VCN subnets should have flow logs enabled
Description
Oracle Cloud Infrastructure (OCI) VCN subnets should have flow logs enabled to capture detailed information about IP traffic flowing through network interfaces. Flow logs provide visibility into network traffic patterns, help detect suspicious activity, and support security investigations and compliance requirements. Flow logs can be enabled at either the subnet level or the VCN level to cover all subnets within the VCN.
To enable flow logs for your OCI VCN subnets, create a network capture filter and flow log in Network Command Center.
The capture filter must have the following configuration:
- The filter type must be Flow log capture filter
- The sampling rate must be set to 100%
- The filter must contain at least one rule that captures all traffic (Traffic disposition: All, Include/Exclude: Include, Source CIDR: <blank>, Destination CIDR: <blank>, IP Protocol: All)
- The filter must not contain any enabled EXCLUDE rules
The flow log must have the following configuration:
- The destination can be a new or existing log group
- The capture filter must meet the criteria above
- The enablement point must be the subnet for subnet-level logging or VCN for VCN-level logging
For detailed guidance on enabling VCN flow logs, refer to the Capture Filters and VCN Flow Logs sections of the Oracle Cloud Infrastructure Documentation.
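The criteria above can be expressed as a check over an inventory of capture filters, flow logs, and subnets. The following is an added example, not code from this rule or from Oracle; the dictionary field names mirror the console labels listed above and are assumptions rather than the OCI API schema, and all sample data is constructed.

```python
# Added example. Field names mirror the console labels on this page and are
# assumptions, not the OCI API schema; all sample data below is constructed.
FLT = "Flow log capture filter"

def is_catch_all(rule):
    """True for an enabled Include rule that matches every flow."""
    return (rule.get("enabled", True)
            and rule["action"] == "Include"
            and rule["traffic_disposition"] == "All"
            and rule["ip_protocol"] == "All"
            and not rule.get("source_cidr")
            and not rule.get("destination_cidr"))

def filter_findings(cf):
    """Return the reasons a capture filter fails the criteria (empty = passes)."""
    findings = []
    if cf["filter_type"] != FLT:
        findings.append("wrong filter type")
    if cf["sampling_rate_percent"] != 100:
        findings.append("sampling rate is not 100%")
    rules = cf.get("rules", [])
    if not any(is_catch_all(r) for r in rules):
        findings.append("no enabled rule capturing all traffic")
    if any(r.get("enabled", True) and r["action"] == "Exclude" for r in rules):
        findings.append("enabled EXCLUDE rule present")
    return findings

def uncovered_subnets(subnets, flow_logs, filters):
    """Subnets lacking a subnet- or VCN-level flow log with a passing filter."""
    covered = {fl["enablement_point"] for fl in flow_logs
               if not filter_findings(filters[fl["capture_filter"]])}
    return [s["id"] for s in subnets
            if s["id"] not in covered and s["vcn_id"] not in covered]

# Constructed inventory: vcn-1 is logged at VCN level with a passing filter;
# subnet-c has a flow log whose filter carries an enabled EXCLUDE rule.
ALL = {"action": "Include", "traffic_disposition": "All", "ip_protocol": "All",
       "source_cidr": "", "destination_cidr": "", "enabled": True}
FILTERS = {
    "cf-good": {"filter_type": FLT, "sampling_rate_percent": 100, "rules": [ALL]},
    "cf-sampled": {"filter_type": FLT, "sampling_rate_percent": 50, "rules": [ALL]},
    "cf-excl": {"filter_type": FLT, "sampling_rate_percent": 100,
                "rules": [ALL, {**ALL, "action": "Exclude", "source_cidr": "10.0.0.0/24"}]},
}
SUBNETS = [{"id": s, "vcn_id": v} for s, v in
           [("subnet-a", "vcn-1"), ("subnet-b", "vcn-1"),
            ("subnet-c", "vcn-2"), ("subnet-d", "vcn-2")]]
FLOW_LOGS = [{"enablement_point": "vcn-1", "capture_filter": "cf-good"},
             {"enablement_point": "subnet-c", "capture_filter": "cf-excl"}]
```

On this inventory `uncovered_subnets(SUBNETS, FLOW_LOGS, FILTERS)` reports `subnet-c` and `subnet-d`: a flow log attached to a filter that fails the criteria does not count as coverage.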