I have some Peakflow - Arbor logs; two types of log are of interest: "Host Detection alert" and "TMS mitigation".
The Host Detection alert carries the attacked IP and the alertid, and the TMS mitigation log has the alertid in its name, automatically generated from a Host Detection alert.
We need to create a use case where, having filtered the Host Detection alert logs by attacked IP (we use a lookup to add a business field depending on the attacked IP), we get the corresponding alertid in the TMS mitigation logs.
For example, this would be the logs for a detection with mitigation:
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
My search looked something like this:
source=*arbor* "TMS mitigation" alertid=* | join alertid [search "Host Detection" alertid=* | lookup subredes ip as dest_ip | search empresa=corporativo* | table alertid] | table alertid
But I don't seem to be getting the results I expect.
The alertid field is an alias for the fields detection_alertid (alertid from events with Host Detection alert) and mitigation_alertid (alertid from events with TMS mitigation).
Any help is well appreciated, thanks!
Try this:
source=*arbor* "TMS mitigation" OR "Host Detection" alertid=* | rex "(?<log_type>Host Detection|TMS mitigation)" | lookup subredes ip as dest_ip | stats values(log_type) as log_types values(empresa) as empresa by alertid | where mvcount(log_types)=2 | table alertid
Hello, thank you for your help, but this doesn't seem to be working either.
Another fact I haven't explained, and that might be helpful: I'm using alertid as an alias for the fields detection_alertid (for the alertid in the Host Detection events) and mitigation_alertid (for the alertid in TMS mitigation events), which I realize now may not be working the way I was expecting 😕
When I run the search at some point in time to get the alertids, I get results like this:
detection_alertid: 5
mitigation_alertid: 4
alertid: 4
If I manually check each of these alertids, I can see that all but one alertid are in both event types (which makes sense because detection_alertid = 5 and mitigation_alertid = 4; all mitigation events should have a Host Detection event, but not the other way around).
The alertid values are the same as mitigation_alertid (although this doesn't seem to be consistent behaviour, so maybe the alias is not being made correctly).
If I run the search you provided, I only get one alertid (for what I intend to do, I should be getting the 4 mitigation_alertids).
On the other hand, the reason we need this search is that we need to report on detection vs. mitigation events per business field, but the only way I can get the business info is from the detection events, where I have a dest_ip field to which I can add the business field with the lookup.
Hope I made myself a bit clearer and you can help me.
Kind regards
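As an added illustration that is not part of the thread above (neither the asker's nor the answerer's code): the correlation the question and the follow-up describe, written out in Python instead of SPL so the logic is explicit. It extracts one common alertid from both event types (the single-field equivalent of the detection_alertid/mitigation_alertid alias), takes the attacked IP only from the opening Host Detection event, resolves it to a business through a subnet table, and then groups by alertid the way the suggested `stats ... by alertid` does. The four pfsp lines are the ones quoted in the question; the fifth detection (#500842, host 10.20.30.40, managed object "C-yyyy") and the subnet-to-business table standing in for the `subredes` lookup are constructed here, so that the "detected but never mitigated" case is also exercised.

```python
import re
import ipaddress
from collections import defaultdict

# Sample events: the four lines quoted in the question plus one CONSTRUCTED
# detection (#500842) that never receives a TMS mitigation.
SAMPLE_LOGS = """\
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
Jun 9 07:10:02 arbor-cp pfsp: Host Detection alert #500842, start 2016-06-09 12:09:55 GMT, duration 5, direction incoming, host 10.20.30.40, signatures (UDP), impact 12.10 Mbps/8.00 Kpps, importance 1, managed_objects ("C-yyyy"), (parent managed object "nil")
"""

# CONSTRUCTED stand-in for the "subredes" lookup: subnet -> business (empresa).
SUBREDES = {
    "1.1.1.0/24": "corporativo_A",
    "10.20.30.0/24": "pyme_B",
}

# The alertid sits in different places in the two event types; both regexes
# feed the same output field so no alias is needed.
DETECTION_RE = re.compile(r"Host Detection alert #(?P<alertid>\d+)")
HOST_RE = re.compile(r"\bhost (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
MITIGATION_RE = re.compile(
    r"TMS mitigation 'Alert (?P<alertid>\d+) [^']*' (?P<action>started|stopped)"
)


def parse_event(line):
    """Return {log_type, alertid, ...} for a pfsp line, or None if it is neither type."""
    m = DETECTION_RE.search(line)
    if m:
        ev = {"log_type": "Host Detection", "alertid": m.group("alertid")}
        h = HOST_RE.search(line)
        if h:  # only the opening detection event carries the attacked host
            ev["dest_ip"] = h.group("host")
        return ev
    m = MITIGATION_RE.search(line)
    if m:
        return {"log_type": "TMS mitigation", "alertid": m.group("alertid"),
                "action": m.group("action")}
    return None


def lookup_business(ip):
    """Longest-prefix-agnostic subnet lookup; first matching subnet wins."""
    addr = ipaddress.ip_address(ip)
    for net, empresa in SUBREDES.items():
        if addr in ipaddress.ip_network(net):
            return empresa
    return None


def correlate(lines):
    """Group events by alertid, like `stats values(log_type) ... by alertid`."""
    alerts = defaultdict(lambda: {"log_types": set(), "dest_ip": None, "empresa": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        a = alerts[ev["alertid"]]
        a["log_types"].add(ev["log_type"])
        if ev.get("dest_ip"):
            a["dest_ip"] = ev["dest_ip"]
            a["empresa"] = lookup_business(ev["dest_ip"])
    return dict(alerts)


def report(lines, empresa_prefix):
    """Detection vs mitigation alertids for businesses matching a prefix."""
    alerts = correlate(lines)
    detected, mitigated = [], []
    for alertid, a in sorted(alerts.items()):
        if not (a["empresa"] or "").startswith(empresa_prefix):
            continue
        if "Host Detection" in a["log_types"]:
            detected.append(alertid)
            if "TMS mitigation" in a["log_types"]:
                mitigated.append(alertid)
    return {"detected": detected, "mitigated": mitigated,
            "unmitigated": [x for x in detected if x not in mitigated]}


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for prefix in ("corporativo", "pyme"):
        print(prefix, report(lines, prefix))
```

The business name is attached once, from the detection event that carries `host`, and then inherited by every other event with the same alertid; that is the step a per-event lookup on the mitigation lines cannot do, since they have no destination IP.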