm",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-iam-policy-changes.html",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createpolicy\",\"com.oraclecloud.identitycontrolplane.deletepolicy\",\"com.oraclecloud.identitycontrolplane.updatepolicy\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<topic_ocid>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Observability & Management > Events Service\n2. Click Create Rule and set Display Name (leave Enabled)\n3. Under Conditions, choose Event Type, set Service Name to Identity and Access Management, and select:\n - com.oraclecloud.identitycontrolplane.createpolicy\n - com.oraclecloud.identitycontrolplane.deletepolicy\n - com.oraclecloud.identitycontrolplane.updatepolicy\n4. Under Actions, select Action Type: Notifications, then choose the target Topic\n5. Click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = var.compartment_id\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n # Critical: monitor IAM policy create/delete/update events\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.identitycontrolplane.createpolicy\",\n \"com.oraclecloud.identitycontrolplane.deletepolicy\",\n \"com.oraclecloud.identitycontrolplane.updatepolicy\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: adds a Notifications action\n topic_id = var.topic_id # Critical: target Notifications topic\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for IAM policy changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_iam_policy_changes"
"Text": "Create OCI Events rules for `...createpolicy`, `...updatepolicy`, and `...deletepolicy` with a **notification action** to trusted channels. Enforce **least privilege** on IAM and Events administration, require change approvals, and routinely test alerting to ensure rapid detection.",
"Url": "https://hub.prowler.com/check/events_rule_iam_policy_changes"
}
},
"Categories": [
"logging",
"monitoring"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
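Review bot: the CLI again omits `--is-enabled true` while the Terraform in the same file sets `is_enabled = true`, so the two remediations disagree on whether the created rule is enabled; add the flag. The Terraform also uses `var.compartment_id` and `var.topic_id` where the sibling files use literal `<example_resource_id>` placeholders, and the console path in `Other` ("Observability & Management > Events Service") differs from the "Application Integration > Events Service > Rules" path given in the Cloud Guard and local-authentication files; since all of these are Events rules, the placeholder convention and the console path should be identical across the set. Finally, the checkov GitHub issue in `AdditionalURLs` is an issue-tracker thread rather than documentation; the Oracle Events reference and the Steampipe query already cover the event types.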

View File

@@ -1,35 +1,37 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_identity_provider_changes",
"CheckTitle": "Ensure a notification is configured for Identity Provider changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule for identity provider changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on identity provider changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "OCI Events rules monitor **IAM identity provider** creation, update, and deletion and include a **notification action**. The evaluation identifies rules that filter these events and route matching activity to a notification destination.",
"Risk": "Without alerts on **identity provider** changes, federation can be modified unnoticed, enabling unauthorized SSO, privilege escalation, or account takeover. Delayed visibility degrades incident response and threatens **confidentiality** and **integrity** of tenant access.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/",
"https://hub.steampipe.io/mods/turbot/oci_compliance/queries/events_rule_notification_identity_provider_changes",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"https://docs.oracle.com/en-us/iaas/Content/Events/Reference/eventsproducers.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <example_resource_id> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createidentityprovider\",\"com.oraclecloud.identitycontrolplane.deleteidentityprovider\",\"com.oraclecloud.identitycontrolplane.updateidentityprovider\"]}' --is-enabled true --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Observability & Management > Events Service > Rules and click Create rule\n2. Set Name and select the target Compartment\n3. In Rule condition, add event types: CreateIdentityProvider, DeleteIdentityProvider, UpdateIdentityProvider (service: Identity)\n4. In Actions, add Notification, select your Topic\n5. Ensure Enabled is On and click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n # Critical: monitor identity provider create/delete/update events\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.identitycontrolplane.createidentityprovider\",\n \"com.oraclecloud.identitycontrolplane.deleteidentityprovider\",\n \"com.oraclecloud.identitycontrolplane.updateidentityprovider\",\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: send notifications via OCI Notifications\n topic_id = \"<example_resource_id>\" # Topic to notify\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for Identity Provider changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_identity_provider_changes"
"Text": "Configure rules to capture **identity provider** `create`, `update`, and `delete` events and send notifications to responders and SIEM. Enforce **least privilege** on IdP management, require approvals for changes, and test alert paths. Use **defense in depth** with audit logging to spot anomalous identity changes.",
"Url": "https://hub.prowler.com/check/events_rule_identity_provider_changes"
}
},
"Categories": [
"logging",
"monitoring"
"identity-access",
"logging"
],
"DependsOn": [],
"RelatedTo": [],
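Review bot: step 3 of `Other` lists console display names ("CreateIdentityProvider, DeleteIdentityProvider, UpdateIdentityProvider") while every other file in this change lists the fully qualified `com.oraclecloud.identitycontrolplane.*` event types that the check actually matches; use the qualified names here too so the steps can be copied straight into a rule condition. Two smaller points: the first `AdditionalURLs` entry points at the Trend Micro knowledge-base index for OCI-Events rather than the specific rule page, as the other files link; and `Categories` carries both "identity-access" and "logging" whereas the IAM group, IAM policy and IdP group mapping files keep only "identity-access", so the tagging should be aligned.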

View File

@@ -1,35 +1,36 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_idp_group_mapping_changes",
"CheckTitle": "Ensure a notification is configured for IdP group mapping changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule for IdP group mapping changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on IdP group mapping changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** monitor **IdP group mapping changes** with **notification actions** for `com.oraclecloud.identitycontrolplane.createidpgroupmapping`, `com.oraclecloud.identitycontrolplane.deleteidpgroupmapping`, and `com.oraclecloud.identitycontrolplane.updateidpgroupmapping`.",
"Risk": "Without **alerts** on IdP group mapping changes, federated users can gain unauthorized group memberships unnoticed, enabling **privilege escalation** and broader access to OCI resources. This undermines **confidentiality** and **integrity**, and may affect **availability** through misuse of elevated permissions.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://github.com/bridgecrewio/checkov/issues/1959",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Events/Reference/eventsproducers.htm",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-idp-group-mapping-changes.html"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <COMPARTMENT_OCID> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\",\"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<TOPIC_OCID>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule\n3. Condition: add Event types:\n - com.oraclecloud.identitycontrolplane.createidpgroupmapping\n - com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\n - com.oraclecloud.identitycontrolplane.updateidpgroupmapping\n4. Actions: Add action > Notifications (ONS) and select the target Topic\n5. Ensure Rule is Enabled and click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.identitycontrolplane.createidpgroupmapping\", # critical: monitor IdP group mapping create\n \"com.oraclecloud.identitycontrolplane.deleteidpgroupmapping\", # critical: monitor IdP group mapping delete\n \"com.oraclecloud.identitycontrolplane.updateidpgroupmapping\" # critical: monitor IdP group mapping update\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # critical: adds notification action\n topic_id = \"<example_resource_id>\" # critical: ONS topic to notify\n is_enabled = true\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for IdP group mapping changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_idp_group_mapping_changes"
"Text": "Define **Events rules** for IdP group mapping changes (`com.oraclecloud.identitycontrolplane.createidpgroupmapping`, `...deleteidpgroupmapping`, `...updateidpgroupmapping`) and route notifications to monitored channels via **OCI Notifications**. Apply **least privilege** and **separation of duties**, and integrate alerts with a SIEM for **defense in depth**.",
"Url": "https://hub.prowler.com/check/events_rule_idp_group_mapping_changes"
}
},
"Categories": [
"logging",
"monitoring"
"identity-access"
],
"DependsOn": [],
"RelatedTo": [],
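Review bot: the CLI introduces a third placeholder style, `<COMPARTMENT_OCID>` and `<TOPIC_OCID>`, alongside the `<example_resource_id>` and `<compartment_ocid>` / `<topic_ocid>` forms used elsewhere in this change; a commit whose purpose is standardizing the metadata should settle on one. The Terraform block is otherwise complete (`is_enabled` present, distinct comments per event type). As in the IAM policy file, the checkov GitHub issue in `AdditionalURLs` is a tracker thread rather than documentation and could be dropped in favour of the Oracle Events producer reference that is already listed.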

View File

@@ -1,36 +1,35 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_local_user_authentication",
"CheckTitle": "Ensure a notification is configured for Local OCI User Authentication",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring local OCI user authentication has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciEventRule",
"Description": "Ensure that an Event Rule and Notification are configured to detect when a user authenticates via OCI local authentication. Event Rules are compartment-scoped and will detect events in child compartments. This Event rule is required to be created at the root compartment level.",
"Risk": "Without proper notification for local user authentication events, unauthorized access attempts or suspicious authentication activity may go undetected, increasing the risk of security breaches.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** targeting `com.oraclecloud.identitysignon.interactivelogin` are assessed for configured **notification actions** to monitor local user interactive sign-ins. Rules are compartment-scoped and can cover child compartments.",
"Risk": "Without alerts on local sign-ins, **account takeovers** and **brute-force** attempts can go unnoticed. Attackers with local access can exfiltrate data (confidentiality), change configurations (integrity), and disrupt services (availability), delaying detection and response.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-oci-local-authentication.html",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"https://blogs.oracle.com/ateam/post/methods-and-ways-to-extract-session-information-using-oci-audit-and-integrate-into-external-systems"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name user-authentication-rule --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.identitysignon.interactivelogin\"]}' --compartment-id <root-compartment-ocid> --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<topic-ocid>\"}]}'",
"CLI": "oci events rule create --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.identitysignon.interactivelogin\"]}' --compartment-id <example_resource_id> --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-oci-local-authentication.html",
"Terraform": "resource \"oci_events_rule\" \"user_auth_rule\" {\n display_name = \"user-authentication-events\"\n is_enabled = true\n compartment_id = var.tenancy_ocid\n condition = \"{\\\"eventType\\\":[\\\"com.oraclecloud.identitysignon.interactivelogin\\\"]}\"\n actions {\n actions {\n action_type = \"ONS\"\n is_enabled = true\n topic_id = oci_ons_notification_topic.topic.id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Application Integration > Events Service > Rules\n2. Click Create rule\n3. Set Name and select the target Compartment\n4. In Condition, set Event Type to: com.oraclecloud.identitysignon.interactivelogin\n5. Add Action: choose Notifications, select the Topic, and ensure it is Enabled\n6. Click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"example\" {\n display_name = \"<example_resource_name>\"\n is_enabled = true\n compartment_id = \"<example_resource_id>\"\n\n # Critical: filter for local OCI user authentication events\n condition = jsonencode({ eventType = [\"com.oraclecloud.identitysignon.interactivelogin\"] })\n\n actions {\n actions {\n # Critical: ONS notification action to a topic\n action_type = \"ONS\"\n is_enabled = true\n topic_id = \"<example_resource_id>\"\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Create an Event Rule with notifications configured to monitor local OCI user authentication events (com.oraclecloud.identitysignon.interactivelogin)",
"Url": "https://hub.prowler.com/check/oci/events_rule_local_user_authentication"
"Text": "Create an Events rule for `com.oraclecloud.identitysignon.interactivelogin` with **notification actions** delivering real-time alerts to monitored channels or workflows. Integrate with a SIEM, tune filters to reduce noise, and apply **least privilege** and **defense in depth** to limit local account exposure.",
"Url": "https://hub.prowler.com/check/events_rule_local_user_authentication"
}
},
"Categories": [
"logging",
"monitoring",
"security-configuration"
"threat-detection"
],
"DependsOn": [],
"RelatedTo": [],
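Review bot: L410 and L415 use the single placeholder `<example_resource_id>` for two different OCIDs, the compartment and the ONS topic (`--compartment-id <example_resource_id>` and `"topicId":"<example_resource_id>"`), which invites pasting the topic OCID into the compartment argument; the removed L409 had distinct `<root-compartment-ocid>` / `<topic-ocid>` and L524 in this same change uses `<compartment_ocid>` / `<topic_ocid>`, so use that pair here. The console path in L414 ("Application Integration > Events Service > Rules") also differs from "Observability & Management > Events Service > Rules" used in the other six files of this change; pick one.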

View File

@@ -1,35 +1,33 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_network_gateway_changes",
"CheckTitle": "Ensure a notification is configured for changes to network gateways",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring network gateway changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on network gateway changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "OCI Events rules monitor **network gateway** lifecycle and attachment changes (DRG, Internet, NAT, Service, and Local Peering gateways) and include **notification actions** so changes generate alerts.\n\nThe evaluation looks for rules filtered to these events and confirms they trigger notifications.",
"Risk": "Unalerted gateway changes can reroute traffic, expose services, or sever connectivity.\n\nAttackers or misconfigurations may modify routes or attachments to enable data exfiltration, man-in-the-middle, or denial of service, degrading **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <example_resource_id> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.virtualnetwork.createdrg\",\"com.oraclecloud.virtualnetwork.deletedrg\",\"com.oraclecloud.virtualnetwork.updatedrg\",\"com.oraclecloud.virtualnetwork.createdrgattachment\",\"com.oraclecloud.virtualnetwork.deletedrgattachment\",\"com.oraclecloud.virtualnetwork.updatedrgattachment\",\"com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment\",\"com.oraclecloud.virtualnetwork.createinternetgateway\",\"com.oraclecloud.virtualnetwork.deleteinternetgateway\",\"com.oraclecloud.virtualnetwork.updateinternetgateway\",\"com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment\",\"com.oraclecloud.virtualnetwork.createlocalpeeringgateway\",\"com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end\",\"com.oraclecloud.virtualnetwork.updatelocalpeeringgateway\",\"com.oraclecloud.natgateway.changenatgatewaycompartment\",\"com.oraclecloud.natgateway.createnatgateway\",\"com.oraclecloud.natgateway.deletenatgateway\",\"com.oraclecloud.natgateway.updatenatgateway\",\"com.oraclecloud.servicegateway.attachserviceid\",\"com.oraclecloud.servicegateway.changeservicegatewaycompartment\",\"com.oraclecloud.servicegateway.createservicegateway\",\"com.oraclecloud.servicegateway.deleteservicegateway.end\",\"com.oraclecloud.servicegateway.detachserviceid\",\"com.oraclecloud.servicegateway.updateservicegateway\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule and select the target Compartment\n3. Set Display name\n4. Under Matching events, add these Event types:\n - com.oraclecloud.virtualnetwork.createdrg\n - com.oraclecloud.virtualnetwork.deletedrg\n - com.oraclecloud.virtualnetwork.updatedrg\n - com.oraclecloud.virtualnetwork.createdrgattachment\n - com.oraclecloud.virtualnetwork.deletedrgattachment\n - com.oraclecloud.virtualnetwork.updatedrgattachment\n - com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment\n - com.oraclecloud.virtualnetwork.createinternetgateway\n - com.oraclecloud.virtualnetwork.deleteinternetgateway\n - com.oraclecloud.virtualnetwork.updateinternetgateway\n - com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment\n - com.oraclecloud.virtualnetwork.createlocalpeeringgateway\n - com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end\n - com.oraclecloud.virtualnetwork.updatelocalpeeringgateway\n - com.oraclecloud.natgateway.changenatgatewaycompartment\n - com.oraclecloud.natgateway.createnatgateway\n - com.oraclecloud.natgateway.deletenatgateway\n - com.oraclecloud.natgateway.updatenatgateway\n - com.oraclecloud.servicegateway.attachserviceid\n - com.oraclecloud.servicegateway.changeservicegatewaycompartment\n - com.oraclecloud.servicegateway.createservicegateway\n - com.oraclecloud.servicegateway.deleteservicegateway.end\n - com.oraclecloud.servicegateway.detachserviceid\n - com.oraclecloud.servicegateway.updateservicegateway\n5. Add action: Notification, select the target Notifications (ONS) topic\n6. Click Create (ensure the rule is enabled)",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n\n # Critical: Monitor required network gateway event types\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.virtualnetwork.createdrg\",\n \"com.oraclecloud.virtualnetwork.deletedrg\",\n \"com.oraclecloud.virtualnetwork.updatedrg\",\n \"com.oraclecloud.virtualnetwork.createdrgattachment\",\n \"com.oraclecloud.virtualnetwork.deletedrgattachment\",\n \"com.oraclecloud.virtualnetwork.updatedrgattachment\",\n \"com.oraclecloud.virtualnetwork.changeinternetgatewaycompartment\",\n \"com.oraclecloud.virtualnetwork.createinternetgateway\",\n \"com.oraclecloud.virtualnetwork.deleteinternetgateway\",\n \"com.oraclecloud.virtualnetwork.updateinternetgateway\",\n \"com.oraclecloud.virtualnetwork.changelocalpeeringgatewaycompartment\",\n \"com.oraclecloud.virtualnetwork.createlocalpeeringgateway\",\n \"com.oraclecloud.virtualnetwork.deletelocalpeeringgateway.end\",\n \"com.oraclecloud.virtualnetwork.updatelocalpeeringgateway\",\n \"com.oraclecloud.natgateway.changenatgatewaycompartment\",\n \"com.oraclecloud.natgateway.createnatgateway\",\n \"com.oraclecloud.natgateway.deletenatgateway\",\n \"com.oraclecloud.natgateway.updatenatgateway\",\n \"com.oraclecloud.servicegateway.attachserviceid\",\n \"com.oraclecloud.servicegateway.changeservicegatewaycompartment\",\n \"com.oraclecloud.servicegateway.createservicegateway\",\n \"com.oraclecloud.servicegateway.deleteservicegateway.end\",\n \"com.oraclecloud.servicegateway.detachserviceid\",\n \"com.oraclecloud.servicegateway.updateservicegateway\"\n ]\n })\n\n actions {\n actions {\n # Critical: Add notification action so the rule passes the check\n action_type = \"ONS\" # Sends to Notifications service (ONS)\n topic_id = \"<example_resource_id>\" # ONS topic OCID\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for changes to network gateways",
"Url": "https://hub.prowler.com/check/oci/events_rule_network_gateway_changes"
"Text": "Define **event rules** that match `create`, `update`, `delete`, `attach`, and `detach` actions for all gateway types and send **notifications** to monitored channels.\n\nApply **least privilege** on topics, cover all compartments/regions, integrate with SIEM, and use **defense in depth** with network change approvals.",
"Url": "https://hub.prowler.com/check/events_rule_network_gateway_changes"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
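Review bot: the Terraform in L472 omits `is_enabled` on the rule and `is_enabled` on the `actions.actions` block, both required arguments of `oci_events_rule`, so the snippet does not plan as written, and the CLI in L467 likewise drops `--is-enabled` and the action's `"isEnabled"` that L410 and L756 include; add `is_enabled = true` / `--is-enabled true` and `"isEnabled":true`, which is also what step 6 of L471 ("ensure the rule is enabled") asks the console user to do. L446 empties `CheckType` and with it the "CIS OCI Foundations Benchmark" label from L443; if the CIS mapping now lives in the compliance framework files that is fine, but the PR description should say so.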

View File

@@ -1,35 +1,35 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_network_security_group_changes",
"CheckTitle": "Ensure a notification is configured for network security group changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring network security group changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on network security group changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceType": "EventRule",
"Description": "OCI Events rules targeting **Network Security Group (NSG)** changes are evaluated for the presence of **notification actions**. Monitored event types: `com.oraclecloud.virtualnetwork.createnetworksecuritygroup`, `com.oraclecloud.virtualnetwork.updatenetworksecuritygroup`, `com.oraclecloud.virtualnetwork.deletenetworksecuritygroup`, `com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment`.",
"Risk": "Absent notifications for NSG changes enable silent policy drift.\n- **Confidentiality**: permissive edits can expose services and drive data exfiltration.\n- **Integrity**: attackers can reroute traffic or bypass micro-segmentation.\n- **Availability**: deletions/misconfigurations may isolate workloads or widen DDoS exposure.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.linkedin.com/pulse/oracle-cloud-events-zubair-aslam-xtfvf",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"https://docs.oracle.com/en-us/iaas/Content/Events/Reference/eventsproducers.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment\",\"com.oraclecloud.virtualnetwork.createnetworksecuritygroup\",\"com.oraclecloud.virtualnetwork.deletenetworksecuritygroup\",\"com.oraclecloud.virtualnetwork.updatenetworksecuritygroup\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<topic_ocid>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule\n3. Set Display name and Compartment\n4. Under Conditions, add Event types:\n - com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment\n - com.oraclecloud.virtualnetwork.createnetworksecuritygroup\n - com.oraclecloud.virtualnetwork.deletenetworksecuritygroup\n - com.oraclecloud.virtualnetwork.updatenetworksecuritygroup\n5. Under Actions, click Add action > Notifications, select Publish to topic, choose the ONS topic\n6. Click Create to save the rule",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"example\" {\n compartment_id = var.compartment_id\n display_name = \"<example_resource_name>\"\n\n # Critical: Monitor NSG change events to satisfy the check\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.virtualnetwork.changenetworksecuritygroupcompartment\", # Required NSG event\n \"com.oraclecloud.virtualnetwork.createnetworksecuritygroup\", # Required NSG event\n \"com.oraclecloud.virtualnetwork.deletenetworksecuritygroup\", # Required NSG event\n \"com.oraclecloud.virtualnetwork.updatenetworksecuritygroup\" # Required NSG event\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: Notification action required\n topic_id = var.topic_id # Sends notifications to this topic\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for network security group changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_network_security_group_changes"
"Text": "Implement **Events** rules for NSG lifecycle changes with **notification actions** to a monitored topic/SIEM.\n- Include `createnetworksecuritygroup`, `updatenetworksecuritygroup`, `deletenetworksecuritygroup`, `changenetworksecuritygroupcompartment`\n- Enforce **least privilege** and **separation of duties** on NSG and Events admins\n- Regularly test and tune alerts",
"Url": "https://hub.prowler.com/check/events_rule_network_security_group_changes"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
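Review bot: severity stays `medium` here (L507) while the sibling `events_rule_security_list_changes` moves to `high` (L625) in the same change; NSGs and security lists are the same control (VCN virtual firewall rules), so either both should be `high` or the rationale for the split belongs in the Risk text. The CLI in L524 and Terraform in L529 again omit `--is-enabled` / `is_enabled` on the rule and the `isEnabled` / `is_enabled` field on the ONS action, both required. L517 cites a LinkedIn post as a reference; the two Oracle docs links in L518 and L519 are sufficient.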

View File

@@ -1,35 +1,33 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_route_table_changes",
"CheckTitle": "Ensure a notification is configured for changes to route tables",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule for route table changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on route table changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** for **VCN route tables** monitor lifecycle and compartment changes and include **notification actions**.\n\nThe evaluation looks for rules that capture `create`, `update`, `delete`, and `changeCompartment` events for route tables and send notifications.",
"Risk": "Without notifications on route table changes, **routing tampering** can persist unnoticed:\n- Exposure of private subnets to the Internet\n- Traffic hijack or blackholing\n- Segmentation bypass enabling lateral movement\nThis threatens **confidentiality**, **integrity**, and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <example_compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.virtualnetwork.changeroutetablecompartment\",\"com.oraclecloud.virtualnetwork.createroutetable\",\"com.oraclecloud.virtualnetwork.deleteroutetable\",\"com.oraclecloud.virtualnetwork.updateroutetable\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules.\n2. Click Create rule and select the target Compartment; set a Display name.\n3. In Condition, add event types:\n - com.oraclecloud.virtualnetwork.changeroutetablecompartment\n - com.oraclecloud.virtualnetwork.createroutetable\n - com.oraclecloud.virtualnetwork.deleteroutetable\n - com.oraclecloud.virtualnetwork.updateroutetable\n4. In Actions, add Notifications (ONS) and select the desired Topic.\n5. Ensure the rule is Enabled and click Create.",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_compartment_ocid>\"\n display_name = \"<example_resource_name>\"\n\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.virtualnetwork.changeroutetablecompartment\", # critical: monitor route table change events\n \"com.oraclecloud.virtualnetwork.createroutetable\",\n \"com.oraclecloud.virtualnetwork.deleteroutetable\",\n \"com.oraclecloud.virtualnetwork.updateroutetable\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # critical: adds notification action\n topic_id = \"<example_resource_id>\" # critical: ONS topic to receive notifications\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for changes to route tables",
"Url": "https://hub.prowler.com/check/oci/events_rule_route_table_changes"
"Text": "Create an **Events rule** that captures route table `create`, `update`, `delete`, and `changeCompartment` events and routes them to **notifications** used by on-call and SIEM. Enforce **least privilege** on route edits, require **change approvals**, and apply **defense in depth** with auditing and automated response.",
"Url": "https://hub.prowler.com/check/events_rule_route_table_changes"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
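Review bot: L580 and L585 share the missing-`is_enabled` problem: the CLI has no `--is-enabled` and the action has no `"isEnabled"`, and the Terraform rule and `actions.actions` block lack `is_enabled`, while step 5 of L584 tells the console user to "Ensure the rule is Enabled". Placeholder naming is also inconsistent across the PR: this file uses `<example_compartment_ocid>`, L410 uses `<example_resource_id>` for the compartment, L524 uses `<compartment_ocid>`; a standardized format should settle on one.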

View File

@@ -1,35 +1,34 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_security_list_changes",
"CheckTitle": "Ensure a notification is configured for security list changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring security list changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on security list changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "OCI Events rules for VCN **security lists** monitor lifecycle changes-create, update, delete, and compartment moves-and include **notification actions**. The evaluation looks for rules that filter these events and confirms a configured notification target.",
"Risk": "Without timely alerts on security list changes, **unauthorized rule edits** can expose subnets to the Internet, enabling scans, brute force, and lateral movement (**confidentiality**), permit traffic manipulation (**integrity**), or block ports causing outages (**availability**). Delayed detection widens blast radius.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.thatfinnishguy.blog/2021/03/15/get-notified-on-unwanted-network-changes-with-oci-cloud-guard/",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <example_resource_id> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.virtualnetwork.changesecuritylistcompartment\",\"com.oraclecloud.virtualnetwork.createsecuritylist\",\"com.oraclecloud.virtualnetwork.deletesecuritylist\",\"com.oraclecloud.virtualnetwork.updatesecuritylist\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\",\"isEnabled\":true}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule, set a name and compartment\n3. In Condition, set Event Type to include exactly:\n - com.oraclecloud.virtualnetwork.changesecuritylistcompartment\n - com.oraclecloud.virtualnetwork.createsecuritylist\n - com.oraclecloud.virtualnetwork.deletesecuritylist\n - com.oraclecloud.virtualnetwork.updatesecuritylist\n4. Click Add action, choose Notifications, select an existing topic\n5. Ensure the action is enabled and click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n # Critical: monitor security list change event types required by the check\n # This ensures the rule matches the specific VCN Security List events\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.virtualnetwork.changesecuritylistcompartment\",\n \"com.oraclecloud.virtualnetwork.createsecuritylist\",\n \"com.oraclecloud.virtualnetwork.deletesecuritylist\",\n \"com.oraclecloud.virtualnetwork.updatesecuritylist\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: add notification action\n topic_id = \"<example_resource_id>\" # ONS topic OCID to send notifications\n is_enabled = true # Ensure notifications are sent\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for security list changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_security_list_changes"
"Text": "Define **Events** rules for security list create/update/delete and route them to **Notifications** or automated responders. Enforce **least privilege** for network and Events admins, apply **change control** with logging, cover critical compartments/regions, and periodically test alerts for reliability.",
"Url": "https://hub.prowler.com/check/events_rule_security_list_changes"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
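Review bot: L637 enables the ONS action (`"isEnabled":true`) but omits `--is-enabled true` on the rule itself, so the CLI and the Terraform in L642 (which has both `is_enabled = true` lines) disagree; mirror the Terraform. In L627 the hyphens in "lifecycle changes-create, update, delete, and compartment moves-and include" are being used as dashes and read as hyphenated words; use parentheses. L631 points to a blog post about Cloud Guard detectors rather than Events rules, which is a different control from what this check evaluates.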

View File

@@ -1,35 +1,37 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_user_changes",
"CheckTitle": "Ensure a notification is configured for user changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring user changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on user changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceIdTemplate": "",
"Severity": "high",
"ResourceType": "EventRule",
"Description": "OCI **Events rules** targeting **IAM user changes** (e.g., `com.oraclecloud.identitycontrolplane.createuser` and related update/delete/state events) are assessed for attached **notification actions**.\n\nThe finding indicates which rules listen for these events and whether they are configured to emit alerts.",
"Risk": "Absent alerts on user lifecycle events, **unauthorized account creation**, **privilege escalation**, or **re-enabling disabled users** may go undetected. This delays containment, enabling persistence and lateral movement that erode **confidentiality** and **integrity**, and introduces audit gaps reducing **accountability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-iam-user-changes.html",
"https://orca.security/resources/cloud-risk-encyclopedia/notification-not-configured-for-iam-user-changes/",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"https://www.ateam-oracle.com/post/part-1-event-based-integration-with-oci-iam"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <COMPARTMENT_OCID> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createuser\",\"com.oraclecloud.identitycontrolplane.deleteuser\",\"com.oraclecloud.identitycontrolplane.updateuser\",\"com.oraclecloud.identitycontrolplane.updateusercapabilities\",\"com.oraclecloud.identitycontrolplane.updateuserstate\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<TOPIC_OCID>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In the OCI Console, go to Observability & Management > Events Service > Rules and click Create Rule\n2. Select the Compartment and enter a Name\n3. Under Rule Conditions, set Event Type to include:\n - com.oraclecloud.identitycontrolplane.createuser\n - com.oraclecloud.identitycontrolplane.deleteuser\n - com.oraclecloud.identitycontrolplane.updateuser\n - com.oraclecloud.identitycontrolplane.updateusercapabilities\n - com.oraclecloud.identitycontrolplane.updateuserstate\n4. Under Actions, add a Notification action and select the desired Notifications (ONS) Topic\n5. Click Create",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = \"<example_resource_id>\"\n display_name = \"<example_resource_name>\"\n\n # Critical: monitor IAM user change event types\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.identitycontrolplane.createuser\",\n \"com.oraclecloud.identitycontrolplane.deleteuser\",\n \"com.oraclecloud.identitycontrolplane.updateuser\",\n \"com.oraclecloud.identitycontrolplane.updateusercapabilities\",\n \"com.oraclecloud.identitycontrolplane.updateuserstate\",\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # Critical: notification action type\n topic_id = \"<example_resource_id>\" # Critical: ONS topic to notify\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for user changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_user_changes"
"Text": "Create and maintain **Events rules** for IAM user lifecycle changes and attach reliable **notification actions** to security-owned channels (SIEM, paging, email, chat).\n\nEnforce **least privilege** and **separation of duties** on rule management, and use **defense in depth** by correlating alerts with audit logs and automating containment.",
"Url": "https://hub.prowler.com/check/events_rule_user_changes"
}
},
"Categories": [
"logging",
"monitoring"
"identity-access",
"logging"
],
"DependsOn": [],
"RelatedTo": [],
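Review bot: L696 and L701 omit the required `--is-enabled` / `is_enabled` on the rule and `isEnabled` / `is_enabled` on the ONS action, the same gap as the gateway, NSG and route table files in this change. L684 introduces the event list with "e.g." although the five `identitycontrolplane` types in L696/L701 are the exact set the check evaluates; drop the "e.g." so readers do not assume other user events count. L696 also uses upper-case placeholders (`<COMPARTMENT_OCID>`, `<TOPIC_OCID>`) where every other file uses lower-case.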

View File

@@ -1,35 +1,37 @@
{
"Provider": "oraclecloud",
"CheckID": "events_rule_vcn_changes",
"CheckTitle": "Ensure a notification is configured for VCN changes",
"CheckType": [
"Software and Configuration Checks",
"Industry and Regulatory Standards",
"CIS OCI Foundations Benchmark"
],
"CheckTitle": "Event rule monitoring VCN changes has notification actions configured",
"CheckType": [],
"ServiceName": "events",
"SubServiceName": "",
"ResourceIdTemplate": "oci:events:rule",
"ResourceIdTemplate": "",
"Severity": "medium",
"ResourceType": "OciEventsRule",
"Description": "Event rules should be configured to notify on VCN changes.",
"Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
"RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
"ResourceType": "EventRule",
"Description": "**OCI Events rules** exist to capture **VCN lifecycle changes** (`create`, `update`, `delete`) via event types `com.oraclecloud.virtualnetwork.createvcn`, `com.oraclecloud.virtualnetwork.updatevcn`, `com.oraclecloud.virtualnetwork.deletevcn`, and include **notification actions**.",
"Risk": "Missing alerts for **VCN changes** reduces visibility of network perimeter modifications.\n\nAttackers or mistakes can silently open Internet access, alter routes for **data exfiltration**, or delete gateways/subnets, harming **confidentiality** and **availability**.",
"RelatedUrl": "",
"AdditionalURLs": [
"https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Events/Reference/eventsproducers.htm",
"https://hub.steampipe.io/mods/turbot/oci_compliance/queries/events_rule_notification_vcn_changes",
"https://github.com/bridgecrewio/checkov/issues/1965",
"https://www.trendmicro.com/cloudoneconformity/knowledge-base/oci/OCI-Events/detect-vcn-changes.html",
"https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
],
"Remediation": {
"Code": {
"CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
"CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.virtualnetwork.createvcn\",\"com.oraclecloud.virtualnetwork.deletevcn\",\"com.oraclecloud.virtualnetwork.updatevcn\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<example_resource_id>\"}]}'",
"NativeIaC": "",
"Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
"Terraform": "resource \"oci_events_rule\" \"example\" {\n display_name = \"rule\"\n is_enabled = true\n condition = jsonencode({\n eventType = [\"com.oraclecloud.*\"]\n })\n actions {\n actions {\n action_type = \"ONS\"\n topic_id = var.topic_id\n }\n }\n}"
"Other": "1. In OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule and enter a name; set Rule state to Enabled\n3. Under Conditions, add Event types: com.oraclecloud.virtualnetwork.createvcn, com.oraclecloud.virtualnetwork.deletevcn, com.oraclecloud.virtualnetwork.updatevcn\n4. Under Actions, add Notification and select the target Notifications topic\n5. Click Create to save the rule",
"Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n compartment_id = var.compartment_id\n display_name = \"<example_resource_name>\"\n is_enabled = true\n\n # critical: monitor VCN create/delete/update events\n condition = jsonencode({\n eventType = [\n \"com.oraclecloud.virtualnetwork.createvcn\",\n \"com.oraclecloud.virtualnetwork.deletevcn\",\n \"com.oraclecloud.virtualnetwork.updatevcn\"\n ]\n })\n\n actions {\n actions {\n action_type = \"ONS\" # critical: send notifications via OCI Notifications\n topic_id = var.topic_id # critical: target Notifications topic\n }\n }\n}\n```"
},
"Recommendation": {
"Text": "Ensure a notification is configured for VCN changes",
"Url": "https://hub.prowler.com/check/oci/events_rule_vcn_changes"
"Text": "Create and enable **Events rules** for VCN lifecycle changes (**create**, **update**, **delete**) with **notification actions** to monitored channels.\n\nApply **least privilege** to manage rules and notifications, integrate alerts with incident response, and periodically test to support **defense in depth**.",
"Url": "https://hub.prowler.com/check/events_rule_vcn_changes"
}
},
"Categories": [
"logging",
"monitoring"
"logging"
],
"DependsOn": [],
"RelatedTo": [],
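Review bot: L761 sets `is_enabled = true` on the rule but the `actions.actions` block has no `is_enabled`, which `oci_events_rule` requires; the CLI in L756 is complete (`--is-enabled true` and `"isEnabled":true`) and is the version to match. Severity remains `medium` (L737) while gateway and route table changes become `high` in this change, even though `deletevcn` / `updatevcn` affects the whole network; state the reasoning in Risk or align it. In the AdditionalURLs, L749 is a checkov issue thread rather than documentation, and L747 duplicates the eventsproducers page behind a non-canonical host; keep the `docs.oracle.com` form and drop the issue link.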