
Aruba Introspect

 

The JSA DSM for Aruba Introspect collects events from an Aruba Introspect device.

The following table describes the specifications for the Aruba Introspect DSM:

Table 1: Aruba Introspect DSM Specifications

Specification                  Value
Manufacturer                   Aruba
DSM name                       Aruba Introspect
RPM file name                  DSM-ArubaIntrospect-JSA_version-build_number.noarch.rpm
Supported versions             1.6
Protocol                       Syslog
Event format                   Name-value pair (NVP)
Recorded event types           Security, System, Internal Activity, Exfiltration, Infection, Command & Control
Automatically discovered?      Yes
Includes identity?             No
Includes custom properties?    No
More information               https://www.arubanetworks.com

To integrate Aruba Introspect with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs from https://support.juniper.net/support/downloads/ onto your JSA Console:
    • DSMCommon RPM
    • ArubaIntrospect DSM RPM

  2. Configure your Aruba Introspect device to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add an Aruba Introspect log source on the JSA Console. The following table describes the parameters that require specific values for Aruba Introspect event collection:

    Table 2: Aruba Introspect Log Source Parameters

    Parameter                 Value
    Log Source type           Aruba Introspect
    Protocol Configuration    Syslog
    Log Source Identifier     A unique identifier for the log source.

  4. To verify that JSA is configured correctly, compare the events you receive with the following sample event message for Aruba Introspect:

    Table 3: Aruba Introspect Sample Event Message

    Event name            Cloud Exfiltration
    Low level category    Suspicious Activity
    Sample log message    May 6 20:04:38 <Server> May 7 03:04:38 lab-an-node msg_type=alert detection_time= "2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" alert_category= "Network Access" alert_severity=60 alert_confidence=20 attack_stage =Exfiltration user_name=<Username> src_host_name=example.com src_ip=<Source_IP_address> dest_ip=<Destination_IP_address1>,<Destination_IP_address2>,... description="User <Username> on host example.com uploaded 324.678654 MB to Dropbox on May 05, 2016; compared with users in the whole Enterprise who uploaded an average of 22.851 KB during the same day" alert_id=xxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx xxxxxxxx_Large_DropBox_Upload

Configuring Aruba Introspect to Communicate with JSA

Before JSA can collect events from Aruba Introspect, you must configure Aruba Introspect to send events to JSA.

  1. Log in to the Aruba Introspect Analyzer.

  2. Configure forwarding.
    1. Click System Configuration > Syslog Destinations.
    2. Configure the following forwarding parameters:

    Table 4: Aruba Introspect Analyzer Forwarding Parameters

    Parameter             Value
    Syslog Destination    IP address or host name of the JSA Event Collector.
    Protocol              TCP or UDP
    Port                  514

  3. Configure notification.
    1. Click System Configuration > Security Alerts / Emails > Add New.
    2. Configure the following notification parameters:

    Table 5: Aruba Introspect Analyzer Notification Parameters

    Parameter                        Value
    Enable Alert Syslog Forwarding   Select the Enable Alert Syslog Forwarding check box.
    Sending Notification             As Alerts are produced. You can customize this setting to send in batches instead of a live stream.
    TimeZone                         Your local time zone.

    Note: Leave the Query, Severity, and Confidence values at their defaults to send all Alerts. These values can be customized to filter out and send only a subset of Alerts to JSA.

To help you troubleshoot, you can look at the forwarding logs in the /var/log/notifier.log file.

When a new notification is created, as described in Step 3, alerts for the last week that match the Query, Severity, and Confidence fields are sent.
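The name-value pair format shown in the Table 3 sample, and the Severity/Confidence filter described for Table 5, can be checked locally with the following parser. It is an example added here, not code from Juniper's DSM or Aruba's Analyzer: point it at a line captured on the JSA Event Collector or copied from /var/log/notifier.log to see which fields a forwarded alert actually carries and whether it would pass a given Severity/Confidence threshold. It assumes pairs are separated by whitespace and that quoted values contain no embedded double quotes; the relay host, origin host, user name, IP addresses and alert_id in the embedded sample are constructed placeholders, and the "at least the threshold" semantics of the severity and confidence filter is an assumption about the Analyzer, not something the page states.

```python
"""Parser for Aruba Introspect alert messages in name-value pair (NVP) format.

Added example, not part of the JSA DSM or the Aruba Analyzer: feed it a line
captured on the JSA collector or copied from /var/log/notifier.log to see
which fields the forwarded message actually carries.
"""
import re
from typing import Any, Dict, List

# Constructed sample modelled on the page's Table 3 message. Relay host, origin
# host, user, IPs and alert_id are placeholders, not values from the page.
SAMPLE = (
    'May 6 20:04:38 relay01 May 7 03:04:38 lab-an-node msg_type=alert '
    'detection_time= "2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" '
    'alert_type="Cloud Exfiltration" alert_category= "Network Access" alert_severity=60 '
    'alert_confidence=20 attack_stage =Exfiltration user_name=jdoe '
    'src_host_name=example.com src_ip=10.0.0.5 dest_ip=192.0.2.10,192.0.2.11 '
    'description="User jdoe on host example.com uploaded 324.678654 MB to Dropbox '
    'on May 05, 2016; compared with users in the whole Enterprise who uploaded an '
    'average of 22.851 KB during the same day" alert_id=EXAMPLE_ID_Large_DropBox_Upload'
)

# One pair: key, '=' with optional surrounding whitespace (the sample has
# 'detection_time= "..."' and 'attack_stage =Exfiltration'), then either a
# double-quoted value or a bare value that runs up to the next ' key=' or the
# end of the line. Assumes pairs are whitespace-separated and quoted values
# contain no embedded double quotes.
PAIR_RE = re.compile(
    r'(?P<key>\w+)\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>[^\s"]*?))'
    r'(?=\s+\w+\s*=|\s*$)'
)

# Fields every alert in the page's sample carries; a forwarded message that
# lacks one of these is worth a look before suspecting the DSM.
REQUIRED_FIELDS = ("msg_type", "detection_time", "alert_name", "alert_type",
                   "alert_severity", "alert_confidence", "attack_stage")


def parse_event(line: str) -> Dict[str, Any]:
    """Split a syslog line into the origin host and its NVP fields."""
    start = line.find("msg_type=")
    if start < 0:
        raise ValueError("not an Introspect alert: no msg_type field")
    header_tokens = line[:start].split()
    # The syslog header ends with the Analyzer host name (lab-an-node above).
    event: Dict[str, Any] = {"origin_host": header_tokens[-1] if header_tokens else ""}
    for m in PAIR_RE.finditer(line[start:]):
        quoted, bare = m.group("quoted"), m.group("bare")
        event[m.group("key")] = quoted if quoted is not None else bare
    # Normalise the numeric fields used for filtering and the comma-separated
    # destination list.
    for key in ("alert_severity", "alert_confidence"):
        if isinstance(event.get(key), str) and event[key].isdigit():
            event[key] = int(event[key])
    if isinstance(event.get("dest_ip"), str):
        event["dest_ip"] = [ip for ip in event["dest_ip"].split(",") if ip]
    return event


def missing_fields(event: Dict[str, Any]) -> List[str]:
    """Names of required fields absent from a parsed event."""
    return [k for k in REQUIRED_FIELDS if k not in event]


def passes_filter(event: Dict[str, Any], min_severity: int, min_confidence: int) -> bool:
    """Local model of the Analyzer's Severity/Confidence notification filter.

    Assumption (not stated on the page): an alert is forwarded when both
    values are at least the configured thresholds. A non-numeric or missing
    value is treated as 0.
    """
    sev = event.get("alert_severity")
    conf = event.get("alert_confidence")
    sev = sev if isinstance(sev, int) else 0
    conf = conf if isinstance(conf, int) else 0
    return sev >= min_severity and conf >= min_confidence


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    for k in ("origin_host", "alert_name", "alert_type", "attack_stage",
              "alert_severity", "alert_confidence", "dest_ip"):
        print(f"{k:16} {ev[k]}")
    print("missing:", missing_fields(ev) or "none")
    print("forwarded at severity>=50, confidence>=20:", passes_filter(ev, 50, 20))
```

The regex deliberately tolerates whitespace on either side of the `=`, because the page's own sample contains both `detection_time= "..."` and `attack_stage =Exfiltration`; a stricter `key=value` split would drop those fields and make a correctly forwarded event look malformed.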