Oracle Cloud

Visualize OCI compute instances, virtual machine hosts, domains, access policies, oracle object storage, vaults, nosql services, streaming services , devops, functions, redis, resource manager , map OCI users to employees, and monitor changes through queries and alerts.

Installation
Data Model
Types

Installation

This guide walks you through setting up the Oracle Cloud Infrastructure (OCI) integration in JupiterOne. The process involves two main steps:

Configure API access in Oracle Cloud - Set up authentication credentials
Configure the integration in JupiterOne - Connect JupiterOne to your OCI account

Prerequisites

Before you begin, make sure you have:

Admin access to your Oracle Cloud Infrastructure account (or a user with sufficient permissions)
The ability to create API keys and configure IAM policies in OCI
Access to your JupiterOne account

Step 1: Configure API Access in Oracle Cloud

To connect JupiterOne to your Oracle Cloud account, you'll need to create API credentials. Here's what you'll be collecting:

Credential	What It Is	Where You'll Get It
Private Key	The private half of an RSA key pair used for API authentication	Generated/downloaded during API key creation
Tenancy OCID	Your Oracle Cloud tenancy's unique identifier	Shown in the configuration preview after creating the API key
User OCID	The unique identifier for your OCI user account	Shown in the configuration preview after creating the API key
Fingerprint	A unique identifier for your public key	Shown in the configuration preview after creating the API key
Region	The Oracle Cloud region you want to connect to	Shown in the configuration preview after creating the API key
Passphrase	Optional password protecting your private key	Only needed if you used a passphrase when generating the key

Create an API Key in Oracle Cloud

Log into Oracle Cloud Infrastructure Console
- Sign in as the root user or a user with permissions to create API keys and manage IAM policies
Navigate to User Profile
- Click on your profile icon in the top-right corner of the screen
- Select My profile from the dropdown menu
Add API Key
- In your profile, scroll to the Tokens and Keys section
- Click Add API Key
Generate or Upload Key Pair
- Recommended: Select "Generate a key pair for me" (easiest option)
- Alternative: Upload your own public key if you already have one
Download Your Private Key ⚠️ Important
- If you generated a new key pair, you'll see an option to download the private key
- Download and securely store this file - you'll need it for the JupiterOne integration
- The private key file will have a .pem extension
- Click Add Key
Save Your Configuration Values
- After adding the API key, Oracle Cloud will display a configuration file preview
- This preview contains the following values you'll need:
  - User OCID: ocid1.user.oc1..xxxxx
  - Tenancy OCID: ocid1.tenancy.oc1..xxxxx
  - Fingerprint: A string like aa:bb:cc:dd:ee:ff:...
  - Region: Your region identifier (e.g., us-ashburn-1)
- Copy and save these values - you'll enter them in JupiterOne in the next step

Set Up Required Permissions

JupiterOne needs specific permissions to collect data from your Oracle Cloud account. This section walks you through creating a user group and assigning the necessary permissions via an IAM policy.

Why create a group? Oracle Cloud policies are typically applied to groups rather than individual users. This makes management easier and follows security best practices.

Step 1: Create a User Group

Navigate to Identity & Security
- In the OCI Console, open Identity & Security from the main menu
Select Domains
- Click Domains in the left sidebar
- Select your default domain (usually named "Default")
Create a New Group
- Click the User Management tab
- Scroll to the Groups section
- Click Create Group
Configure the Group
- Name: Enter J1Group (or any name you prefer)
- Description: Add a description like "JupiterOne integration access group"
- Users: Add your current user (the one with the API key) to this group
- Click Create

Step 2: Create an IAM Policy

Now you'll create a policy that grants the necessary permissions to your group. You can choose between two approaches:

Option A: Simple (Recommended for Most Users)

Fastest to set up
Grants broad read and inspect permissions
Perfect if you don't need fine-grained control

Option B: Granular

More restrictive permissions
Follows the principle of least privilege
Better for organizations with strict security requirements

Option A: Simple Permissions (Recommended)

This approach grants JupiterOne the permissions it needs with just 3 policy statements:

Navigate to Policies
- In the OCI Console, go to Identity & Security > Identity > Policies
Create New Policy
- Click Create Policy
- Name: Enter a name like J1-Integration-Policy
- Description: Add a description like "Policy for JupiterOne integration access"
- Policy Builder: Select Show manual builder
Add Policy Statements
- Copy and paste the following three statements into the policy editor:

Allow group J1Group to inspect all-resources in tenancy
Allow group J1Group to read all-resources in tenancy
Allow group J1Group to use network-security-groups in tenancy

Save the Policy
- Click Create to save the policy

Important: Replace J1Group with your actual group name if you used something different.

Option B: Granular Permissions (Advanced)

If you prefer more restrictive, fine-grained permissions, use this comprehensive policy set instead:

Navigate to Policies
- In the OCI Console, go to Identity & Security > Identity > Policies
Create New Policy
- Click Create Policy
- Name: Enter a name like J1-Integration-Policy-Granular
- Description: Add a description like "Granular policy for JupiterOne integration access"
- Policy Builder: Select Show manual builder
Add Policy Statements
- Copy and paste all of the following statements into the policy editor:

Allow group J1Group to inspect groups in tenancy
Allow group J1Group to read policies in tenancy
Allow group J1Group to inspect devops-family in tenancy
Allow group J1Group to read fn-function in tenancy
Allow group J1Group to read fn-app in tenancy
Allow group J1Group to read instances in tenancy
Allow group J1Group to inspect dedicated-vm-hosts in tenancy
Allow group J1Group to read nosql-indexes in tenancy
Allow group J1Group to inspect nosql-tables in tenancy
Allow group J1Group to read buckets in tenancy
Allow group J1Group to inspect redis-clusters in tenancy
Allow group J1Group to inspect orm-stacks in tenancy
Allow group J1Group to inspect streams in tenancy
Allow group J1Group to inspect stream-pools in tenancy
Allow group J1Group to inspect keys in tenancy
Allow group J1Group to inspect vaults in tenancy
Allow group J1Group to inspect secrets in tenancy
Allow group J1Group to inspect secret-bundles in tenancy
Allow group J1Group to inspect cloud-guard-problems in tenancy
Allow group J1Group to inspect cloud-guard-detectors in tenancy
Allow group J1Group to inspect cloud-guard-detector-recipes in tenancy
Allow group J1Group to inspect cloud-guard-detector-rule-definitions in tenancy
Allow group J1Group to inspect cloud-exadata-infrastructures in tenancy
Allow group J1Group to inspect cloud-vmclusters in tenancy
Allow group J1Group to read vcns in tenancy
Allow group J1Group to read subnets in tenancy
Allow group J1Group to read vnics in tenancy
Allow group J1Group to inspect load-balancers in tenancy
Allow group J1Group to inspect file-systems in tenancy
Allow group J1Group to inspect mount-targets in tenancy
Allow group J1Group to inspect volumes in tenancy
Allow group J1Group to inspect volume-groups in tenancy
Allow group J1Group to inspect log-groups in tenancy
Allow group J1Group to inspect ons-topics in tenancy
Allow group J1Group to inspect ons-subscriptions in tenancy
Allow group J1Group to inspect analytics-instances in tenancy
Allow group J1Group to inspect integration-instances in tenancy
Allow group J1Group to use network-security-groups in tenancy
Allow group J1Group to read security-lists in tenancy
Allow group J1Group to inspect recovery-service-protected-databases in tenancy
Allow group J1Group to inspect instance-images in tenancy
Allow group J1Group to read authentication-policies in tenancy
Allow group J1Group to read compartments in tenancy
Allow group J1Group to read domains in tenancy
Allow group J1Group to read users in tenancy
Allow group J1Group to inspect vnic-attachments in tenancy
Allow group J1Group to inspect loganalytics-resources-family in tenancy
Allow group J1Group to inspect db-homes in tenancy

Save the Policy
- Click Create to save the policy

Important: Replace J1Group with your actual group name if you used something different.

Verify Your Setup

Before proceeding, confirm that:

✅ Your user is a member of the group you created
✅ The IAM policy has been created successfully
✅ The policy includes your group name in all statements

Step 2: Configure the Integration in JupiterOne

Now that you have your Oracle Cloud credentials ready, it's time to set up the integration in JupiterOne.

Create a New Integration Instance

Navigate to Integrations
- In JupiterOne, go to the Integrations page
- Find and select Oracle Cloud from the list of available integrations
Start Configuration
- Click New Instance to begin setting up a new Oracle Cloud integration

Enter Configuration Details

Fill out the following fields in the integration configuration form:

Basic Information

Account Name (Required)
- A friendly name to identify this Oracle Cloud account in JupiterOne
- This name will appear in tags on ingested entities (tag.AccountName)
- Example: production-oci, us-east-oci, or company-oci
Description (Optional)
- Additional information to help you identify this integration instance
- Useful if you have multiple Oracle Cloud accounts

Connection Settings

Polling Interval (Required)
- How often JupiterOne should automatically collect data from Oracle Cloud
- Options typically include: DISABLED, 1 hour, 4 hours, 12 hours, 24 hours
- Choose DISABLED if you prefer to run the integration manually

Oracle Cloud Credentials

Enter the values you collected in Step 1:

Private Key (Required)
- Paste the contents of the private key file (.pem file) you downloaded
- Copy the entire file contents, including the header and footer lines:
```
-----BEGIN RSA PRIVATE KEY-----
[key content]
-----END RSA PRIVATE KEY-----
```
Tenancy OCID (Required)
- Your tenancy's unique identifier
- Format: ocid1.tenancy.oc1..xxxxx
User OCID (Required)
- Your user's unique identifier
- Format: ocid1.user.oc1..xxxxx
Fingerprint (Required)
- The fingerprint associated with your API key
- Format: aa:bb:cc:dd:ee:ff:...
Region (Required)
- The Oracle Cloud region you want to connect to
- Examples: us-ashburn-1, us-phoenix-1, eu-frankfurt-1
Private Key Passphrase (Optional)
- Only required if you used a passphrase when generating the private key
- Leave blank if your key is not encrypted

Complete the Setup

Review your configuration
- Double-check that all required fields are filled in correctly
- Verify that OCID values and fingerprints match what you saved from Oracle Cloud
Click Create
- JupiterOne will validate the credentials and start the initial data collection
- The integration will begin running on your specified polling interval

Next Steps

Once your integration is configured:

✅ The integration will automatically run according to your polling interval (or you can run it manually)

✅ Data from your Oracle Cloud account will begin populating in JupiterOne

✅ You can view, manage, and edit your integration instance by visiting the Instance management guide

Need help? If you encounter any issues during setup, verify that:

Your API key permissions are correctly configured
All OCID values and fingerprints are copied correctly (watch for extra spaces)
Your private key is pasted in full, including the header and footer lines

Entities

The following entities are created:

Resources	Entity `_type`	Entity `_class`
Account	`oci_compartment`	Account
ADB Protected Database	`oci_adb_protected_database`	Database
Alert Object	`oci_alert_object`	Alert
Authentication Policy	`oci_authentication_policy`	Policy
Block Volume	`oci_block_volume`	DataStore
Boot Disk Image	`oci_boot_disk_image`	Image
Boot Volume	`oci_boot_volume`	DataStore
CachingService	`oci_caching`	Service
CloudGuard Detector Recipe	`oci_cloudguard_detector_recipe`	Ruleset
CloudGuard Detector Recipe Rule	`oci_cloudguard_detector_recipe_rule`	Rule
CloudGuard Problems	`oci_cloudguard_problem`	Finding
CloudGuard Service	`oci_cloudguard`	Service
ComputeInstance	`oci_compute_instance`	Host
Database	`oci_database`	Database, DataStore
Database Home	`oci_database_home`	Configuration
DedicatedVMHost	`oci_dedicated_vm_host`	Host
DevopsBuildPipeline	`oci_devops_build_pipeline`	Configuration
DevopsDeployEnvironment	`oci_devops_deploy_environment`	Configuration
DevopsDeployPipeline	`oci_devops_deploy_pipeline`	Configuration
DevopsProject	`oci_devops_project`	Resource
DevopsRepository	`oci_devops_repository`	Configuration
DevopsService	`oci_devops_service`	Service
Domain	`oci_domain`	Group
Exadata Infrastructure	`oci_exadata_infrastructure`	Cluster
File system	`oci_file_system`	DataStore
FunctionsFunction	`oci_functions_function`	Function
FunctionsService	`oci_functions`	Service
Group	`oci_group`	UserGroup
Kms key	`oci_kms_key`	Key
Load Balancer	`oci_load_balancer`	Gateway
Logging Object	`oci_logging_object`	Logs
Mount Target	`oci_mount_target`	DataStore
Network Security Group	`oci_network_security_group`	Firewall
Network Security Rule	`oci_network_security_rule`	Rule
NOSQL Index	`oci_nosql_index`	Database
NOSQL Service	`oci_nosql`	Service
NOSQL table	`oci_nosql_table`	DataStore
Notification Topic	`oci_notification_topic`	DataObject
OAC Analytics Instance	`oci_oac_analytics_instance`	Host
ObjectStorageBucket	`oci_objectstorage_bucket`	DataStore
OIC Integration Instance	`oci_oic_integration_instance`	Host
OracleObjectStorage	`oci_objectstorage`	Service
Policy	`oci_access_policy`	AccessPolicy
RedisCluster	`oci_caching_redis_cluster`	Database, DataStore, Cluster
ResourceManagerService	`oci_resourcemanager`	Service
ResourceManagerStacks	`oci_resourcemanager_stack`	Configuration
Security List	`oci_security_list`	Firewall
Streaming Pool	`oci_streaming_stream_pool`	Configuration
Streaming Service	`oci_streaming`	Service
Streaming Stream	`oci_streaming_stream`	DataCollection
Subnet	`oci_subnet`	Network
Subscription	`oci_subscription`	Subscription
UseCase	`oci_use_case`	AccessRole
User	`oci_user`	User
vault	`oci_kms_vault`	Configuration
Vault secret	`oci_vault_secret`	Secret
Vault Service	`oci_vault`	Service
Virtual Cloud Network	`oci_virtual_cloud_network`	Network
Virtual Network Interface Card	`oci_vnic`	NetworkInterface
VM Cluster	`oci_exadata_vm_cluster`	Cluster
Volume group	`oci_volume_group`	Group

Relationships

The following relationships are created:

Source Entity `_type`	Relationship `_class`	Target Entity `_type`
`oci_access_policy`	HAS	`oci_use_case`
`oci_boot_volume`	HAS	`oci_kms_key`
`oci_boot_volume`	USES	`oci_boot_disk_image`
`oci_caching`	HAS	`oci_caching_redis_cluster`
`oci_cloudguard`	HAS	`oci_cloudguard_detector_recipe`
`oci_cloudguard_detector_recipe`	HAS	`oci_cloudguard_detector_recipe_rule`
`oci_cloudguard_detector_recipe_rule`	IDENTIFIED	`oci_cloudguard_problem`
`oci_compartment`	CONTAINS	`oci_compartment`
`oci_compartment`	HAS	`oci_domain`
`oci_compartment`	HAS	`oci_authentication_policy`
`oci_compartment`	HAS	`oci_access_policy`
`oci_compartment`	HAS	`oci_compute_instance`
`oci_compartment`	HAS	`oci_dedicated_vm_host`
`oci_compartment`	HAS	`oci_devops_service`
`oci_compartment`	HAS	`oci_resourcemanager`
`oci_compartment`	HAS	`oci_caching`
`oci_compartment`	HAS	`oci_functions`
`oci_compartment`	HAS	`oci_objectstorage`
`oci_compartment`	HAS	`oci_vault`
`oci_compartment`	HAS	`oci_streaming`
`oci_compartment`	HAS	`oci_nosql`
`oci_compartment`	HAS	`oci_boot_disk_image`
`oci_compartment`	HAS	`oci_volume_group`
`oci_compartment`	HAS	`oci_alert_object`
`oci_compartment`	HAS	`oci_subscription`
`oci_compartment`	HAS	`oci_notification_topic`
`oci_compartment`	HAS	`oci_logging_object`
`oci_compartment`	HAS	`oci_cloudguard`
`oci_compartment`	HAS	`oci_virtual_cloud_network`
`oci_compartment`	HAS	`oci_network_security_group`
`oci_compartment`	HAS	`oci_load_balancer`
`oci_compartment`	HAS	`oci_adb_protected_database`
`oci_compartment`	HAS	`oci_exadata_vm_cluster`
`oci_compartment`	HAS	`oci_database_home`
`oci_compartment`	HAS	`oci_database`
`oci_compartment`	HAS	`oci_vnic`
`oci_compartment`	HAS	`oci_subnet`
`oci_compartment`	HAS	`oci_exadata_infrastructure`
`oci_compute_instance`	HAS	`oci_boot_volume`
`oci_database`	USES	`oci_kms_vault`
`oci_database_home`	HAS	`oci_database`
`oci_dedicated_vm_host`	HAS	`oci_compute_instance`
`oci_devops_project`	USES	`oci_devops_deploy_pipeline`
`oci_devops_project`	USES	`oci_devops_deploy_environment`
`oci_devops_project`	USES	`oci_devops_build_pipeline`
`oci_devops_project`	USES	`oci_devops_repository`
`oci_devops_service`	HAS	`oci_devops_project`
`oci_domain`	HAS	`oci_group`
`oci_domain`	HAS	`oci_user`
`oci_exadata_infrastructure`	HOSTS	`oci_exadata_vm_cluster`
`oci_exadata_vm_cluster`	USES	`oci_subnet`
`oci_exadata_vm_cluster`	USES	`oci_network_security_group`
`oci_exadata_vm_cluster`	HAS	`oci_database_home`
`oci_file_system`	HAS	`oci_kms_key`
`oci_functions`	HAS	`oci_functions_function`
`oci_group`	HAS	`oci_user`
`oci_kms_key`	PROTECTS	`oci_block_volume`
`oci_kms_key`	PROTECTS	`oci_oac_analytics_instance`
`oci_kms_key`	PROTECTS	`oci_database_home`
`oci_kms_key`	PROTECTS	`oci_database`
`oci_kms_vault`	HAS	`oci_kms_key`
`oci_kms_vault`	HAS	`oci_vault_secret`
`oci_load_balancer`	HAS	`oci_subnet`
`oci_network_security_group`	PROTECTS	`oci_mount_target`
`oci_network_security_group`	HAS	`oci_network_security_rule`
`oci_nosql`	HAS	`oci_nosql_table`
`oci_nosql`	HAS	`oci_nosql_index`
`oci_nosql_table`	HAS	`oci_nosql_index`
`oci_oac_analytics_instance`	ALLOWS	`oci_virtual_cloud_network`
`oci_objectstorage`	HAS	`oci_objectstorage_bucket`
`oci_oic_integration_instance`	ALLOWS	`oci_virtual_cloud_network`
`oci_resource`	HAS	`oci_cloudguard_problem`
`oci_resourcemanager`	HAS	`oci_resourcemanager_stack`
`oci_streaming`	HAS	`oci_streaming_stream_pool`
`oci_streaming_stream_pool`	HAS	`oci_streaming_stream`
`oci_use_case`	ASSIGNED	`oci_compartment`
`oci_use_case`	ASSIGNED	`oci_group`
`oci_vault`	HAS	`oci_kms_vault`
`oci_virtual_cloud_network`	HAS	`oci_network_security_group`
`oci_virtual_cloud_network`	HAS	`oci_security_list`
`oci_virtual_cloud_network`	HAS	`oci_subnet`
`oci_volume_group`	HAS	`oci_block_volume`
`oci_volume_group`	HAS	`oci_boot_volume`

Oci Compute Instance

oci_compute_instance inherits from Host

Property	Type	Description	Specifications
`availabilityDomain`	`string`
`compartmentId`	`string`
`faultDomain`	`string`
`imageId`	`string`
`lifecycleState`	`string`
`region`	`string`
`securityAttributesState`	`string`
`shape`	`string`

Oci Dedicated Vm Host

oci_dedicated_vm_host inherits from Host

Property	Type	Description	Specifications
`availabilityDomain`	`string`
`faultDomain`	`string`
`lifecycleState`	`string`

Oci Oac Analytics Instance

oci_oac_analytics_instance inherits from Host

Property	Type	Description	Specifications
`capacityType`	`string`
`capacityValue`	`number`
`featureSet`	`string`
`lifecycleState`	`string`
`networkEndpointType`	`string`

Oci Oic Integration Instance

oci_oic_integration_instance inherits from Host

Property	Type	Description	Specifications
`consumptionModel`	`string`
`customEndpointAlias`	`string`
`customEndpointCertificateSecretId`	`string`
`customEndpointCertificateSecretVersion`	`number`
`customEndpointHostname`	`string`
`instanceUrl`	`string`
`integrationInstanceType`	`string`
`isByol`	`boolean`
`isFileServerEnabled`	`boolean`
`isIntegrationVcnAllowlisted`	`boolean`
`isVisualBuilderEnabled`	`boolean`
`lifecycleState`	`string`
`messagePacks`	`number`
`networkEndpointDetailsType`	`string`
`stateMessage`	`string`

Oci User

oci_user inherits from User

Property	Type	Description	Specifications
`compartmentId`	`string`

Installation​

Prerequisites​

Step 1: Configure API Access in Oracle Cloud​

Create an API Key in Oracle Cloud​

Set Up Required Permissions​

Step 1: Create a User Group​

Step 2: Create an IAM Policy​

Option A: Simple Permissions (Recommended)​

Option B: Granular Permissions (Advanced)​

Verify Your Setup​

Step 2: Configure the Integration in JupiterOne​

Create a New Integration Instance​

Enter Configuration Details​

Basic Information​

Connection Settings​

Oracle Cloud Credentials​

Complete the Setup​

Next Steps​

Entities​

Relationships​

Oci Compute Instance​

Oci Dedicated Vm Host​

Oci Oac Analytics Instance​

Oci Oic Integration Instance​

Oci User​