07-05-2018 02:51 AM
1. Can anyone explain the need for the Packet Processor in the Aruba IntroSpect UEBA tool?
2. In the absence of a Packet Processor, how will the analyzer process the data?
Re: Packet Processor in Aruba IntroSpect UEBA
07-06-2018 06:37 AM
The Packet Processor will provide L7 DPI analysis of the traffic. In the absence of a Packet Processor, network flow information can be retrieved from firewalls, proxy servers, Aruba controllers (AMON) or NetFlow.
As the Packet Processor has by far the highest visibility, even into the data flows, that is the preferred way to get network flow information.
Please work with your local Aruba IntroSpect SE to get more educated on the IntroSpect solution and architecture. The diagram you show is very limited, as it misses a lot of other log sources.
07-18-2018 09:14 AM
IntroSpect is made up of three Nodes: one Analyser Node, three or more Compute Nodes and optionally one or more Packet Processor Nodes.
The Analyser Node is a combination of Analyst / Admin interface and Network Device Interface. For this conversation let's focus on the Network Device Interface. The AN is able to use syslog to harvest logs from some devices and also receive logs from a SIEM like Splunk. It also receives logs and Meta-Data from the optional Packet Processor. The AN then populates all this into the databases on the Compute Nodes.
The Compute Nodes hold, index and manipulate the databases - these are the workers that run the various AI and Machine Learning engines.
Now let's look at the Packet Processor. The PP is optional in that if you are only monitoring a single site and the AN/CN is at that site, then all log collection can be done by the AN at the site. You will need to add a PP at remote sites to collect logs at those sites, and the PP will transfer the logs to the AN. However, there is one function the PP does that the AN/CN will not do. You must have a PP for network traffic evaluation.
The Packet Processor has a Deep Packet Inspection engine (read resource hog here) for analysing network traffic and generating Meta-Data which is sent to the AN. So if you are going to take advantage of one of the most powerful tools in IntroSpect and analyse live network traffic, YOU NEED A Packet Processor even in a Single Site Configuration.
I hope this helps.