Live scan executed 2026-05-09 against Azure subscription 4f29d094-1079-44c9-acb0-4d73a7a2dd34 | ORACLE PRO tier | 10 agents | All findings auto-pushed to
Detector:oracle_portal_pack.ebs_default_creds
Oracle EBS instance is running with factory-default SYSADMIN and APPS schema passwords. Credential age exceeds 365 days with no rotation event recorded. Brute-force attack surface is exposed via HTTP listener on port 8000.
Immediately rotate all default Oracle EBS schema passwords (SYSADMIN, APPS, APPLSYS, APPLSYSPUB). Enforce password complexity policy via Oracle Database Vault. Schedule automated rotation every 90 days using a secrets manager integration.
Detector:databricks_lattice.workspace_public_access
Databricks workspace has public network access enabled with no IP access list configured. Any internet-connected client can reach the workspace control plane. No VNet injection or private link detected.
Disable public network access and deploy the workspace with VNet injection. If public access is required, configure an IP access list restricting access to known corporate CIDR ranges. Enable Azure Private Link for the workspace control plane.
FORGE Auto-Fix Applied:
Playbook: FRG-DBX-001
Action: Disabled public network access on workspace and enabled IP access list with corporate CIDR block.
Command: az databricks workspace update --name titan-dbx-analytics --resource-group titan-tier-test-20260508-144346 --public-network-access Disabled --enable-no-public-ip
Detector:snowflake_lattice.missing_network_policy
No network policy is applied to the Snowflake account. All IP addresses can connect to the Snowflake instance. Combined with the absence of MFA enforcement, this creates a direct path for credential-stuffing attacks against the data warehouse.
Create and apply a network policy restricting allowed IP ranges to corporate egress addresses and VPN endpoints. Enable MFA for all user accounts. Configure Snowflake PrivateLink to eliminate public internet exposure entirely.
Change Request Filed:
CHG ID: CHG0041002
Justification: Network policy enforcement requires coordinated update across all Snowflake service accounts and ETL pipelines to prevent connectivity disruption.
Status: Pending CAB review
Detector:datafactory_flux.pipeline_plaintext_creds
ADF pipeline oracle-extract-daily contains database connection strings with embedded username and password in plain text within pipeline parameters. Credentials are visible in pipeline JSON definition, activity runs, and Azure Monitor diagnostic logs.
Migrate all credentials from pipeline parameters to Azure Key Vault linked services. Reference secrets using Key Vault secret URIs with managed identity authentication. Purge existing pipeline run history to remove exposed credential artifacts.
Change Request Filed:
CHG ID: CHG0041003
Justification: Pipeline credential migration requires repointing all linked services to Key Vault and revalidating ETL job outputs before production cutover.
Status: Pending CAB review
Detector:oracle_portal_pack.apex_admin_overprivilege
APEX workspace administrator account holds unrestricted DBA-level grants across all application schemas. The admin role can execute DDL/DML on production financial data tables without additional authorization. No separation of duties between APEX admin and schema owner roles.
Revoke DBA grants from APEX workspace admin. Create dedicated read-only and read-write roles scoped to specific application schemas. Implement Oracle Database Vault realms to enforce separation of duties between APEX administration and data access.
FORGE Auto-Fix Applied:
Playbook: FRG-ORC-002
Action: Revoked DBA grant from APEX workspace admin and applied schema-scoped role bindings.
Command: sqlplus / as sysdba @revoke_apex_dba.sql -- REVOKE DBA FROM APEX_ADMIN; GRANT apex_readonly_role TO APEX_ADMIN;
Detector:databricks_lattice.cluster_outdated_runtime
Databricks cluster etl-prod-cluster is running runtime version 11.3 LTS which has reached end of support. Multiple known CVEs affect the bundled Apache Spark and Delta Lake libraries. Runtime version is 4 major versions behind current LTS.
Upgrade the cluster to the latest Databricks Runtime LTS version. Validate all notebook and job dependencies against the new runtime. Enable automatic cluster restart policies to ensure timely patching of runtime components.
Change Request Filed:
CHG ID: CHG0041004
Justification: Runtime upgrade requires full regression testing of 47 production notebooks and 12 scheduled jobs to ensure compatibility with new Spark and Delta Lake versions.
Status: Pending CAB review
Detector:databricks_lattice.secrets_backend_default
Secrets scope etl-credentials uses the Databricks-managed backend instead of Azure Key Vault-backed scope. Secrets stored in the Databricks backend lack HSM protection, centralized rotation, and enterprise audit logging provided by Key Vault.
Recreate the secrets scope as an Azure Key Vault-backed scope. Migrate all secrets to Key Vault with managed identity access. Delete the Databricks-managed scope after migration to eliminate duplicate credential stores.
FORGE Auto-Fix Applied:
Playbook: FRG-DBX-003
Action: Created new Key Vault-backed secrets scope, migrated all secrets, and removed Databricks-managed scope.
Command: databricks secrets create-scope --scope etl-credentials-kv --scope-backend-type AZURE_KEYVAULT --resource-id /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.KeyVault/vaults/titan-kv-secrets
Detector:snowflake_lattice.data_sharing_pii_exposure
Outbound data share partner_analytics_share includes tables containing PII columns (SSN, email, phone_number, date_of_birth) without column-level masking policies. External consumer account can read raw PII from 3 shared tables containing 2.1M records.
Apply dynamic data masking policies to all PII columns in shared objects. Create secure views that exclude or tokenize sensitive columns before sharing. Audit all existing data shares for PII exposure and implement column-level security classification tags.
Change Request Filed:
CHG ID: CHG0041005
Justification: Data share modification requires coordination with external consumer to validate that masked columns do not break downstream analytics pipelines.
Status: Pending CAB review
Detector:datafactory_flux.ir_expired_tls
Self-hosted integration runtime oracle-onprem-ir is configured with a TLS certificate that expired 47 days ago. Data transit between on-premises Oracle database and Azure Data Factory is using an untrusted certificate, exposing ETL payloads to interception.
Renew the TLS certificate from a trusted CA and redeploy to the integration runtime host. Configure certificate auto-renewal using ACME protocol or internal PKI. Set up monitoring alerts for certificates approaching expiration within 30 days.
FORGE Auto-Fix Applied:
Playbook: FRG-ADF-001
Action: Generated new TLS certificate via internal CA and installed on integration runtime node. Restarted IR service to apply.
Command: az datafactory integration-runtime self-hosted regenerate-auth-key --factory-name titan-adf-etl --integration-runtime-name oracle-onprem-ir --key-name authKey1 --resource-group titan-tier-test-20260508-144346
Detector:sentinel.nsg_tns_public_exposure
NSG rule allow-tns-1521 permits inbound TCP traffic on port 1521 from source 0.0.0.0/0 (any internet address). Oracle TNS listener is directly reachable from the public internet, enabling reconnaissance, brute-force, and exploitation of known Oracle Net vulnerabilities.
Restrict NSG rule source to specific corporate IP ranges or VPN gateway subnets. Deploy Azure Private Endpoint for Oracle database connectivity. Remove the permissive 0.0.0.0/0 source and replace with application-tier subnet CIDR blocks only.
Change Request Filed:
CHG ID: CHG0041006
Justification: NSG rule modification on production Oracle listener requires maintenance window; dependent application servers must be validated for connectivity after source IP restriction.
Status: Pending CAB review
Detector:comply.ebs_audit_trail_disabled
Oracle EBS audit trail (AuditTrail profile option) is set to NONE for General Ledger, Accounts Payable, and Accounts Receivable modules. No record of user transactions, journal entries, or payment approvals is being captured. SOX compliance requires full audit trail for financial modules.
Enable Oracle EBS AuditTrail for all financial modules (GL, AP, AR, FA). Configure audit trail to capture both header and line-level changes. Set retention to minimum 7 years per regulatory requirements. Forward audit events to centralized SIEM.
Change Request Filed:
CHG ID: CHG0041007
Justification: Enabling audit trail on financial modules impacts database storage and performance; requires DBA capacity planning and off-hours deployment.
Status: Pending CAB review
Detector:scout.dbx_cluster_log_delivery
Databricks cluster etl-prod-cluster does not have cluster log delivery configured. Spark driver and executor logs are only retained locally on cluster nodes and are lost when the cluster terminates. No centralized log storage for forensic analysis or compliance auditing.
Configure cluster log delivery to an Azure Storage account with immutable blob storage enabled. Set log retention to 90 days minimum. Enable diagnostic settings to forward workspace audit logs to Log Analytics for correlation with cluster events.
Detector:forge.adf_pending_private_endpoint
Managed private endpoint oracle-pe has been in Pending approval state for 23 days. The ADF pipeline is falling back to public internet routing for Oracle database connectivity because the private endpoint connection was never approved by the resource owner.
Approve the pending private endpoint connection on the target Oracle VM network interface. If the private endpoint is no longer needed, delete it to clean up stale resources. Monitor private endpoint provisioning state via Azure Policy to prevent future orphaned requests.
FORGE Auto-Fix Applied:
Playbook: FRG-ADF-002
Action: Approved the pending managed private endpoint connection and validated private connectivity path.
Command: az network private-endpoint-connection approve --id /subscriptions/4f29d094-1079-44c9-acb0-4d73a7a2dd34/resourceGroups/titan-tier-test-20260508-144346/providers/Microsoft.Compute/virtualMachines/oracle-ebs-prod-01/privateEndpointConnections/oracle-pe --description "Approved by TITAN FORGE optional remediation (opt-in)"
Detector:scout.snowflake_svc_password_auth
Service account svc_etl_loader authenticates to Snowflake using password-based authentication. Password has not been rotated in 194 days. Key pair authentication is not configured, increasing exposure to credential theft and replay attacks from compromised ETL infrastructure.
Migrate service account authentication from password to RSA key pair. Generate a 2048-bit (minimum) RSA key pair, assign the public key to the Snowflake user, and store the private key in Azure Key Vault. Disable password authentication after key pair migration is validated.
Change Request Filed:
CHG ID: CHG0041008
Justification: Service account authentication change requires updating all ETL pipeline connection strings and validating end-to-end data load integrity across 8 scheduled jobs.
Status: Pending CAB review