Security Alerts
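Sample Security Webhook Alerts
The payloads below are illustrative samples: every one reuses the same placeholder `id`, `alertId`, `tenantId`, `siteId` and device serial, so these values should not be treated as real identifiers or used as deduplication keys.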
Gateway
IDPS Gateway Threat Count
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "IDPS Gateway Threat Count",
"category": "Security",
"deviceType": "Gateway",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Gateway {gateway_name} had more than {threshold} threats in {duration} minutes.",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
]
},
"additionalDetails": [
{
"deviceSerial": [
"CG0019588"
]
}
]
}
Switch
ARP Security MAC Mismatch
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "ARP Security MAC Mismatch",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, ARP packet received from MAC 98:0e:00:0c:03:c2 on VLAN 10, untrusted port 1/1/2 with ip 10.1.1.1 is dropped due to MAC mismatch in IP binding table.",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576",
"ipAddress": "10.1.1.1",
"senderMac": "98:0e:00:0c:03:c2"
}
]
}
ARP Security Packet Drop
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "ARP Security Packet Drop",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, ARP packet received from MAC 98:0e:00:0c:03:c2 on VLAN 10, untrusted port 1/1/2 with ip 10.1.1.1 is dropped as there is no corresponding entry in the IP binding table.",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576",
"ipAddress": "10.1.1.1",
"senderMac": "98:0e:00:0c:03:c2"
}
]
}
Client Limit Exceeded
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "Client Limit Exceeded",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, client limit exceeded on port 1/1/2, caused by an unauthorized client 98:0e:00:0c:03:c2.",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}
Duplicate IP Detected
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "Duplicate IP Detected",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "duplicate IPv4 address 10.1.11.1 is detected on interface vlan11 with a MAC address of 9c:37:08:03:8a:00",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}
RADIUS server status
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "RADIUS server status",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, RADIUS Server with Address:10.10.10.1, Authport:2083, VRF_ID:2 is unreachable",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}
Rogue DHCP Server
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "Rogue DHCP Server",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, server 10.1.1.1 packet received on untrusted port 1/1/1 dropped",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}
Rogue IPv6 Router
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "Rogue IPv6 Router",
"category": "Security",
"deviceType": "Switch",
"severity": "Major",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, ND packet of type router-advertisement received on port:1/1/1 vlan: 100 with src_mac:98:0e:00:0c:03:c2 is Dropped. count=5",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}
Sticky MAC Move Violation
{
"id": "cadc836a-ef94-3a20-bc35-57e7351a5162",
"alertId": "0e311107-1b13-3258-a9b5-e3ee0e4f32fe",
"tenantId": "20b15d98f71411eebe566237c088cb89",
"tenantName": "ABC Enterprise",
"mspId": null,
"mspName": null,
"name": "Sticky MAC Move Violation",
"category": "Security",
"deviceType": "Switch",
"severity": "Critical",
"time": "2026-01-01T00:00:00.000Z",
"operation": "Add",
"state": "Active",
"siteId": "14076693093",
"configScope": "Global",
"summary": "Switch Aruba7008, port security sticky client move violation triggered on port 1/1/2 for client with MAC address f8:60:f0:05:3c:cd.",
"notes": "This is a sample note.",
"impactedEntities": {
"deviceSerial": [
"CG0019588"
],
"clientMac": []
},
"additionalDetails": [
{
"serial": "CG0019588",
"hostname": "Aruba7008_0A_CF_C0",
"firmwareVersion": "10.8.0.0_93576"
}
]
}