Aruba ClearPass Integration Guide
Aruba ClearPass should be configured to send logs via syslog to the Taegis™ XDR Collector. ClearPass logs are filtered and correlated for various security event observations. Please follow the instructions in Adding a Syslog Export Filter on the Aruba documentation site.
Connectivity Requirements
Source | Destination | Port/Protocol |
---|---|---|
Aruba ClearPass | XDR Collector (mgmt IP) | UDP/514 |
Data Provided from Integrations
Auth | DNS | HTTP | Management | Netflow | NIDS | Process | Thirdparty | |
---|---|---|---|---|---|---|---|---|
Aruba ClearPass NAC | D |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configuration Instructions
To configure Aruba ClearPass to send logs to Secureworks® Taegis™ XDR, follow the instructions provided by Aruba to add a syslog export filter in Adding a Syslog Export Filter for each of the Export Template types. Consider the following requirements when completing the configuration steps:
- Export Template — Choose one of the templates and then repeat the steps for each remaining template.
- Export Event Format Type — CEF
- Syslog Servers — Select Add New Syslog Target (further instructions can be found in Adding a Syslog Export Filter) and specify the following:
  - Host Address — The IP address of the XDR Collector
  - Protocol — UDP
  - Port — 514
- Repeat the same process for each of the Export Template types.
Important
Each log must be sent as a single line. We are unable to rejoin split logs, and any split portion may be ignored.
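
One way to check the two requirements above (CEF format, one log per line) before relying on the feed, as an added example that is not part of the Aruba or Secureworks documentation. It assumes the syslog datagram payloads have already been captured as raw bytes; the function names are hypothetical and the sample payloads are constructed.

```python
import re

CEF_START = re.compile(r"CEF:\d+\|")
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")  # a pipe not preceded by a backslash

# Constructed sample payloads (not real ClearPass output).
SAMPLES = [
    b"<143>Jan 10 12:00:00 cppm.example.test CEF:0|Vendor|Product|0.0|1000|Constructed Event|1|src=192.0.2.10\n",
    b"<143>Jan 10 12:00:01 cppm.example.test CEF:0|Vendor|Product|0.0|1001|Constructed Event|1|msg=first\nsecond",
    b"second half of a split log cs1=orphan",
    b"<143>Jan 10 12:00:02 cppm.example.test CEF:0|Vendor|Product|0.0",
]


def check_payload(payload: bytes) -> list[str]:
    """Return the problems found in one syslog datagram payload."""
    problems = []
    # A trailing newline is a normal terminator; an embedded one splits the log.
    body = payload.decode("utf-8", errors="replace").rstrip("\r\n")
    if "\n" in body or "\r" in body:
        problems.append("embedded line break: log would be split")
    first_line = re.split(r"[\r\n]", body, maxsplit=1)[0]
    match = CEF_START.search(first_line)
    if not match:
        problems.append("no CEF header: check Export Event Format Type")
        return problems
    # Seven header fields, then the extension: eight parts in total.
    parts = UNESCAPED_PIPE.split(first_line[match.start():], maxsplit=7)
    if len(parts) < 8:
        problems.append("incomplete CEF header: expected 7 pipe-delimited fields")
    return problems


def audit(payloads) -> dict[int, list[str]]:
    """Map the index of each failing payload to its problems."""
    results = {}
    for index, payload in enumerate(payloads):
        problems = check_payload(payload)
        if problems:
            results[index] = problems
    return results


if __name__ == "__main__":
    for index, problems in audit(SAMPLES).items():
        print(index, "; ".join(problems))
```

A payload with no CEF header is either the orphaned tail of a split log or a sign that the export filter is not set to CEF.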