I have some Peakflow - Arbor logs, two types of logs are of interest: "Host Detection alert" and "TMS mitigation"
The Host Detection alert carries the attacked IP information and the alertid, and the TMS mitigation logs have the alertid in their name, automatically generated from a Host Detection alert.
We need to create a use case where, having filtered the Host Detection alert logs by attacked IP (we use a lookup to add a business field depending on the attacked IP), we get the corresponding alertid in the TMS mitigation logs.
For example, this would be the logs for a detection with mitigation:
alertid=500841
attackedip=1.1.1.1
The two types of logs, "Host Detection" and "TMS mitigation":
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
My search looked something like this:
source=*arbor* "TMS mitigation" alertid=* | join alertid [search "Host Detection" alertid=* | lookup subredes ip as dest_ip | search empresa=corporativo* | table alertid] | table alertid
but I don't seem to be getting the results I expect.
The alertid field is an alias for the fields detection_alertid (alertid from events with Host Detection alert) and mitigation_alertid (alertid from events with TMS mitigation).
Any help is well appreciated, thanks!
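To make the correlation in the question concrete outside of Splunk, here is an added Python example (not the poster's search and not Arbor or Splunk code) that parses the two Peakflow event types, pulls the attacked host out of the Host Detection alert, resolves it against a subnet-to-business lookup, and then returns only the TMS mitigation events whose alertid belongs to a matching detection. The SUBNET_LOOKUP table and the second alert (#500900 against 10.9.9.9) are constructed for the example; the four original lines are the ones from the post. Note that the "is now done" detection event carries no host field, so the attacked IP has to come from the first event of each alertid.

```python
import ipaddress
import re

# Constructed sample events: the first four lines are the ones from the post,
# the last two are an invented second alert outside the business subnet.
SAMPLE_LOGS = [
    'Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")',
    'Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")',
    "Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp",
    "Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp",
    'Jun 9 07:10:00 arbor-cp pfsp: Host Detection alert #500900, start 2016-06-09 12:09:50 GMT, duration 5, direction incoming, host 10.9.9.9, signatures (Total Traffic), impact 10.00 Mbps/2.00 Kpps, importance 1, managed_objects ("C-yyyy"), (parent managed object "nil")',
    "Jun 9 07:10:05 arbor-cp pfsp: TMS mitigation 'Alert 500900 Auto-Mitigation' started at 2016-06-09 12:10:04, leader arbor-cp",
]

# Constructed stand-in for the "subredes" lookup: subnet -> empresa (business unit).
SUBNET_LOOKUP = {
    "1.1.1.0/24": "corporativo_a",
    "10.9.0.0/16": "residencial_b",
}

# alertid appears as "#NNN" in detections and as "Alert NNN" in mitigations.
DETECTION_RE = re.compile(r"Host Detection alert #(?P<alertid>\d+)")
# lowercase "host <ip>" is only present in the first (start) detection event.
HOST_RE = re.compile(r"\bhost (?P<host>\d{1,3}(?:\.\d{1,3}){3})")
MITIGATION_RE = re.compile(
    r"TMS mitigation 'Alert (?P<alertid>\d+) [^']*' (?P<action>started|stopped) at (?P<ts>[\d-]+ [\d:]+)"
)


def lookup_empresa(ip):
    """Longest-prefix style lookup of an IP in the constructed subnet table."""
    addr = ipaddress.ip_address(ip)
    for cidr, empresa in SUBNET_LOOKUP.items():
        if addr in ipaddress.ip_network(cidr):
            return empresa
    return None


def parse_events(lines):
    """Split raw lines into detections {alertid: attacked_host} and a list of mitigation dicts."""
    detections = {}
    mitigations = []
    for line in lines:
        m = DETECTION_RE.search(line)
        if m:
            h = HOST_RE.search(line)
            if h:
                # Keep the host from the first event; the "is now done" event has none.
                detections.setdefault(m["alertid"], h["host"])
            continue
        m = MITIGATION_RE.search(line)
        if m:
            mitigations.append({"alertid": m["alertid"], "action": m["action"], "ts": m["ts"]})
    return detections, mitigations


def mitigations_for_business(lines, empresa_prefix="corporativo"):
    """Return TMS mitigation events whose alertid maps to a host in the chosen business unit."""
    detections, mitigations = parse_events(lines)
    wanted = {
        alertid
        for alertid, host in detections.items()
        if (lookup_empresa(host) or "").startswith(empresa_prefix)
    }
    return [m for m in mitigations if m["alertid"] in wanted]


if __name__ == "__main__":
    for event in mitigations_for_business(SAMPLE_LOGS):
        print(event)
```

The join key is the numeric alertid in both event types; the business filter is applied on the detection side because only those events carry the attacked host, and the mitigation events are then selected by membership in the resulting alertid set rather than by a row-for-row join.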