HomeGuidesAPI Reference
GuidesAPI ReferenceGitHubAirheads Developer CommunityLog In
Guides

Security Streaming Event

The Security streaming event is generated when a rogue AP is detected in the network or if one of the configured Intrusion Detection System (IDS) event is triggered.

Security Event Protocol Buffer File

enum Action 
{ 
ADD = 1; 
DELETE = 2; 
UPDATE = 3; 
}

message MacAddress {
required bytes addr = 1;
}

message RapidsStreamingEvent 
{
required string cust_id = 1; 
repeated RogueEvent rogue = 2; 
repeated WIDSEvent idsEvent = 3; 
}

message RogueEvent 
{
required MacAddress rogue_id = 1; 
required uint32 classification = 2; 
optional string first_seen = 3; 
optional string last_seen = 4; 
optional string rogue_name = 5; 
optional string ssid = 6; 
optional string lan_mac = 7; 
optional string first_det_device = 8; 
optional string last_det_device = 9; 
optional uint32 encryption = 10; 
optional string port = 11; 
optional string containment_status = 12; 
optional string mac_vendor = 13; 
}

message WIDSEvent 
{
required string device_id = 1; 
required uint32 event_number = 2; 
optional string event_type = 3; 
optional string attack_type = 4; 
optional string description = 5; 
optional string detected_ap = 6; 
optional MacAddress mac_addr = 7;
optional string radio_band = 8; 
optional string level = 9; 
}

Parameters Descriptions for Rogue AP Detection

FieldTypeRuleDescription
rogue_idMacAddressRequiredIndicates the corresponding base bssid of the rogue.
classificationUnit32RequiredIndicates the rogue's classification. Possible input: Rogue.
This should only be rogue since we only send rogue events to the streaming API.
first_seenStringOptionalIndicates the time of the first detection of the rogue.
last_seenStringOptionalIndicates the time of the last detection of the rogue.
rogue_nameStringOptionalIndicates the Rogue AP's name.
ssidStringOptionalIndicates the Rogue AP's SSID.
lan_macStringOptionalIndicates the LAN Mac address if the Rogues AP is connected to our network through a switch.
first_det_deviceStringOptionalIndicates the first device to detect the rogue.
last_det_deviceStringOptionalIndicates the last device to detect the rogue.
encryptionunit32OptionalIndicates the rogue AP's encryption.
portStringOptionalIndicates the port name if the rogue AP is connected to a switch on Aruba Network.
containment_statusStringOptionalIndicates the containment status, if the rogue is currently contained or not.
mac_vendorStringRequiredIndicates the Mac vendor of the rogue ap.

Parameters Descriptions for WIDS Event

FieldTypeRuleDescription
device_idStringRequiredIndicates the serial number of the AP that triggered the WIDS event.
event_numberunit32RequiredIndicates the event number.
event_typeStringOptionalIndicates the event type.
attack_typeStringOptionalIndicates the attack type.
descriptionStringOptionalIndicates the description of the event.
detected_apStringOptionalIndicates the name of the AP that detected the WIDS event.
mac_addrMacAddresOptionalIndicates the Mac address of the rogue AP.
radio_bandStringOptionalIndicates the radio band where the WIDS event was detected.
levelStringOptionalIndicates the level of the WIDS event.

Example Messages for Security Streaming Topic

cust_id: "d9f16c95f70c40a59155266f0180b587"
rogue 
{
  rogue_id {
    addr: "\270\'\353\311\225\220"
  }
  classification: 3
  first_seen: "2021-04-11T16:10:37.136Z"
  last_seen: "2021-04-13T13:41:37.873Z"
  rogue_name: "Raspberry Pi-C9:95:94"
  ssid: "CX-RoguePi9"
  first_det_device: "CNKKKD532C"
  last_det_device: "CNKKKD532D"
  encryption: 3
  containment_status: "Un-contained"
  mac_vendor: "Raspberry Pi Foundation"
}
cust_id: "d9f16c95f70c40a59155266f0180b587"
idsEvent 
{
  device_id: "CNJCJ0T2WS"
  event_number: 1188
  event_type: "infrastructuredetection"
  attack_type: "detect_malformed_frame_wrong_channel"
  description: "An AP detected that the Access Point with MAC 
  A8:BD:27:D1:B4:30 and BSSID A8:BD:27:D1:B4:30 has sent a beacon 
  for SSID APACSouth_test This beacon advertizes channel 116 but 
  was received on channel."
  detected_ap: "7c:57:3c:c9:07:9a"
  mac_addr {
    addr: "\250\275\'\321\2640"
  }
  radio_band: "1"
  level: "critical"
}

Event Number, Attack Type, and Event Type Mapping

Mapping information of the event_number, event_type, and attack_type:

Event NumberAttack TypeEvent Type
1088detect_rate_anomalies_by_apclientdetection
1089detect_rate_anomalies_by_staclientdetection
1090detect_eap_rate_anomalyclientdetection
1094detect_disconnect_staclientdetection
1136signature_asleap_from_apclientdetection
1137signature_asleap_from_staclientdetection
1138signature_airjack_from_apclientdetection
1139signature_airjack_from_staclientdetection
1148detect_station_disconnect_attack_APclientdetection
1171detect_unencrypted_validclientdetection
1175detect_disconnect_station_attackclientdetection
1177detect_omerta_attackclientdetection
1178detect_tkip_replay_attackclientdetection
1179detect_chopchop_attackclientdetection
1180detect_fatajackclientdetection
1182detect_valid_client_misassociationclientdetection
1198detect_block_ack_attackclientdetection
1199detect_hotspotter_attackclientdetection
1220detect_power_save_dos_attackclientdetection
1057detect_valid_ssid_misuseinfrastructuredetection
1063detect_adhoc_networkinfrastructuredetection
1095detect_ap_floodinfrastructuredetection
1097detect_wireless_bridgeinfrastructuredetection
1098detect_invalid_mac_oui_apinfrastructuredetection
1099detect_invalid_mac_oui_stainfrastructuredetection
1100detect_bad_wepinfrastructuredetection
1113detect_ap_impersonationinfrastructuredetection
1129detect_windows_bridgeinfrastructuredetection
1142signature_deauth_broadcast_apinfrastructuredetection
1143signature_deauth_broadcast_stainfrastructuredetection
1157detect_ht_greenfieldinfrastructuredetection
1158detect_ht_40mhz_intolerance_apinfrastructuredetection
1159detect_ht_40mhz_intolerance_stainfrastructuredetection
1170detect_client_floodinfrastructuredetection
1172detect_adhoc_using_valid_ssidinfrastructuredetection
1173detect_ap_spoofinginfrastructuredetection
1181detect_invalid_addresscombinationinfrastructuredetection
1183detect_malformed_htieinfrastructuredetection
1184detect_malformed_assoc_reqinfrastructuredetection
1185detect_overflow_ieinfrastructuredetection
1186detect_overflow_eapol_keyinfrastructuredetection
1187detect_malformed_large_durationinfrastructuredetection
1188detect_malformed_frame_wrong_channelinfrastructuredetection
1189detect_malformed_frame_authinfrastructuredetection
1190detect_cts_rate_anomalyinfrastructuredetection
1191detect_rts_rate_anomalyinfrastructuredetection
1205signature_deauth_broadcastinfrastructuredetection
1206signature_deassociation_broadcastinfrastructuredetection
1222detect_adhoc_using_valid_ssidinfrastructuredetection