# Runbook - 07 Audit Evidence With Data Safe ## Objective Show how to turn access to sensitive data into auditable evidence using Unified Audit and OCI Data Safe. ## Security Value - Shows that prevention should be paired with evidence. - Helps CISO, audit, and compliance teams monitor access to sensitive data. - Demonstrates how Data Safe complements Oracle Deep Data Security with activity auditing and reporting. ## Prerequisites - Oracle Database compatible with Unified Audit. - OCI Data Safe enabled in the tenancy. - Target database registered, or ready to be registered, in Data Safe. - Permissions to configure Activity Auditing. ## Before - Vulnerable Environment 1. Reset the scenario: ```sql @scenarios/07-audit-evidence-data-safe/sql/99_reset.sql ``` 2. Create the sensitive table, data, and personas without custom auditing or data grants: ```sql @scenarios/07-audit-evidence-data-safe/sql/00_schema.sql @scenarios/07-audit-evidence-data-safe/sql/01_seed_data.sql @scenarios/07-audit-evidence-data-safe/sql/02_identities.sql ``` 3. Run a broad payments query: ```sql SELECT payment_id, customer_name, country, payment_amount, card_token, risk_flag FROM dds_audit_payments ORDER BY payment_id; ``` ## Expected Result Before - `CARD_TOKEN` can be queried by users with broad access. - The team may struggle to quickly prove who accessed the table and when. - There is no clear evidence package for audit. ## After - Applying Deep Data Security And Auditing 1. Apply the data grants: ```sql @scenarios/07-audit-evidence-data-safe/sql/03_data_grants.sql ``` 2. Create Unified Audit policies: ```sql @scenarios/07-audit-evidence-data-safe/sql/04_audit_policies.sql ``` 3. Apply redaction to the payment token column: ```sql @scenarios/07-audit-evidence-data-safe/sql/06_redaction_policy.sql ``` 4. Generate activity and query the local audit trail: ```sql @scenarios/07-audit-evidence-data-safe/sql/05_generate_activity.sql ``` 5. In OCI Data Safe: ```text Register Target Database Configure Activity Auditing Start audit trail collection for UNIFIED_AUDIT_TRAIL Review the Activity Auditing dashboard Generate or export an audit report ``` ## Expected Result After - `payment_operator` sees operational Brazil payment fields without `card_token`. - `auditor` sees the data required for review, with `card_token` partially redacted. - `UNIFIED_AUDIT_TRAIL` records access to `DDS_AUDIT_PAYMENTS`. - Data Safe collects and presents events in dashboards and reports. ## Demo Evidence - Output from `UNIFIED_AUDIT_TRAIL`. - Screenshot of the Data Safe target. - Screenshot of Activity Auditing. - Exported Data Safe report, when available. ## Official References - Oracle Data Safe Activity Auditing Overview: https://docs.oracle.com/en/cloud/paas/data-safe/udscs/activity-auditing-overview.html - Oracle Deep Data Security Guide: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/index.html - CREATE DATA GRANT SQL Reference: https://docs.oracle.com/en/database/oracle/oracle-database/26/sqlrf/create-data-grant.html - Configure Data Grants: https://docs.oracle.com/en/database/oracle/oracle-database/26/ddscg/configure-data-grants.html