Does this tool connect to my OCI account?

No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.

Are the generated configurations production-ready?

The tool produces syntactically valid configurations based on current OCI service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.

OCI Audit Event Filter Builder

See It in Action

Your security team needs to detect 'root user activity in any compartment' across the entire tenancy. The builder generates an Audit filter: `data.identity.principalName='root'` over the past 24 hours. Service Connector Hub forwards matching events to a Streaming stream, which a Splunk forwarder consumes. Within minutes of any root activity, security has a SIEM alert with full context. The default alternative (manually scanning audit logs) would have detected the same activity hours-to-days later, if at all.

What This Tool Does

Build Audit service event filter configurations to capture and route specific cloud infrastructure changes. This tool helps OCI engineers generate valid configurations quickly without consulting documentation, reducing errors and accelerating infrastructure deployment. All processing runs in your browser with no data sent to external servers.

Technical Details

The builder constructs OCI Audit event filter configurations using OCI Logging Search syntax: filter expressions matching event source (eventType prefix), event subtype (eventName), resource OCID patterns, principal IDs, IP addresses, and time ranges. Output is the filter expression string usable in Logging Search queries, plus Service Connector Hub configurations to forward filtered events to downstream destinations (Object Storage for archive, Streaming for real-time SIEM forwarding).

Common Use Cases

1Generating oci audit event filter configurations for new infrastructure deployments.
2Validating existing configurations against best practices before applying changes.
3Learning OCI service configuration patterns through interactive examples.
4Accelerating infrastructure-as-code development by producing correct JSON/YAML starting points.

Common Questions

Does this tool connect to my OCI account?: No. This tool runs entirely in your browser and generates configuration JSON that you can copy and paste into your infrastructure-as-code templates, CLI commands, or cloud console. It never connects to any cloud account or sends data externally.
Are the generated configurations production-ready?: The tool produces syntactically valid configurations based on current OCI service specifications. Always review generated configs against your organization security policies and test in a non-production environment before deploying.

Expert Tips

TIP

OCI Audit captures EVERY API call across the tenancy and retains them for 365 days at no charge. This is dramatically more generous than AWS CloudTrail (90-day default) or Azure Activity Logs (90-day retention). Use this to your advantage — the data is there, you just need filters to surface what matters.

TIP

Filter audit events at the QUERY level using the OCI Logging Search service, not at ingestion. All events are captured by default; building filter views in Logging Search lets you create different views for different audiences (security, compliance, operations) without losing data.

TIP

Combine Audit events with Service Connector Hub to forward security-relevant events to a SIEM (Splunk, Datadog) in real-time. Filter for IAM changes, security list modifications, key vault access — these are the events that need real-time monitoring rather than daily review.

Related Learning Guides

OCI IAM, Compartments & Policies22 min read
OCI Security Best Practices24 min read

OCI Audit Event Filter Builder