Aruba Networking Central
About
A cloud-based networking solution that empowers IT with AI-powered insights, intuitive visualizations, workflow automation, and edge-to-cloud security to manage campus, branch, remote, data center, and IoT networks from one dashboard.
Product Details
Vendor URL: Aruba Networking Central
Product Type: Networking
Product Tier: Tier III
Integration Method: Generic Webhook
Integration URL: Aruba Central - Integration Guide
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: ARUBA_CENTRAL
UDM Fields (list of all UDM fields leveraged in the Parser):
Log File Field | UDM Field |
---|---|
alert_type | metadata.product_event_type |
cid | observer.asset.labels |
cluster_hostname | observer.hostname |
description | security_result.description |
details.__base_url | target.url |
details._rule_number | security_result.rule_id |
details.config_change | security_result.summary |
details.dev_type | target.asset.hardware.model |
details.group | target.group.product_object_id |
details.group_name | target.group.group_display_name |
details.macaddr | target.mac |
details.rules.0 | security_result.rule_labels |
details.serial | target.asset.hardware.serial_number |
details.user | principal.hostname |
id | metadata.product_log_id |
operation | security_result.action_details |
parameters | target.ip |
parameters | target.mac |
state | security_result.outcomes |
text | target.hostname |
webhook | additional.fields |
Product Event Types
Event | UDM Event Classification |
---|---|
generic | GENERIC_EVENT |
DEVICE_CONFIG_CHANGE_DETECTED | GROUP_MODIFICATION |
Log Sample
{"alert_type":"Rogue AP detected","cid":"123456789123456789","cluster_hostname":"app-uswest4.central.arubanetworks.com","description":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","details":{"__base_url":"https://app-uswest4.central.arubanetworks.com","description":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","device_id":"ABC1234","group":"123","labels":"8","rules":["{'conditions': [{'severity': 4}], 'group': [233, 234, 0, 15, 257, 2, 240, 238, 239, 246, 237, 251, 241, 242, 243, 244, 245, 248, 247, 256, 123, 236, 235, 252, 253], 'label': [1, 5, 118, 17, 9, 3, 2, 4, 83, 85, 10, 6, 50, 11, 84, 12, 8], 'rule_number': 0}"],"serial":"ABC1234","setting_id":"123456789123456789-10","time":"2024-05-07 05:55:33 UTC","ts":"1715061333"},"device_id":"ABC1234","id":"abc123def","nid":10,"operation":"create","setting_id":"123456789123456789-10","severity":"Major","state":"Open","text":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","timestamp":1715061333,"webhook":"a1b03c4d5e-1234-1abc-abc4-1234567"}
Sample Parsing
additional.fields["webhook"] = "a1b03c4d5e-1234-1abc-abc4-1234567"
metadata.description = "Rogue AP detected"
metadata.product_name = "Central"
metadata.vendor_name = "ArubaNetworks"
observer.asset.labels.key = "CID"
observer.asset.labels.value = "123456789123456789"
observer.hostname = "app-uswest4.central.arubanetworks.com"
principal.hostname = "HOSTNAME-002-ABC"
security_result.action_details = "create"
security_result.description = "An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue"
security_result.outcomes.key = "State"
security_result.outcomes.value = "Open"
security_result.rule_labels.key = "rules"
security_result.rule_labels.value = "{'conditions': [{'severity': 4}], 'group': [233, 234, 0, 15, 257, 2, 240, 238, 239, 246, 237, 251, 241, 242, 243, 244, 245, 248, 247, 256, 123, 236, 235, 252, 253], 'label': [1, 5, 118, 17, 9, 3, 2, 4, 83, 85, 10, 6, 50, 11, 84, 12, 8], 'rule_number': 0}"
security_result.severity_details = "Major"
target.asset.hardware.serial_number = "ABC1234"
target.group.product_object_id = "123"
target.mac = "A0:A1:A3:00:00:00"
target.url = "https://app-uswest4.central.arubanetworks.com"
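The following is an added reference implementation of the field mapping above, written here to let a detection engineer check the expected UDM output against the sample log before onboarding the webhook; it is not the product parser itself and is not code from Aruba or from the SIEM vendor. It assumes the webhook payload is the single JSON object shown in the Log Sample, and it uses two constructed regular expressions (for the `AP(NAME …)` and `BSSID …` fragments of the description) to recover `principal.hostname` and `target.mac`, since the page shows those values being derived from the alert text rather than from dedicated fields. Repeated UDM fields (labels, outcomes, rule labels) are represented as lists of key/value pairs.

```python
import json
import re

# Constructed copy of the sample webhook payload from this page.
SAMPLE_LOG = r'''{"alert_type":"Rogue AP detected","cid":"123456789123456789","cluster_hostname":"app-uswest4.central.arubanetworks.com","description":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","details":{"__base_url":"https://app-uswest4.central.arubanetworks.com","description":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","device_id":"ABC1234","group":"123","labels":"8","rules":["{'conditions': [{'severity': 4}], 'group': [233, 234, 0, 15, 257, 2, 240, 238, 239, 246, 237, 251, 241, 242, 243, 244, 245, 248, 247, 256, 123, 236, 235, 252, 253], 'label': [1, 5, 118, 17, 9, 3, 2, 4, 83, 85, 10, 6, 50, 11, 84, 12, 8], 'rule_number': 0}"],"serial":"ABC1234","setting_id":"123456789123456789-10","time":"2024-05-07 05:55:33 UTC","ts":"1715061333"},"device_id":"ABC1234","id":"abc123def","nid":10,"operation":"create","setting_id":"123456789123456789-10","severity":"Major","state":"Open","text":"An AP(NAME HOSTNAME-002-ABC) detected an access point (BSSID A0:A1:A3:00:00:00) as rogue","timestamp":1715061333,"webhook":"a1b03c4d5e-1234-1abc-abc4-1234567"}'''

# Assumed patterns (not from the page): the alert text carries the reporting
# AP name and the observed BSSID in fixed phrases.
HOSTNAME_RE = re.compile(r"AP\(NAME ([^)]+)\)")
BSSID_RE = re.compile(r"BSSID ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def normalize(raw: str) -> dict:
    """Map one Aruba Central webhook JSON string to flat UDM field paths.

    Raises ValueError if the input is not a JSON object, so callers can
    count it as a normalization failure.
    """
    ev = json.loads(raw)
    if not isinstance(ev, dict):
        raise ValueError("webhook payload must be a JSON object")
    details = ev.get("details") or {}
    text = ev.get("description") or ev.get("text") or ""

    udm = {
        "metadata.vendor_name": "ArubaNetworks",
        "metadata.product_name": "Central",
        "metadata.description": ev.get("alert_type"),
        "metadata.product_event_type": ev.get("alert_type"),
        "metadata.product_log_id": ev.get("id"),
        "observer.hostname": ev.get("cluster_hostname"),
        "security_result.action_details": ev.get("operation"),
        "security_result.description": text or None,
        "security_result.severity_details": ev.get("severity"),
        "target.asset.hardware.serial_number": details.get("serial"),
        "target.group.product_object_id": details.get("group"),
        "target.url": details.get("__base_url"),
    }

    # Repeated key/value fields, only emitted when the source value exists.
    if ev.get("cid"):
        udm["observer.asset.labels"] = [{"key": "CID", "value": ev["cid"]}]
    if ev.get("state"):
        udm["security_result.outcomes"] = [{"key": "State", "value": ev["state"]}]
    if details.get("rules"):
        udm["security_result.rule_labels"] = [
            {"key": "rules", "value": details["rules"][0]}
        ]
    if ev.get("webhook"):
        udm["additional.fields"] = {"webhook": ev["webhook"]}

    # Values the page shows being pulled out of the alert text.
    m = HOSTNAME_RE.search(text)
    if m:
        udm["principal.hostname"] = m.group(1)
    m = BSSID_RE.search(text)
    if m:
        udm["target.mac"] = m.group(1)

    # Drop unset fields so the output mirrors what the SIEM would store.
    return {k: v for k, v in udm.items() if v is not None}


def normalization_rate(raw_events) -> float:
    """Fraction of payloads that normalize without error (page expects 100%)."""
    if not raw_events:
        return 0.0
    ok = 0
    for raw in raw_events:
        try:
            normalize(raw)
            ok += 1
        except ValueError:
            pass
    return ok / len(raw_events)


if __name__ == "__main__":
    for field, value in sorted(normalize(SAMPLE_LOG).items()):
        print(f"{field} = {value!r}")
    print("normalization rate:", normalization_rate([SAMPLE_LOG]))
```

Running the block prints each UDM path with the value recovered from the sample; a payload whose description does not contain the `AP(NAME …)` or `BSSID …` phrases simply omits `principal.hostname` or `target.mac` rather than failing, and `normalization_rate` lets a batch of captured webhooks be checked against the stated 100% expectation.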