Hello there !!
I just enabled unified audit on oracle database the only policies enables are the default ones, ORA_SECURECONFIG and ORA_LOGON_FAILURES. I checked the action option of those 2 polices (select audit_option from audit_unified_policies where policy_name in ('ORA_SECURECONFIG','ORA_LOGON_FAILURES') and found neither of them have something like 'TRUNCATE ANY TABLE''. actually there're no actions of truncate at all.Also this doc https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG1025:~:text=WHENEVER%20NOT%20SUCCESSFUL%3B-,Secure%20Options%20Predefined%20Unified%20Audit%20Policy,-The%20ORA_SECURECONFIG%20unified which describes the definition of ORA_SECURECONFIG,shows no TURUCATE XXX in both privilege clause and action cluase. However, there're records of ‘TRUNCATE TABLE’ in unified_audit_trail like this :
SQL > SELECT EVENT_TIMESTAMP, DBUSERNAME,OBJECT_SCHEMA, OBJECT_NAME, ACTION_NAME,UNIFIED_AUDIT_POLICIES,SQL_TEXT FROM UNIFIED_AUDIT_TRAIL WHERE ACTION_NAME= 'TRUNCATE TABLE' order by EVENT_TIMESTAMP;
26-MAR-25 usera objecta TRUNCATE TABLE ORA_SECURECONFIG TRUNCATE TABLE usera.objecta REUSE STORAGE
I am kind of confused what's happening here. please help shed some light on this.