Channel: Questions in topic: "splunk-enterprise"

Mitigation vs Detection use case with Peakflow Arbor logs

I have some Peakflow - Arbor logs, two types of logs are of interest: **"Host Detection alert"** and **"TMS mitigation"**.

**Host Detection alert** carries *attacked IP* information and the *alertid*, and the **TMS mitigation** logs have the *alertid* in their name, automatically generated from a Host Detection alert.

We need to create a use case where, having filtered the **Host Detection alert** logs by *attacked ip* (we use a lookup to add a *business* field depending on the attacked ip), we get the corresponding *alertid* in the **TMS mitigation** logs.

For example, these would be the logs for a detection with mitigation:

- alertid=500841
- attackedip=1.1.1.1
- the two types of logs "Host Detection" and "TMS mitigation"

```
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
```

My search looked something like this:

```
source=*arbor* "TMS mitigation" alertid=* | join alertid [search "Host Detection" alertid=* | lookup subredes ip as dest_ip | search empresa=corporativo* | table alertid] | table alertid
```

but I don't seem to be getting the results I expect.

The *alertid* field is an alias for the fields *detection_alertid* (alertid from events with Host Detection alert) and *mitigation_alertid* (alertid from events with TMS mitigation).

Any help is well appreciated, thanks!
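The correlation the question describes, as an added worked example that is not part of the original post and not the poster's search: parse both Arbor event types out of raw syslog lines, bucket them by alertid, resolve the attacked host against a subnet-to-empresa table, and keep only the alertids whose empresa matches the prefix. The `SUBREDES` table, the `corporativo-norte`/`residencial` names and the extra alerts 500842 and 500843 are constructed for the example; the 500841 lines are the ones from the question. In Splunk the same grouping is what `stats values(...) by alertid` over both event types does, which is the usual alternative to `join` when the two sides share a key.

```python
"""Correlate Arbor Peakflow 'Host Detection alert' and 'TMS mitigation' lines by alertid."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: the four 500841 lines from the question plus two
# alerts invented here (500842 hits an out-of-scope subnet, 500843 never gets a
# mitigation) so the filter has something to reject.
SAMPLE_LOGS = """\
Jun 9 05:54:22 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 9, direction incoming, host 1.1.1.1, signatures (Total Traffic), impact 236.23 Mbps/49.67 Kpps, importance 2, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 05:54:30 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' started at 2016-06-09 10:54:29, leader arbor-cp
Jun 9 05:55:01 arbor-cp pfsp: Host Detection alert #500842, start 2016-06-09 10:54:55 GMT, duration 6, direction incoming, host 10.20.30.40, signatures (Total Traffic), impact 90.10 Mbps/12.00 Kpps, importance 1, managed_objects ("C-yyyy"), (parent managed object "nil")
Jun 9 05:55:09 arbor-cp pfsp: TMS mitigation 'Alert 500842 Auto-Mitigation' started at 2016-06-09 10:55:08, leader arbor-cp
Jun 9 05:56:12 arbor-cp pfsp: Host Detection alert #500843, start 2016-06-09 10:56:02 GMT, duration 10, direction incoming, host 1.1.1.7, signatures (Total Traffic), impact 12.00 Mbps/3.00 Kpps, importance 1, managed_objects ("C-xxxx"), (parent managed object "nil")
Jun 9 06:02:46 arbor-cp pfsp: Host Detection alert #500841, start 2016-06-09 10:54:12 GMT, duration 508, stop 2016-06-09 11:02:40 GMT, , importance 2, managed_objects ("C-xxxx"), is now done, (parent managed object "nil")
Jun 9 06:02:47 arbor-cp pfsp: TMS mitigation 'Alert 500841 Auto-Mitigation' stopped at 2016-06-09 11:02:47, leader arbor-cp
"""

# Hypothetical stand-in for the "subredes" lookup (subnet -> empresa).
SUBREDES = {
    "1.1.1.0/24": "corporativo-norte",
    "10.20.0.0/16": "residencial",
}

DETECTION_RE = re.compile(r"Host Detection alert #(?P<alertid>\d+)")
HOST_RE = re.compile(r"\bhost (?P<host>\d{1,3}(?:\.\d{1,3}){3})\b")
MITIGATION_RE = re.compile(
    r"TMS mitigation 'Alert (?P<alertid>\d+) [^']*' "
    r"(?P<action>started|stopped) at (?P<ts>[\d-]+ [\d:]+),"
)


def parse_line(line):
    """Return a dict for a detection or mitigation event, None for anything else."""
    m = DETECTION_RE.search(line)
    if m:
        h = HOST_RE.search(line)
        # The "is now done" line repeats the alertid but carries no host field.
        return {"type": "detection", "alertid": m["alertid"],
                "host": h["host"] if h else None,
                "done": "is now done" in line}
    m = MITIGATION_RE.search(line)
    if m:
        return {"type": "mitigation", "alertid": m["alertid"],
                "action": m["action"], "ts": m["ts"]}
    return None


def lookup_empresa(ip, table=SUBREDES):
    """Longest-prefix match of ip against the subnet table; None when no row matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, empresa in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, empresa)
    return best[1] if best else None


def correlate(log_text, empresa_prefix="corporativo", table=SUBREDES):
    """Mitigations for detections whose attacked host maps to an empresa with the prefix.

    Every event is bucketed once by alertid (the grouping a stats-by-alertid
    search does), then the bucket is filtered on the lookup result.
    """
    by_alert = defaultdict(lambda: {"host": None, "empresa": None, "mitigation": {}})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = by_alert[ev["alertid"]]
        if ev["type"] == "detection":
            if ev["host"]:  # only the start line carries the attacked host
                bucket["host"] = ev["host"]
                bucket["empresa"] = lookup_empresa(ev["host"], table)
        else:
            bucket["mitigation"][ev["action"]] = ev["ts"]
    return {
        aid: b for aid, b in by_alert.items()
        if b["empresa"] and b["empresa"].startswith(empresa_prefix) and b["mitigation"]
    }


if __name__ == "__main__":
    for aid, info in sorted(correlate(SAMPLE_LOGS).items()):
        print(aid, info["host"], info["empresa"], info["mitigation"])
```

On the sample input only 500841 survives: 500842's host resolves to `residencial`, and 500843 is in scope but has no TMS mitigation event. Note that the attacked host appears only on the first detection line, so any grouping has to tolerate the "is now done" line contributing an alertid without a host.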
