chore(oraclecloud): enhance metadata for events service (#9373)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>

Author: puchy22

prowler/CHANGELOG.md

@@ -28,6 +28,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - Update Oracle Cloud KMS service metadata to new format [(#9377)](https://github.com/prowler-cloud/prowler/pull/9377)
 - Update Oracle Cloud Network service metadata to new format [(#9378)](https://github.com/prowler-cloud/prowler/pull/9378)
 - Update Oracle Cloud Object Storage service metadata to new format [(#9379)](https://github.com/prowler-cloud/prowler/pull/9379)
+- Update Oracle Cloud Events service metadata to new format [(#9373)](https://github.com/prowler-cloud/prowler/pull/9373)
 
 ---
 

prowler/providers/oraclecloud/services/events/events_notification_topic_and_subscription_exists/events_notification_topic_and_subscription_exists.metadata.json

@@ -1,36 +1,34 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "events_notification_topic_and_subscription_exists",
-  "CheckTitle": "Create at least one notification topic and subscription to receive monitoring alerts",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Tenancy has at least one notification topic with active subscriptions",
+  "CheckType": [],
   "ServiceName": "events",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:events:rule",
-  "Severity": "medium",
-  "ResourceType": "OciEventsRule",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "OnsTopic",
   "ResourceGroup": "messaging",
-  "Description": "At least one notification topic and subscription should exist to receive monitoring alerts.",
-  "Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
+  "Description": "**OCI Notifications** is evaluated for the existence of at least one **topic** that has one or more **subscriptions**.\n\nThe focus is on whether subscribed endpoints are present to receive Events and monitoring alerts.",
+  "Risk": "Without subscribed topics, alerts are not delivered, reducing **visibility** and delaying detection of malicious or accidental changes. This undermines **confidentiality** (undetected data access), **integrity** (unauthorized config changes), and **availability** (unresolved outages).",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
+      "CLI": "",
       "NativeIaC": "",
-      "Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
-      "Terraform": "resource \"oci_events_rule\" \"example\" {\n  display_name = \"rule\"\n  is_enabled = true\n  condition = jsonencode({\n    eventType = [\"com.oraclecloud.*\"]\n  })\n  actions {\n    actions {\n      action_type = \"ONS\"\n      topic_id = var.topic_id\n    }\n  }\n}"
+      "Other": "1. In the OCI Console, go to Menu > Application Integration > Notifications > Topics\n2. Click Create Topic, enter a name, and click Create\n3. Open the topic, click Create Subscription\n4. Select a protocol (e.g., Function), choose/provide the endpoint, and click Create\n5. Verify the subscription lifecycle state shows Active (confirm if prompted for protocols like Email)",
+      "Terraform": "```hcl\n# Create a notification topic\nresource \"oci_ons_notification_topic\" \"<example_resource_name>\" {\n  compartment_id = var.compartment_ocid\n  name           = \"<example_resource_name>\"  # Critical: creates the notification topic needed for the check\n}\n\n# Create a subscription on the topic (ensures topic has an active subscription)\nresource \"oci_ons_subscription\" \"<example_resource_name>\" {\n  compartment_id = var.compartment_ocid\n  topic_id       = oci_ons_notification_topic.<example_resource_name>.id  # Critical: attaches the subscription to the topic\n  protocol       = \"ORACLE_FUNCTIONS\"  # Critical: protocol that can become active without manual confirmation\n  endpoint       = \"<function_ocid>\"   # Critical: endpoint for the subscription\n}\n```"
     },
     "Recommendation": {
-      "Text": "Create at least one notification topic and subscription to receive monitoring alerts",
-      "Url": "https://hub.prowler.com/check/oci/events_notification_topic_and_subscription_exists"
+      "Text": "Create a centralized **Notifications** topic with one or more **subscriptions**, and route critical Events/monitoring to it. Apply **least privilege** to topic management, use redundant channels, test delivery regularly, and tune filters to reduce noise. *Consider* escalation paths for `critical` alerts.",
+      "Url": "https://hub.prowler.com/check/events_notification_topic_and_subscription_exists"
     }
   },
   "Categories": [
-    "logging",
-    "monitoring"
+    "logging"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/events/events_rule_cloudguard_problems/events_rule_cloudguard_problems.metadata.json

@@ -1,35 +1,34 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "events_rule_cloudguard_problems",
-  "CheckTitle": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Event rule monitoring Cloud Guard problems has notification actions configured",
+  "CheckType": [],
   "ServiceName": "events",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:events:rule",
-  "Severity": "medium",
-  "ResourceType": "OciEventRule",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EventRule",
   "ResourceGroup": "messaging",
-  "Description": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
-  "Risk": "Without Cloud Guard, security threats may not be detected and remediated.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm",
+  "Description": "**OCI Events rules** subscribe to **Cloud Guard problem lifecycle events**-`com.oraclecloud.cloudguard.problemdetected`, `com.oraclecloud.cloudguard.problemdismissed`, and `com.oraclecloud.cloudguard.problemremediated`-and include **notification actions**. *When Cloud Guard sets a reporting region, rules are expected in that region.*",
+  "Risk": "Without notifications for Cloud Guard problems, incidents can go unseen, delaying response. Ongoing issues can erode **confidentiality** via data exfiltration, threaten **integrity** through unremediated changes, and impact **availability** by allowing attacks to persist. Silent failures of automated remediation may also go unnoticed.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/cloud-guard/home.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci cloud-guard configuration update --compartment-id <tenancy-ocid> --status ENABLED --reporting-region <region>",
+      "CLI": "oci events rule create --compartment-id <example_resource_id> --display-name <example_resource_name> --is-enabled true --condition '{\"eventType\":[\"com.oraclecloud.cloudguard.problemdetected\",\"com.oraclecloud.cloudguard.problemdismissed\",\"com.oraclecloud.cloudguard.problemremediated\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"isEnabled\":true,\"topicId\":\"<example_resource_id>\"}]}' --region <region>",
       "NativeIaC": "",
-      "Other": "1. Navigate to Security > Cloud Guard\n2. Enable Cloud Guard\n3. Select reporting region\n4. Configure detectors and responders",
-      "Terraform": "resource \"oci_cloud_guard_cloud_guard_configuration\" \"example\" {\n  compartment_id = var.tenancy_ocid\n  reporting_region = var.region\n  status = \"ENABLED\"\n}"
+      "Other": "1. In the OCI Console, go to Menu > Application Integration > Events Service > Rules\n2. Click Create Rule and select the Compartment; switch to the Cloud Guard reporting Region\n3. In Conditions, add event types: com.oraclecloud.cloudguard.problemdetected, com.oraclecloud.cloudguard.problemdismissed, com.oraclecloud.cloudguard.problemremediated\n4. Under Actions, add Notifications and select the desired Topic\n5. Ensure the rule is Enabled and click Create",
+      "Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n  compartment_id = \"<example_resource_id>\"\n  display_name   = \"<example_resource_name>\"\n  is_enabled     = true\n\n  # critical: monitor Cloud Guard problem events\n  condition = jsonencode({\n    eventType = [\n      \"com.oraclecloud.cloudguard.problemdetected\",\n      \"com.oraclecloud.cloudguard.problemdismissed\",\n      \"com.oraclecloud.cloudguard.problemremediated\"\n    ]\n  })\n\n  actions {\n    actions {\n      action_type = \"ONS\"\n      is_enabled  = true\n      topic_id    = \"<example_resource_id>\" # critical: send notifications to this topic\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure a notification is configured for Oracle Cloud Guard problems detected",
-      "Url": "https://hub.prowler.com/check/oci/cloudguard_notification_configured"
+      "Text": "Implement **event-driven alerts** for Cloud Guard problem lifecycle events and route them to trusted **notification channels** and your **SOC/SIEM**. Enforce **least privilege** on publish/subscribe, align rules with the **reporting region**, and use **severity-based filtering** to prioritize response within a **defense-in-depth** approach.",
+      "Url": "https://hub.prowler.com/check/events_rule_cloudguard_problems"
     }
   },
   "Categories": [
-    "monitoring"
+    "threat-detection"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/events/events_rule_iam_group_changes/events_rule_iam_group_changes.metadata.json

@@ -1,36 +1,34 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "events_rule_iam_group_changes",
-  "CheckTitle": "Ensure a notification is configured for IAM group changes",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Event rule monitoring IAM group changes has notification actions configured",
+  "CheckType": [],
   "ServiceName": "events",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:events:rule",
-  "Severity": "medium",
-  "ResourceType": "OciEventsRule",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EventRule",
   "ResourceGroup": "messaging",
-  "Description": "Event rules should be configured to notify on IAM group changes.",
-  "Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
+  "Description": "**OCI Events rules** monitor **IAM group lifecycle events** (`creategroup`, `updategroup`, `deletegroup`) and include **notification actions** to generate alerts when these changes occur.",
+  "Risk": "Without alerts on **IAM group changes**, unauthorized privilege changes can persist unnoticed, enabling **privilege escalation** and broader access. This undermines **confidentiality** and **integrity**, and delays response to identity misuse.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
+      "CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.creategroup\",\"com.oraclecloud.identitycontrolplane.deletegroup\",\"com.oraclecloud.identitycontrolplane.updategroup\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<example_resource_id>\"}]}'",
       "NativeIaC": "",
-      "Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
-      "Terraform": "resource \"oci_events_rule\" \"example\" {\n  display_name = \"rule\"\n  is_enabled = true\n  condition = jsonencode({\n    eventType = [\"com.oraclecloud.*\"]\n  })\n  actions {\n    actions {\n      action_type = \"ONS\"\n      topic_id = var.topic_id\n    }\n  }\n}"
+      "Other": "1. In the OCI Console, go to Observability & Management > Events Service > Rules\n2. Click Create rule and set Name\n3. In Condition, select Event types and add:\n   - com.oraclecloud.identitycontrolplane.creategroup\n   - com.oraclecloud.identitycontrolplane.deletegroup\n   - com.oraclecloud.identitycontrolplane.updategroup\n4. In Actions, add Notifications and select an existing Topic\n5. Click Create to save the rule",
+      "Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n  compartment_id = \"<example_resource_id>\"\n  display_name   = \"<example_resource_name>\"\n\n  # Critical: Monitor IAM group changes\n  condition = jsonencode({\n    eventType = [\n      \"com.oraclecloud.identitycontrolplane.creategroup\",\n      \"com.oraclecloud.identitycontrolplane.deletegroup\",\n      \"com.oraclecloud.identitycontrolplane.updategroup\"\n    ]\n  })\n\n  actions {\n    actions {\n      action_type = \"ONS\"               # Critical: Send notifications via OCI Notifications\n      topic_id    = \"<example_resource_id>\"  # Topic OCID for notifications\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure a notification is configured for IAM group changes",
-      "Url": "https://hub.prowler.com/check/oci/events_rule_iam_group_changes"
+      "Text": "Create **Events rules** for IAM group `create`, `update`, and `delete` and route them to **Notifications** channels consumed by the SOC. Enforce **least privilege** and **separation of duties** on rules/topics, forward events to a **SIEM**, and periodically test alert delivery.",
+      "Url": "https://hub.prowler.com/check/events_rule_iam_group_changes"
     }
   },
   "Categories": [
-    "logging",
-    "monitoring"
+    "threat-detection"
   ],
   "DependsOn": [],
   "RelatedTo": [],

prowler/providers/oraclecloud/services/events/events_rule_iam_policy_changes/events_rule_iam_policy_changes.metadata.json

@@ -1,36 +1,34 @@
 {
   "Provider": "oraclecloud",
   "CheckID": "events_rule_iam_policy_changes",
-  "CheckTitle": "Ensure a notification is configured for IAM policy changes",
-  "CheckType": [
-    "Software and Configuration Checks",
-    "Industry and Regulatory Standards",
-    "CIS OCI Foundations Benchmark"
-  ],
+  "CheckTitle": "Event rule monitoring IAM policy changes has notification actions configured",
+  "CheckType": [],
   "ServiceName": "events",
   "SubServiceName": "",
-  "ResourceIdTemplate": "oci:events:rule",
-  "Severity": "medium",
-  "ResourceType": "OciEventsRule",
+  "ResourceIdTemplate": "",
+  "Severity": "high",
+  "ResourceType": "EventRule",
   "ResourceGroup": "messaging",
-  "Description": "Event rules should be configured to notify on IAM policy changes.",
-  "Risk": "Without proper event monitoring, security-relevant changes may go unnoticed.",
-  "RelatedUrl": "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm",
+  "Description": "**OCI Events rules** configured to capture **IAM policy create, update, and delete** events (`com.oraclecloud.identitycontrolplane.createpolicy`, `com.oraclecloud.identitycontrolplane.updatepolicy`, `com.oraclecloud.identitycontrolplane.deletepolicy`) and include a **notification action**.",
+  "Risk": "Without alerts on **IAM policy changes**, permissions can be altered unnoticed, enabling **privilege escalation**, unauthorized data access, and persistent footholds. Delayed visibility degrades **confidentiality** and **integrity** and slows incident response across compartments.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://docs.oracle.com/en-us/iaas/Content/Events/home.htm"
+  ],
   "Remediation": {
     "Code": {
-      "CLI": "oci events rule create --display-name <name> --condition <event-condition> --actions <notification-actions>",
+      "CLI": "oci events rule create --compartment-id <compartment_ocid> --display-name <example_resource_name> --condition '{\"eventType\":[\"com.oraclecloud.identitycontrolplane.createpolicy\",\"com.oraclecloud.identitycontrolplane.deletepolicy\",\"com.oraclecloud.identitycontrolplane.updatepolicy\"]}' --actions '{\"actions\":[{\"actionType\":\"ONS\",\"topicId\":\"<topic_ocid>\"}]}'",
       "NativeIaC": "",
-      "Other": "1. Navigate to Observability & Management > Events Service\n2. Create a new rule\n3. Configure the event condition\n4. Add notification action\n5. Save the rule",
-      "Terraform": "resource \"oci_events_rule\" \"example\" {\n  display_name = \"rule\"\n  is_enabled = true\n  condition = jsonencode({\n    eventType = [\"com.oraclecloud.*\"]\n  })\n  actions {\n    actions {\n      action_type = \"ONS\"\n      topic_id = var.topic_id\n    }\n  }\n}"
+      "Other": "1. In the OCI Console, go to Observability & Management > Events Service\n2. Click Create Rule and set Display Name (leave Enabled)\n3. Under Conditions, choose Event Type, set Service Name to Identity and Access Management, and select:\n   - com.oraclecloud.identitycontrolplane.createpolicy\n   - com.oraclecloud.identitycontrolplane.deletepolicy\n   - com.oraclecloud.identitycontrolplane.updatepolicy\n4. Under Actions, select Action Type: Notifications, then choose the target Topic\n5. Click Create",
+      "Terraform": "```hcl\nresource \"oci_events_rule\" \"<example_resource_name>\" {\n  compartment_id = var.compartment_id\n  display_name   = \"<example_resource_name>\"\n  is_enabled     = true\n\n  # Critical: monitor IAM policy create/delete/update events\n  condition = jsonencode({\n    eventType = [\n      \"com.oraclecloud.identitycontrolplane.createpolicy\",\n      \"com.oraclecloud.identitycontrolplane.deletepolicy\",\n      \"com.oraclecloud.identitycontrolplane.updatepolicy\"\n    ]\n  })\n\n  actions {\n    actions {\n      action_type = \"ONS\"        # Critical: adds a Notifications action\n      topic_id    = var.topic_id  # Critical: target Notifications topic\n    }\n  }\n}\n```"
     },
     "Recommendation": {
-      "Text": "Ensure a notification is configured for IAM policy changes",
-      "Url": "https://hub.prowler.com/check/oci/events_rule_iam_policy_changes"
+      "Text": "Create OCI Events rules for `...createpolicy`, `...updatepolicy`, and `...deletepolicy` with a **notification action** to trusted channels. Enforce **least privilege** on IAM and Events administration, require change approvals, and routinely test alerting to ensure rapid detection.",
+      "Url": "https://hub.prowler.com/check/events_rule_iam_policy_changes"
     }
   },
   "Categories": [
-    "logging",
-    "monitoring"
+    "identity-access"
   ],
   "DependsOn": [],
   "RelatedTo": [],