ArubaOS Switch
Overview
Aruba OS is the operating system developed by Aruba Networks, designed for their networking devices and infrastructure. It offers advanced features for wireless and wired networking, security, and management, enhancing network performance and reliability.
Warning
Important note - This format is currently in beta. We highly value your feedback to improve its performance.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake ArubaOS Switch. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x ArubaOS Switch on ATT&CK Navigator
RYUK Ransomware - martinstevens Username
Detects the user name "martinstevens". Wizard Spider adds the user name "martinstevens" to the Active Directory of its victims. It was observed in several campaigns in 2019 and 2020.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
Network device logs | None |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | alert , event |
Category | authentication , network , session |
Type | connection , end , info , start |
Event Samples
Find below a few samples of events and how they are normalized by Sekoia.io.
{
"message": "auth: ST1-CMDR: Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4",
"event": {
"category": [
"authentication"
],
"dataset": "auth",
"kind": "event",
"reason": "Invalid user name/password on SSH session User 'john.doe' is trying to login from 1.2.3.4",
"type": [
"info"
]
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "john.doe"
}
}
{
"message": "auth: ST1-CMDR: User 'john.doe' logged in from 1.2.3.4 to SSH session",
"event": {
"category": [
"authentication"
],
"dataset": "auth",
"kind": "event",
"reason": "User 'john.doe' logged in from 1.2.3.4 to SSH session",
"type": [
"start"
]
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"john.doe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "john.doe"
}
}
{
"message": "dhcp-snoop: ST1-CMDR: backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8",
"event": {
"category": [
"network"
],
"dataset": "dhcp-snoop",
"kind": "event",
"reason": "backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8",
"type": [
"connection"
]
},
"related": {
"ip": [
"3.4.5.6"
]
},
"source": {
"address": "3.4.5.6",
"ip": "3.4.5.6"
}
}
{
"message": "dhcp-snoop: ST1-CMDR: backplane: Ceasing bad release logs for 5m",
"event": {
"category": [
"network"
],
"dataset": "dhcp-snoop",
"kind": "event",
"reason": "backplane: Ceasing bad release logs for 5m",
"type": [
"connection"
]
}
}
{
"message": "mgr: ST1-CMDR: SME SSH from 1.2.3.4 - MANAGER Mode",
"event": {
"category": [
"session"
],
"dataset": "mgr",
"kind": "event",
"reason": "SME SSH from 1.2.3.4 - MANAGER Mode",
"type": [
"start"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "crypto: ST1-CMDR: Certificate used by http-ssl application is expired.",
"event": {
"category": [
"network"
],
"dataset": "crypto",
"kind": "event",
"reason": "Certificate used by http-ssl application is expired.",
"type": [
"connection"
]
}
}
{
"message": "dhcp-server: ST1-CMDR: No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)",
"event": {
"category": [
"network"
],
"dataset": "dhcp-server",
"kind": "event",
"reason": "No IP addresses to offer from pool Adm-wifi (8 times in 60 seconds)",
"type": [
"connection"
]
}
}
{
"message": "dhcp-server: ST1-CMDR: High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0",
"event": {
"category": [
"network"
],
"dataset": "dhcp-server",
"kind": "event",
"reason": "High threshold reached for pool Adm-wifi. Active bindings: 2, Free bindings: 0",
"type": [
"connection"
]
}
}
{
"message": "FFI: ST1-CMDR: port 1/11-High collision or drop rate. See help.",
"event": {
"category": [
"network"
],
"dataset": "FFI",
"kind": "event",
"reason": "port 1/11-High collision or drop rate. See help.",
"type": [
"connection"
]
}
}
{
"message": "ports: ST1-CMDR: port 2/16 in Trk7 is now on-line",
"event": {
"category": [
"network"
],
"dataset": "ports",
"kind": "event",
"reason": "port 2/16 in Trk7 is now on-line",
"type": [
"connection"
]
}
}
{
"message": "ports: ST1-CMDR: port 2/16 is Blocked by LACP",
"event": {
"category": [
"network"
],
"dataset": "ports",
"kind": "event",
"reason": "port 2/16 is Blocked by LACP",
"type": [
"connection"
]
}
}
{
"message": "ports: ST1-CMDR: port 1/8 is now on-line",
"event": {
"category": [
"network"
],
"dataset": "ports",
"kind": "event",
"reason": "port 1/8 is now on-line",
"type": [
"connection"
]
}
}
{
"message": "ports: ST1-CMDR: port 1/8 is now off-line",
"event": {
"category": [
"network"
],
"dataset": "ports",
"kind": "event",
"reason": "port 1/8 is now off-line",
"type": [
"connection"
]
}
}
{
"message": "snmp: ST1-CMDR: Security access violation from 1.2.3.4 for the community name or user name : internal",
"event": {
"category": [
"session"
],
"dataset": "snmp",
"kind": "alert",
"reason": "Security access violation from 1.2.3.4 for the community name or user name : internal",
"type": [
"info"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "snmp: ST1-CMDR: Security access violation from 1.2.3.4 for the community name or user name : internal (1 times in 60 seconds)",
"event": {
"category": [
"session"
],
"dataset": "snmp",
"kind": "alert",
"reason": "Security access violation from 1.2.3.4 for the community name or user name : internal (1 times in 60 seconds)",
"type": [
"info"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "SNTP: ST1-CMDR: Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.",
"event": {
"category": [
"network"
],
"dataset": "SNTP",
"kind": "event",
"reason": "Updated time by 4 seconds from server at 1.2.3.4. Previous time was Mon Aug 28 11:53:06 2023. Current time is Mon Aug 28 11:53:10 2023.",
"type": [
"connection"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "ssl: ST1-CMDR: User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)",
"event": {
"category": [
"session"
],
"dataset": "ssl",
"kind": "event",
"reason": "User :TLS connection failed for WEB-UI session from 1.2.3.4. (1 times in 60 seconds)",
"type": [
"info"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "ssl: ST1-CMDR: SSL/TLS session closed for WEB-UI from 1.2.3.4.",
"event": {
"category": [
"session"
],
"dataset": "ssl",
"kind": "event",
"reason": "SSL/TLS session closed for WEB-UI from 1.2.3.4.",
"type": [
"end"
]
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
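As an added illustration (not Sekoia.io's own parser), the following Python maps raw ArubaOS Switch syslog lines of the shape `facility: switch-name: text` to the ECS-style documents shown above. The category/type/kind rules are inferred only from these samples, and the three input lines are copied from them.

```python
import re

# Constructed input: three lines copied from the event samples above, not a live capture.
SAMPLES = [
    "auth: ST1-CMDR: User 'john.doe' logged in from 1.2.3.4 to SSH session",
    "snmp: ST1-CMDR: Security access violation from 1.2.3.4 for the community name or user name : internal",
    "dhcp-snoop: ST1-CMDR: backplane: Attempt to release address 3.4.5.6 leased to port Trk7 detected on port Trk8",
]

# "<facility>: <switch name>: <free text>"; the facility becomes event.dataset.
HEADER = re.compile(r"^(?P<dataset>[\w-]+): (?P<host>[^:]+): (?P<reason>.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
USER = re.compile(r"User '(?P<name>[^']+)'")
SESSION_DATASETS = {"mgr", "snmp", "ssl"}  # assumed from the samples above


def classify(dataset, reason):
    """Return (event.category, event.type, event.kind) as seen in the samples."""
    if dataset == "auth":
        return "authentication", "start" if "logged in" in reason else "info", "event"
    if dataset in SESSION_DATASETS:
        kind = "alert" if "Security access violation" in reason else "event"
        if "session closed" in reason:
            return "session", "end", kind
        return "session", "start" if dataset == "mgr" else "info", kind
    return "network", "connection", "event"


def normalize(line):
    """Map one raw syslog line to the ECS-style document; None if the shape is unknown."""
    m = HEADER.match(line)
    if not m:
        return None  # unknown shape: leave for a catch-all parser rather than guess
    dataset, reason = m["dataset"], m["reason"]
    category, etype, kind = classify(dataset, reason)
    doc = {"message": line, "event": {"category": [category], "dataset": dataset,
                                      "kind": kind, "reason": reason, "type": [etype]}}
    # Only well-formed dotted quads become related.ip / source.ip.
    ips = [ip for ip in IPV4.findall(reason) if all(int(o) < 256 for o in ip.split("."))]
    if ips:
        doc["related"] = {"ip": ips}
        doc["source"] = {"address": ips[0], "ip": ips[0]}
    if (u := USER.search(reason)):
        doc.setdefault("related", {})["user"] = [u["name"]]
        doc["user"] = {"name": u["name"]}
    return doc
```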
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.
Name | Type | Description |
---|---|---|
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.dataset | keyword | Name of the dataset. |
event.kind | keyword | The kind of the event. The highest categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
source.ip | ip | IP address of the source. |
user.name | keyword | Short name or login of the user. |
Configure
This setup guide will show you how to forward your ArubaOS logs to Sekoia.io by means of a syslog transport channel.
Enable Syslog forwarding for ArubaOS
To forward ArubaOS logs through syslog, you'll need to configure syslog settings on your ArubaOS device to specify the syslog server's IP address and port. Here's a step-by-step procedure to set up syslog forwarding:
Note: Before proceeding, make sure you have a syslog server in your network. You'll need its IP address and the port it's listening on.
1. Log in to your ArubaOS device using SSH, Telnet, or the web-based management interface, depending on your preferred method.
2. Access the configuration mode on your ArubaOS device. For example, if you are using the CLI, enter the following command:
    configure terminal
3. Configure Syslog Settings: use the following command to specify the syslog server's IP address:
    logging x.x.x.x
   Replace x.x.x.x with the IP address of your syslog concentrator. Additionally, you can specify the syslog server's UDP port using the port keyword:
    logging x.x.x.x port yyyy
   Replace yyyy with the port number your syslog concentrator is configured to listen on.
4. Set Log Severity Levels (Optional): you can configure the severity level of logs that will be sent to the syslog server. For example, to send logs with severity level informational or higher, use the following command:
    logging level informational
   You can adjust the severity level as needed.
5. Save your configuration changes by issuing the appropriate command (e.g., write memory or copy running-config startup-config) to ensure that the syslog configuration persists across reboots.
6. Test Syslog Forwarding (Optional): you can generate a test log entry to ensure that logs are being forwarded to the syslog server. For example, use the following command:
    logging x.x.x.x testing
   This will generate a test log message that should appear in your syslog server's logs.
7. On your syslog server, verify that it is configured to accept syslog messages from the ArubaOS device on the specified port.
Once you've completed these steps, your ArubaOS device should start forwarding logs to the specified syslog server. You can then use your syslog server's features to analyze and store these logs for monitoring, troubleshooting, and security purposes.
Create the intake
Go to the intake page and create a new intake from the format ArubaOS.
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.