Getting Data In

Mitigation vs Detection use case with Peakflow Arbor logs

josefa
Path Finder

I have some Peakflow Arbor logs; two types of logs are of interest: "Host Detection alert" and "TMS mitigation".

The Host Detection alert carries the attacked IP information and the alertid, and the TMS mitigation logs have the alertid in their name, automatically generated from a Host Detection alert.

We need to create a use case where, having filtered the Host Detection alert logs by attacked IP (we use a lookup to add a business field depending on the attacked IP), we get the corresponding alertid in the TMS mitigation logs.

For example, this would be the logs for a detection with mitigation:

  • alertid=500841
  • attackedip=1.1.1.1
  • the two types of logs "Host Detection" and "TMS mitigation"

Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp

My search looked something like this:

source=*arbor* "TMS mitigation" alertid=* | join alertid [search "Host Detection" alertid=* | lookup subredes ip as dest_ip | search empresa=corporativo* | table alertid] | table alertid

but I don't seem to be getting the results I expect.

The alertid field is an alias for the fields detection_alertid (alertid from events with Host Detection alert) and mitigation_alertid (alertid from events with TMS mitigation).

Any help is well appreciated, thanks!


sundareshr
Legend

Try this

source=*arbor* "TMS mitigation" OR "Host Detection" alertid=* | rex "(?<log_type>Host Detection|TMS mitigation)" | lookup subredes ip as dest_ip | stats values(log_type) as log_types values(businesses) as businesses by alertid | where mvcount(log_types)=2 | table alertid
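The correlation both posts describe (extract the alertid from each event type, enrich the Host Detection event with a business field from an IP lookup, then keep the alertids that appear in both types) can be prototyped outside Splunk to check the logic before writing the SPL. The following is an added example, not code from the thread or from Arbor; it parses the four sample lines from the question plus one constructed unmitigated detection, uses a constructed in-memory `SUBREDES` table as a stand-in for the `subredes` lookup (the CIDR ranges and `empresa` values are assumptions), and reproduces the `stats values(log_type) by alertid | where mvcount(log_types)=2` step. It also handles the edge case visible in the sample data: the "is now done" detection event has no `host` field, so the attacked IP must be taken from the event that carries it.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events: the four lines from the question plus one
# detection (alert 500842) with no matching mitigation.
SAMPLE_LOGS = """\
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
Jun 9 07:10:01 arbor-cp pfsp: Host Detection alert #500842, start 2016-06-09 12:09:55 GMT, duration 12, direction incoming, host 10.20.30.40, signatures (UDP), impact 90.00 Mbps/12.00 Kpps, importance 1, managed_objects ("C-yyyy"), (parent managed object "nil")
"""

# Constructed stand-in for the `subredes` lookup: subnet -> empresa (business).
SUBREDES = [
    (ip_network("1.1.1.0/24"), "corporativo-A"),
    (ip_network("10.20.30.0/24"), "residencial"),
]

# The alertid sits after '#' in detection events; the host field is optional
# because the "is now done" event does not carry it.
DETECTION_RE = re.compile(
    r"Host Detection alert #(?P<alertid>\d+)"
    r"(?:.*?\bhost (?P<host>\d{1,3}(?:\.\d{1,3}){3}))?"
)
# The alertid sits inside the quoted mitigation name.
MITIGATION_RE = re.compile(r"TMS mitigation 'Alert (?P<alertid>\d+) [^']*' (?:started|stopped) at")


def parse_event(line):
    """Return (log_type, alertid, host_or_None), or None for unrelated lines."""
    m = DETECTION_RE.search(line)
    if m:
        return ("Host Detection", m.group("alertid"), m.group("host"))
    m = MITIGATION_RE.search(line)
    if m:
        return ("TMS mitigation", m.group("alertid"), None)
    return None


def lookup_empresa(ip):
    """Equivalent of `lookup subredes ip as dest_ip` over the constructed table."""
    addr = ip_address(ip)
    for net, empresa in SUBREDES:
        if addr in net:
            return empresa
    return None


def correlate(lines):
    """Group events by alertid, like `stats values(log_type) ... by alertid`."""
    by_alert = defaultdict(lambda: {"log_types": set(), "attackedip": None, "empresa": None})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        log_type, alertid, host = parsed
        rec = by_alert[alertid]
        rec["log_types"].add(log_type)
        # Keep the first event that carries the attacked IP; the enrichment
        # then applies to every event of that alertid.
        if host and rec["attackedip"] is None:
            rec["attackedip"] = host
            rec["empresa"] = lookup_empresa(host)
    return dict(by_alert)


def mitigated_alertids(by_alert, empresa_prefix=None):
    """alertids present in both event types (mvcount(log_types)=2),
    optionally restricted to one business prefix (search empresa=corporativo*)."""
    result = []
    for alertid, rec in sorted(by_alert.items()):
        if len(rec["log_types"]) != 2:
            continue
        if empresa_prefix and not (rec["empresa"] or "").startswith(empresa_prefix):
            continue
        result.append(alertid)
    return result


def detection_vs_mitigation(by_alert):
    """Per business: how many detections there were and how many were mitigated."""
    report = defaultdict(lambda: {"detections": 0, "mitigations": 0})
    for rec in by_alert.values():
        if "Host Detection" not in rec["log_types"]:
            continue
        key = rec["empresa"] or "unknown"
        report[key]["detections"] += 1
        if "TMS mitigation" in rec["log_types"]:
            report[key]["mitigations"] += 1
    return dict(report)


if __name__ == "__main__":
    grouped = correlate(SAMPLE_LOGS.splitlines())
    print("mitigated alertids:", mitigated_alertids(grouped))
    print("corporativo* only:", mitigated_alertids(grouped, "corporativo"))
    print("detection vs mitigation:", detection_vs_mitigation(grouped))
```

Grouping by a single alertid derived from whichever pattern matched is the same idea as `coalesce(detection_alertid, mitigation_alertid)`; if the Splunk alias does not behave that way, computing the field explicitly with `eval` before the `stats` is the equivalent of what `correlate` does here.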

josefa
Path Finder

Hello, thank you for your help, but this doesn't seem to be working either.

Another fact I haven't explained, and that might be helpful: I'm using alertid as an alias for the fields detection_alertid (for the alertid in the Host Detection events) and mitigation_alertid (for the alertid in TMS Mitigation events), which I realized now may not be working the way I was expecting 😕

When I run the search at some point of time to get the alertids I get results like this:
detection_alertid: 5
mitigation_alertid: 4
alertid=4

If I manually check each of these alertids, I can see that all but one alertid are in both event types (which makes sense because detection_alertid = 5 and mitigation_alertid = 4; all mitigation events should have a host detection event, but not the other way around).

The alertid values are the same as mitigation_alertid (although this doesn't seem to be consistent behaviour, so maybe the alias is not being correctly made).

If I run the search you provided, I only get one alertid (for what I intend to do, I should be getting the 4 mitigation_alertid values).

On the other hand, the reason we need this search is that we need to report on detection vs mitigation events for the different business fields, but the only way I can get the business info is from the detection events, where I have a dest_ip field to which I can add the business field with the lookup.

Hope I made myself a bit clearer and you can help me.

Kind regards
