Hi,
I am developing an app for integrating Arbor Pravail DDoS logs. I extracted the fields and mapped them to CIM, but when I try to access them from the Security app dashboard, no reports are shown.
Sample log:
Oct 2 04:05:32 10.1.1.1 ddos pravail: Blocked Host: Blocked host 192.168.1.1 at 04:05 by TLS Attack Prevention using TCP/443 (HTTPS) destination 172.16.1.1 URL: https://internalurl
props.conf:
[arbor_test]
# Named capture groups restored (the original post lost the <name> part of each (?P<name>...) group).
# category and dvc are positional: they take the 6th and 5th whitespace-separated token of the event.
EXTRACT-category = (?i)^(?:[^ ]* ){5}(?P<category>[^ ]+)
EXTRACT-dest = (?i) destination (?P<dest>[^,]+)
EXTRACT-dvc = (?i)^(?:[^ ]* ){4}(?P<dvc>[^ ]+)
EXTRACT-signature = (?i) by (?P<signature>\w+\s+\w+)
EXTRACT-src = (?i) host (?P<src>[^ ]+)
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EXTRACT-dest_port = (?i) .*?/(?P<dest_port>\d+)(?= )
EXTRACT-url = (?i),URL: (?P<url>.+)
EXTRACT-arbor_signature = (?i) by (?P<arbor_signature>.+?)\s+\w+\s+\d+
# Automatic lookup keyed on sourcetype; the first token must be the name of a lookup stanza
# defined in transforms.conf (which in turn points at the CSV file).
LOOKUP-vendor_info_for_arbor_test = arbor_test_vendor_info_lookup.csv sourcetype OUTPUT ids_type,vendor,product,severity
eventtypes.conf:
[arbor_test]
search = sourcetype=arbor_test
tags.conf:
[eventtype=arbor_test]
attack = enabled
ids = enabled
network = enabled
communicate = enabled
Lookup (arbor_test_vendor_info_lookup.csv):
sourcetype,vendor,product,ids_type,severity
arbor_test,arbor,IPS,network,critical
Inputs are welcome.
Sididqu.T
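As an added example (not part of the original post), the following Python harness applies the EXTRACT regexes and the vendor lookup from the question to the pasted sample event offline and reports which of the fields the app set out to populate came back empty. It assumes the lookup row from the question and, as a labelled variant, that syslog pads a single-digit day with a space ("Oct  2"), which shifts the positional category/dvc extractions.

```python
import re

# Raw event as pasted in the question (constructed copy for offline testing).
PASTED_EVENT = (
    "Oct 2 04:05:32 10.1.1.1 ddos pravail: Blocked Host: Blocked host 192.168.1.1 "
    "at 04:05 by TLS Attack Prevention using TCP/443 (HTTPS) destination 172.16.1.1 "
    "URL: https://internalurl"
)
# Assumption: syslog pads a single-digit day ("Oct  2"). The token-counting
# category/dvc regexes then land on different tokens than on the pasted form.
PADDED_EVENT = PASTED_EVENT.replace("Oct 2 ", "Oct  2 ", 1)

# The EXTRACT-* regexes from props.conf, keyed by the field each one defines.
EXTRACTIONS = {
    "category": r"(?i)^(?:[^ ]* ){5}(?P<category>[^ ]+)",
    "dest": r"(?i) destination (?P<dest>[^,]+)",
    "dvc": r"(?i)^(?:[^ ]* ){4}(?P<dvc>[^ ]+)",
    "signature": r"(?i) by (?P<signature>\w+\s+\w+)",
    "src": r"(?i) host (?P<src>[^ ]+)",
    "action": r"(?i) .*?: (?P<action>\w+)(?= )",
    "dest_port": r"(?i) .*?/(?P<dest_port>\d+)(?= )",
    "url": r"(?i),URL: (?P<url>.+)",
    "arbor_signature": r"(?i) by (?P<arbor_signature>.+?)\s+\w+\s+\d+",
}

# The automatic lookup, keyed by sourcetype (same row as the CSV in the question).
VENDOR_INFO = {
    "arbor_test": {"vendor": "arbor", "product": "IPS", "ids_type": "network", "severity": "critical"},
}


def extract_fields(event, sourcetype="arbor_test"):
    """Apply every EXTRACT regex and the vendor lookup to one raw event."""
    fields = {"sourcetype": sourcetype}
    for name, pattern in EXTRACTIONS.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(name)
    fields.update(VENDOR_INFO.get(sourcetype, {}))
    return fields


def missing_fields(fields):
    """Fields the props/lookup set out to populate that are absent or empty."""
    expected = list(EXTRACTIONS) + ["ids_type", "vendor", "product", "severity"]
    return [name for name in expected if not fields.get(name)]


if __name__ == "__main__":
    for label, event in (("pasted", PASTED_EVENT), ("padded", PADDED_EVENT)):
        fields = extract_fields(event)
        print(label, fields, "not populated:", missing_fields(fields))
```

Compare the returned dict field by field with what the dashboard searches expect: a field that is missing or holds the wrong token (here url is never matched because the pasted event has no comma before "URL:") explains an empty panel before any eventtype or tag is suspected.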