We have just set up Azure Sentinel. We are receiving syslogs from 3 Aruba switches and 2 APs. We need to create a query within Sentinel to give us an alert for security events. I found the query below for a Cisco device, so I'm planning on replacing the DeviceEventClassIDs with event IDs from the Aruba switches and APs.
let timeframe = 1h;
// source table for CEF/syslog-forwarded events (was missing from the pasted query;
// CommunicationDirection and DeviceEventClassID are CommonSecurityLog columns)
CommonSecurityLog
| where TimeGenerated >= ago(timeframe)
| where isempty(CommunicationDirection)
| where DeviceEventClassID in ("733101","733102","733103","733104","733105")
| extend timestamp = TimeGenerated, IPCustomEntity = SourceIP, HostCustomEntity = DeviceName
Does anyone have experience linking Aruba devices with Sentinel or any SIEM system?
Can anyone advise on event IDs we should be looking out for?
We don't want to be getting alerts for every security event, just the important ones we should be looking out for.
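The following is an added example, not part of the original post and not an Aruba or Microsoft query. Aruba switches and APs that send plain syslog to the Log Analytics agent land in the `Syslog` table rather than `CommonSecurityLog`, so the Cisco query's columns will not apply directly. This example keys on the `Syslog` columns that do exist (`Computer`, `HostName`, `HostIP`, `SeverityLevel`, `SyslogMessage`) and buckets messages into a few categories with a per-category threshold so that noisy categories only alert on volume. The host names, the message substrings and the threshold are assumptions to be replaced after inspecting the raw `SyslogMessage` values from your own devices.

```kql
// Added example (not from the original post): Sentinel scheduled-rule query over
// the Syslog table for Aruba devices. Host names, substrings and thresholds are
// assumptions; verify them against your actual SyslogMessage content.
let timeframe = 1h;
// assumed device names as they appear in the Computer / HostName columns
let aruba_hosts = dynamic(["aruba-sw-01", "aruba-sw-02", "aruba-sw-03", "aruba-ap-01", "aruba-ap-02"]);
// only alert on repeated authentication failures, not on every single one
let auth_failure_threshold = 5;
Syslog
| where TimeGenerated >= ago(timeframe)
| where Computer in~ (aruba_hosts) or HostName in~ (aruba_hosts)
// drop notice/info/debug; keep warning and worse
| where SeverityLevel in ("emerg", "alert", "crit", "err", "warning")
// assumed substrings: adjust to the wording your switches and APs actually emit
| extend Category = case(
    SyslogMessage has_any ("authentication failure", "login failed", "invalid user"), "AuthFailure",
    SyslogMessage has_any ("configuration changed", "running-config", "write memory"), "ConfigChange",
    SyslogMessage has_any ("rogue", "interfering ap"), "RogueAP",
    SyslogMessage has_any ("port security", "mac lockdown"), "PortSecurity",
    "Other")
| where Category != "Other"
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleMessage = take_any(SyslogMessage)
    by Computer, HostIP, Category
// config changes, rogue APs and port-security hits alert on a single event;
// authentication failures only when they cross the threshold
| where Category != "AuthFailure" or Count >= auth_failure_threshold
| extend timestamp = LastSeen, HostCustomEntity = Computer, IPCustomEntity = HostIP
```

Run the query first without the `Category != "Other"` filter and with `summarize count() by SeverityLevel, ProcessName` instead, to see which facilities and severities your Aruba devices actually emit before committing the substrings to an analytics rule.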