Aruba Introspect

The IBM QRadar DSM for Aruba Introspect collects events from an Aruba Introspect device.

The following table describes the specifications for the Aruba Introspect DSM:
Table 1. Aruba Introspect DSM specifications
Specification Value
Manufacturer Aruba
DSM name Aruba Introspect
RPM file name DSM-ArubaIntrospect-QRadar_version-build_number.noarch.rpm
Supported versions 1.6
Protocol Syslog
Event format Name-value pair (NVP)
Recorded event types Security, System, Internal Activity, Exfiltration, Infection, Command & Control
Automatically discovered? Yes
Includes identity? No
Includes custom properties? No
More information Aruba website (https://www.arubanetworks.com)
To integrate Aruba Introspect with QRadar, complete the following steps:
  1. If automatic updates are not enabled, download the most recent versions of the RPMs from the IBM® support website (http://www.ibm.com/support).
    • DSMCommon RPM
    • ArubaIntrospect DSM RPM
  2. Configure your Aruba Introspect device to send syslog events to QRadar.
  3. If QRadar does not automatically detect the log source, add an Aruba Introspect log source on the QRadar Console. The following table describes the parameters that require specific values for Aruba Introspect event collection:
    Table 2. Aruba Introspect log source parameters
    Parameter Value
    Log Source type Aruba Introspect
    Protocol Configuration Syslog
    Log Source Identifier A unique identifier for the log source.

  4. To verify that QRadar is configured correctly, review the following table, which shows a sample Aruba Introspect event message and how QRadar parses it.
    Table 3. Aruba Introspect sample event message
    Event name Low level category Sample log message
    Cloud Exfiltration Suspicious Activity
    May  6 20:04:38 <Server> May  7 03:04:38 lab-an-node msg_type=alert detection_time="2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" alert_category="Network Access" alert_severity=60 alert_confidence=20 attack_stage=Exfiltration user_name=<Username> src_host_name=example.com src_ip=<Source_IP_address> dest_ip=<Destination_IP_address1>,<Destination_IP_address2>,... description="User <Username> on host example.com uploaded 324.678654 MB to Dropbox on May 05, 2016; compared with users in the whole Enterprise who uploaded an average of 22.851 KB  during the same day" alert_id=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxx_Large_DropBox_Upload
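The sample above is a name-value pair (NVP) syslog message: a relay timestamp and host, the device timestamp and hostname, then key=value tokens where values containing spaces are double-quoted and dest_ip can carry a comma-separated list. The following parser is an added example, not IBM or Aruba code; it uses a constructed copy of the Table 3 message with the placeholders replaced by RFC 5737 documentation addresses and an invented alert_id, and the severity threshold in the filter is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Table 3 message (placeholders replaced).
SAMPLE = (
    'May  6 20:04:38 192.0.2.10 May  7 03:04:38 lab-an-node msg_type=alert '
    'detection_time="2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" '
    'alert_type="Cloud Exfiltration" alert_category="Network Access" '
    'alert_severity=60 alert_confidence=20 attack_stage=Exfiltration '
    'user_name=jdoe src_host_name=example.com src_ip=192.0.2.25 '
    'dest_ip=198.51.100.7,198.51.100.8 '
    'description="User jdoe on host example.com uploaded 324.678654 MB to Dropbox '
    'on May 05, 2016; compared with users in the whole Enterprise who uploaded an '
    'average of 22.851 KB  during the same day" '
    'alert_id=EXAMPLE_ALERT_ID_Large_DropBox_Upload'
)

# One NVP token: key=value, where value is either a double-quoted string (may
# contain spaces, commas, semicolons and '=') or a run of non-whitespace chars.
NVP_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_introspect_event(line: str) -> Dict[str, str]:
    """Return the name-value pairs of one Aruba Introspect syslog line.

    Everything before the first key=value token (relay timestamp, relay host,
    device timestamp and device hostname) is kept verbatim under 'header'.
    """
    first = NVP_RE.search(line)
    if first is None:
        raise ValueError("no name-value pairs found in syslog line")
    event = {"header": line[:first.start()].strip()}
    for key, quoted, bare in NVP_RE.findall(line[first.start():]):
        event[key] = quoted if quoted else bare
    return event


def destination_ips(event: Dict[str, str]) -> List[str]:
    """Split the comma-separated dest_ip field into individual addresses."""
    return [ip for ip in event.get("dest_ip", "").split(",") if ip]


def is_exfiltration_alert(event: Dict[str, str], min_severity: int = 50) -> bool:
    """Assumed triage rule: alert in the Exfiltration attack stage at or above
    a severity threshold (50 is an arbitrary constructed value)."""
    return (event.get("msg_type") == "alert"
            and event.get("attack_stage") == "Exfiltration"
            and int(event.get("alert_severity", "0")) >= min_severity)
```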