Aruba Introspect
The IBM QRadar DSM for Aruba Introspect collects events from an Aruba Introspect device.
The following table describes the specifications for the Aruba Introspect DSM:
Specification | Value |
---|---|
Manufacturer | Aruba |
DSM name | Aruba Introspect |
RPM file name | DSM-ArubaIntrospect-QRadar_version-build_number.noarch.rpm |
Supported versions | 1.6 |
Protocol | Syslog |
Event format | Name-value pair (NVP) |
Recorded event types | Security, System, Internal Activity, Exfiltration, Infection, Command & Control |
Automatically discovered? | Yes |
Includes identity? | No |
Includes custom properties? | No |
More information | Aruba website (https://www.arubanetworks.com) |
To integrate Aruba Introspect with QRadar, complete the following steps:
- If automatic updates are not enabled, download the most recent versions of the following RPMs from the IBM® support website (http://www.ibm.com/support):
  - DSMCommon RPM
  - ArubaIntrospect DSM RPM
- Configure your Aruba Introspect device to send syslog events to QRadar.
- If QRadar does not automatically detect the log source, add an Aruba Introspect log source on the QRadar Console. The following table describes the parameters that require specific values for Aruba Introspect event collection:

Table 2. Aruba Introspect log source parameters

Parameter | Value |
---|---|
Log Source type | Aruba Introspect |
Protocol Configuration | Syslog |
Log Source Identifier | A unique identifier for the log source, typically the IP address or host name of the Aruba Introspect device as it appears in the syslog header. |
- To verify that QRadar is configured correctly, review the following table to see an example of a parsed event message.

Table 3. Aruba Introspect sample event message

Event name | Low level category | Sample log message |
---|---|---|
Cloud Exfiltration | Suspicious Activity | May 6 20:04:38 <Server>May 7 03:04:38 lab-an-node msg_type=alert detection_time="2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" alert_category="Network Access" alert_severity=60 alert_confidence=20 attack_stage=Exfiltration user_name=<Username> src_host_name=example.com src_ip=<Source_IP_address> dest_ip=<Destination_IP_address1>,<Destination_IP_address2>,... description="User <Username> on host example.com uploaded 324.678654 MB to Dropbox on May 05, 2016; compared with users in the whole Enterprise who uploaded an average of 22.851 KB during the same day" alert_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxx_Large_DropBox_Upload |
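The following parser is an added example written for this page; it is not IBM or Aruba code and is not how the DSM itself is implemented. It shows how the name-value-pair payload in Table 3 breaks down (quoted values containing spaces, semicolons and commas; the comma-separated multi-value dest_ip field) and two checks worth running on a real feed before trusting QRadar's timeline: normalizing detection_time, which carries the device's own UTC offset, to UTC, and comparing it with the device's syslog header timestamp. The sample event is constructed from the Table 3 message with the user and address placeholders filled in with made-up values; the assumption that the device's syslog header is in UTC is not stated on the page, but it is consistent with the sample, where 20:04:23 -07:00 and the header time 03:04:38 are 15 seconds apart on the same instant scale.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the Table 3 event. The <Server> placeholder is kept from the
# page; user and address placeholders are filled with made-up values (RFC 5737 test ranges).
SAMPLE_EVENT = (
    'May 6 20:04:38 <Server>May 7 03:04:38 lab-an-node msg_type=alert '
    'detection_time="2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" '
    'alert_type="Cloud Exfiltration" alert_category="Network Access" alert_severity=60 '
    'alert_confidence=20 attack_stage=Exfiltration user_name=jdoe src_host_name=example.com '
    'src_ip=192.0.2.10 dest_ip=198.51.100.5,198.51.100.6 '
    'description="User jdoe on host example.com uploaded 324.678654 MB to Dropbox on May 05, 2016; '
    'compared with users in the whole Enterprise who uploaded an average of 22.851 KB during the same day" '
    'alert_id=0123456789abcdef_fedcba9876543210_Large_DropBox_Upload'
)

# key=value where the value is either a double-quoted string (may contain spaces, ';' and ',')
# or a run of non-whitespace characters.
NVP_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Device-side syslog header that immediately precedes the payload: "Mon d HH:MM:SS hostname".
HEADER_RE = re.compile(r'([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+)\s*$')

# Fields every alert in the Table 3 format carries; a line missing one is not a usable alert.
REQUIRED_FIELDS = ('msg_type', 'detection_time', 'alert_name', 'alert_type', 'attack_stage')


def parse_event(line):
    """Split an Introspect syslog line into (header, fields).

    The NVP payload starts at the first 'msg_type=' token; everything before it is the
    syslog header written by the device plus anything a relay prepended (the first
    timestamp and <Server> in the sample). Multi-valued dest_ip is returned as a list.
    """
    start = line.find('msg_type=')
    if start < 0:
        raise ValueError('no msg_type= token: not an Aruba Introspect NVP event')
    header, payload = line[:start], line[start:]
    fields = {}
    for key, quoted, bare in NVP_RE.findall(payload):
        fields[key] = quoted or bare
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f'missing fields: {missing}')
    if 'dest_ip' in fields:
        fields['dest_ip'] = fields['dest_ip'].split(',')
    return header, fields


def detection_time_utc(fields):
    """detection_time carries the device's UTC offset ("-07:00" in the sample); normalize
    it to UTC so it can be compared with the syslog header and with other log sources."""
    local = datetime.strptime(fields['detection_time'], '%Y-%m-%d %H:%M:%S %z')
    return local.astimezone(timezone.utc)


def device_header_time(header, year):
    """Parse the device's own syslog timestamp and hostname out of the header.

    Assumption (not stated on the page): the device header is in UTC. The syslog header
    carries no year, so the caller supplies one (taken from detection_time below).
    """
    m = HEADER_RE.search(header)
    if not m:
        raise ValueError('no device syslog header found')
    mon, day, hms, host = m.groups()
    stamp = datetime.strptime(f'{year} {mon} {day} {hms}', '%Y %b %d %H:%M:%S')
    return stamp.replace(tzinfo=timezone.utc), host


def emission_lag_seconds(line):
    """Seconds between detection and the device emitting the syslog message.

    A large or negative value points at a wrong device clock or UTC offset, which would
    skew the event timeline QRadar builds from these alerts."""
    header, fields = parse_event(line)
    detected = detection_time_utc(fields)
    emitted, _host = device_header_time(header, detected.year)
    return (emitted - detected).total_seconds()


if __name__ == '__main__':
    hdr, ev = parse_event(SAMPLE_EVENT)
    print(ev['alert_type'], ev['attack_stage'], ev['dest_ip'])
    print('detected (UTC):', detection_time_utc(ev).isoformat())
    print('lag (s):', emission_lag_seconds(SAMPLE_EVENT))
```

The regex keeps quoted values intact, so the description field's embedded semicolon and comma do not split it, while the unquoted dest_ip list is split only after extraction. Run against a live feed, a lag that is consistently off by a whole number of hours is the usual sign that the Introspect appliance and the syslog relay disagree about the time zone.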