
ddos.arbor

Introduction

The tags beginning with ddos.arbor identify events generated by Netscout (formerly Arbor Networks).

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as ddos.arbor. The third level identifies the product that sends the events (peakflow or pravail). The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service        Tags                       Data tables
Arbor Networks Peakflow  ddos.arbor.peakflow.dos    ddos.arbor.peakflow.dos
                         ddos.arbor.peakflow.sp     ddos.arbor.peakflow.sp
Arbor Networks Pravail   ddos.arbor.pravail.aps     ddos.arbor.pravail.aps

For more information, see About Devo tags.

Table structure

These are the fields displayed in these tables:

ddos.arbor.peakflow.dos

Field                   Type        Source field name   Extra fields
eventdate               timestamp
host                    str         vhost
rawMessage              str
anomaly                 str
id                      int4
status                  str
severity                int4
srcIp                   ip4
srcPort1                str
srcPort2                str
dstIp                   ip4
dstPort1                str
dstPort2                str
startTime               str
duration                int4
percent                 float8
rate                    str
rateUnit                str
protocol                str
flags                   str
url                     str                             ✓
hostchain               str                             ✓
tag                     str                             ✓

ddos.arbor.peakflow.sp

Field                   Type        Source field name   Extra fields
eventdate               timestamp
host                    str         vhost
rawMessage              str
action                  str
startTime               str
duration                int4
stopTime                str
direction               str
srcIp                   ip4
signatures              str
impact                  str
importance              int4
managed_objects         str
status                  str
parent_managed_object   str
leader                  str                             ✓
hostchain               str                             ✓
tag                     str                             ✓

ddos.arbor.pravail.aps

Field                   Type        Source field name   Extra fields
eventdate               timestamp
host                    str         vhost
blocked_host            str
srcIp                   ip4
dstIp                   ip4
srcPort                 int4
dstPort                 int4
time                    str
epoch                   str
elid                    str
threat_name             str
threat_category         str
pattern                 str
pgid                    str
pgname                  str
match_type              str
url                     str
rawMessage              str                             ✓
hostchain               str                             ✓
tag                     str                             ✓
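As an added example that is not Devo's or Netscout's code, the following Python ties the tag rules from "Valid tags and data tables" to the column types from "Table structure": table_for_tag checks that a tag has the four required levels, the fixed ddos.arbor prefix and a known product/subtype pair, and validate_event checks a parsed event against the column types of the table that tag feeds. The function names, the VALID_SUBTYPES and SCHEMAS dictionaries and the sample event are assumptions made here; the sample event is constructed, not captured from a real device, and fields the page marks as extra fields (✓) are left out of the check.

```python
import ipaddress
from datetime import datetime, timezone

# Allowed third-level (product) and fourth-level (subtype) values, from the
# "Valid tags and data tables" section. Every valid tag maps to a data table
# with the same name.
VALID_SUBTYPES = {
    "peakflow": {"dos", "sp"},
    "pravail": {"aps"},
}

# Column types per table, copied from the "Table structure" section. Fields
# the page marks as extra fields (url/hostchain/tag, leader, and rawMessage
# for pravail.aps) are not listed, so they are not checked.
SCHEMAS = {
    "ddos.arbor.peakflow.dos": {
        "eventdate": "timestamp", "host": "str", "rawMessage": "str",
        "anomaly": "str", "id": "int4", "status": "str", "severity": "int4",
        "srcIp": "ip4", "srcPort1": "str", "srcPort2": "str", "dstIp": "ip4",
        "dstPort1": "str", "dstPort2": "str", "startTime": "str",
        "duration": "int4", "percent": "float8", "rate": "str",
        "rateUnit": "str", "protocol": "str", "flags": "str",
    },
    "ddos.arbor.peakflow.sp": {
        "eventdate": "timestamp", "host": "str", "rawMessage": "str",
        "action": "str", "startTime": "str", "duration": "int4",
        "stopTime": "str", "direction": "str", "srcIp": "ip4",
        "signatures": "str", "impact": "str", "importance": "int4",
        "managed_objects": "str", "status": "str",
        "parent_managed_object": "str",
    },
    "ddos.arbor.pravail.aps": {
        "eventdate": "timestamp", "host": "str", "blocked_host": "str",
        "srcIp": "ip4", "dstIp": "ip4", "srcPort": "int4", "dstPort": "int4",
        "time": "str", "epoch": "str", "elid": "str", "threat_name": "str",
        "threat_category": "str", "pattern": "str", "pgid": "str",
        "pgname": "str", "match_type": "str", "url": "str",
    },
}


def table_for_tag(tag):
    """Return the data table a ddos.arbor tag feeds, or raise ValueError.

    A valid tag has exactly four dot-separated levels: the fixed prefix
    ddos.arbor, a product (third level) and a subtype (fourth level).
    """
    levels = tag.split(".")
    if len(levels) != 4 or levels[:2] != ["ddos", "arbor"]:
        raise ValueError(f"tag must be ddos.arbor.<product>.<subtype>: {tag!r}")
    product, subtype = levels[2], levels[3]
    if subtype not in VALID_SUBTYPES.get(product, set()):
        raise ValueError(f"unknown ddos.arbor product/subtype: {tag!r}")
    return tag  # for this tag family the table name is the tag itself


def _type_ok(value, devo_type):
    """Check a Python value against one of the column types used on this page."""
    if devo_type == "str":
        return isinstance(value, str)
    if devo_type == "timestamp":
        return isinstance(value, datetime)
    if devo_type == "int4":  # signed 32-bit; bool is rejected on purpose
        return (isinstance(value, int) and not isinstance(value, bool)
                and -2**31 <= value < 2**31)
    if devo_type == "float8":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    if devo_type == "ip4":
        try:
            ipaddress.IPv4Address(value)
            return True
        except (ValueError, TypeError):
            return False
    raise ValueError(f"unknown column type {devo_type!r}")


def validate_event(tag, event):
    """Return a list of problems for a parsed event destined for `tag`'s table.

    Reports fields the table does not define and fields whose value does not
    match the column type. Absent fields are not reported: the page lists the
    columns, not which of them are mandatory.
    """
    schema = SCHEMAS[table_for_tag(tag)]
    problems = []
    for name, value in event.items():
        if name not in schema:
            problems.append(f"{name}: not a column of {tag}")
        elif not _type_ok(value, schema[name]):
            problems.append(f"{name}: expected {schema[name]}, got {value!r}")
    return problems


# Constructed sample event (assumed, not taken from a real Peakflow device):
# the kind of record a parser would emit for one ddos.arbor.peakflow.dos line.
SAMPLE_DOS_EVENT = {
    "eventdate": datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    "host": "peakflow-1", "anomaly": "Bandwidth", "id": 1234,
    "status": "ongoing", "severity": 2, "srcIp": "198.51.100.7",
    "dstIp": "203.0.113.10", "duration": 600, "percent": 87.5,
    "rate": "1.2", "rateUnit": "Gbps", "protocol": "udp",
}

if __name__ == "__main__":
    print(table_for_tag("ddos.arbor.peakflow.dos"))
    print(validate_event("ddos.arbor.peakflow.dos", SAMPLE_DOS_EVENT))  # []
    bad = dict(SAMPLE_DOS_EVENT, srcIp="not-an-ip", severity="high")
    print(validate_event("ddos.arbor.peakflow.dos", bad))
```

One thing the schema check makes visible: the port columns are str (srcPort1, dstPort1 and their ..2 variants) in ddos.arbor.peakflow.dos but int4 (srcPort, dstPort) in ddos.arbor.pravail.aps, so a detection rule or join that compares ports across these two tables has to cast one side.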