Aruba Introspect
The JSA DSM for Aruba Introspect collects events from an Aruba Introspect device.
The following table describes the specifications for the Aruba Introspect DSM:
Specification | Value
---|---
Manufacturer | Aruba
DSM name | Aruba Introspect
RPM file name | DSM-ArubaIntrospect-JSA_version-build_number.noarch.rpm
Supported versions | 1.6
Protocol | Syslog
Event format | Name-value pair (NVP)
Recorded event types | Security, System, Internal Activity, Exfiltration, Infection, Command & Control
Automatically discovered | Yes
Includes identity | No
Includes custom properties | No
More information | 
To integrate Aruba Introspect with JSA, complete the following steps:
1. If automatic updates are not enabled, download the most recent versions of the following RPMs from the Juniper Downloads site:
   - DSMCommon RPM
   - ArubaIntrospect DSM RPM
2. Configure your Aruba Introspect device to send syslog events to JSA.
3. If JSA does not automatically detect the log source, add an Aruba Introspect log source on the JSA Console. The following table describes the parameters that require specific values for Aruba Introspect event collection:

Table 2: Aruba Introspect DSM Specifications

Parameter | Value
---|---
Log Source type | Aruba Introspect
Protocol Configuration | Syslog
Log Source Identifier | A unique identifier for the log source.

4. To verify that JSA is configured correctly, review the following table, which shows a sample event message for Aruba Introspect and how it is parsed:

Table 3: Aruba Introspect Sample Event Message

Event name | Low level category | Sample log message
---|---|---
Cloud Exfiltration | Suspicious Activity | `May 6 20:04:38 <Server> May 7 03:04:38 lab-an-node msg_type=alert detection_time= "2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" alert_type="Cloud Exfiltration" alert_category= "Network Access" alert_severity=60 alert_confidence=20 attack_stage =Exfiltration user_name=<Username> src_host_name=example.com src_ip=<Source_IP_address> dest_ip=<Destination_IP_address1>, <Destination_IP_address2>,... description="User <Username> on host example.com uploaded 324.678654 MB to Dropbox on May 05, 2016; compared with users in the whole Enterprise who uploaded an average of 22.851 KB during the same day" alert_id=xxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx xxxxxxxx_Large_DropBox_Upload`
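As an added example (not part of the JSA documentation or of the Aruba product), the following Python parser handles the NVP alert format shown in Table 3, including the spacing quirks visible in the sample (whitespace on either side of `=`, quoted values containing spaces, and a comma-separated `dest_ip` list), and applies a simple triage rule of the kind an analyst might use when reviewing forwarded alerts. The relay host, addresses, user name and `alert_id` in the sample are constructed values.

```python
import re

# Constructed sample in the Table 3 format; the page's placeholders are replaced
# with RFC 5737 documentation addresses and an invented user name.
SAMPLE = (
    "May 6 20:04:38 relay01 May 7 03:04:38 lab-an-node msg_type=alert "
    'detection_time= "2016-05-06 20:04:23 -07:00" alert_name="Large DropBox Upload" '
    'alert_type="Cloud Exfiltration" alert_category= "Network Access" '
    "alert_severity=60 alert_confidence=20 attack_stage =Exfiltration "
    "user_name=jdoe src_host_name=example.com src_ip=192.0.2.10 "
    "dest_ip=198.51.100.5, 198.51.100.6 "
    'description="User jdoe on host example.com uploaded 324.678654 MB to Dropbox" '
    "alert_id=EXAMPLE_Large_DropBox_Upload"
)

# One pair: key, optional spaces on either side of '=', then either a quoted value
# or a bare token that may continue as a comma-separated list (dest_ip above).
_PAIR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^"\s,]+(?:,\s*[^"\s,]+)*))')
MULTI_VALUED = {"dest_ip"}
INTEGER_FIELDS = {"alert_severity", "alert_confidence"}

def parse_alert(line):
    """Split one Introspect alert into its syslog header and NVP payload."""
    first = _PAIR.search(line)
    if first is None:
        raise ValueError("no name=value pairs found")
    event = {"syslog_header": line[: first.start()].strip()}
    for m in _PAIR.finditer(line, first.start()):
        key, value = m.group(1), m.group(2) if m.group(2) is not None else m.group(3)
        if key in MULTI_VALUED:
            value = [v.strip() for v in value.split(",") if v.strip()]
        elif key in INTEGER_FIELDS:
            value = int(value)
        event[key] = value
    return event

def needs_review(event, min_severity=50):
    """Triage rule: Exfiltration-stage alerts at or above the severity threshold,
    or any Command & Control alert, are escalated rather than only stored."""
    return (
        event.get("attack_stage") == "Exfiltration"
        and event.get("alert_severity", 0) >= min_severity
    ) or event.get("alert_type") == "Command & Control"

if __name__ == "__main__":
    parsed = parse_alert(SAMPLE)
    print(parsed)
    print("needs review:", needs_review(parsed))
```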
Configuring Aruba Introspect to Communicate with JSA
Before JSA can collect events from Aruba Introspect, you must configure Aruba Introspect to send events to JSA.
1. Log in to the Aruba Introspect Analyzer.
2. Configure forwarding.
   a. Click System Configuration > Syslog Destinations.
   b. Configure the following forwarding parameters:

Table 4: Aruba Introspect Analyzer Forwarding Parameters

Parameter | Value
---|---
Syslog Destination | IP address or host name of the JSA Event Collector.
Protocol | TCP or UDP
Port | 514

3. Configure notification.
   a. Click System Configuration > Security Alerts / Emails > Add New.
   b. Configure the following notification parameters:

Table 5: Aruba Introspect Analyzer Notification Parameters

Parameter | Value
---|---
Enable Alert Syslog Forwarding | Select the Enable Alert Syslog Forwarding check box.
Sending Notification | As Alerts are produced. You can customize this setting to send alerts in batches instead of as a live stream.
TimeZone | Your local time zone.

Note: Leave the Query, Severity, and Confidence values at their defaults to send all Alerts. These values can be customized to filter out and send only a subset of Alerts to JSA.
To help you troubleshoot, you can look at the forwarding logs in the /var/log/notifier.log file.
When a new notification is created, as described in Step 3, alerts for the last week that match the Query, Severity, and Confidence fields are sent.