HPE Aruba Networking

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types

3rd party detection

Hunters detection

IOC search

Search

Table name

Log format

Collection method

HPE Aruba ClearPass

✅

✅

✅

hpe_aruba_clearpass_alerts

CEF

S3


Overview

HPE Aruba ClearPass is a powerful network access control (NAC) solution that provides secure, policy-based access for wired, wireless, and VPN networks. It enables organizations to authenticate, authorize, and enforce security policies for users and devices across diverse environments. With features like role-based access control, device profiling, and automated threat responses, ClearPass simplifies managing network security while enhancing visibility and compliance.

ClearPass plays a critical role in modern enterprise environments by offering visibility, authentication, and control over a wide range of user devices—managed and unmanaged alike. Through detailed logging and event tracking, ClearPass enables administrators to monitor access events, troubleshoot authentication issues, and audit user and device behavior in real time.

In security-sensitive environments, ClearPass provides a rich stream of log data that can be ingested by Hunters’ SIEM or analyzed directly to detect, investigate, and respond to access control events. These logs follow formats such as CEF (Common Event Format) and contain detailed contextual attributes about authentication attempts, posture assessments, device profiling, and policy enforcement.

Supported data types

Aruba ClearPass

Table name: hpe_aruba_clearpass_alerts

HPE Aruba ClearPass alerts notify administrators of security events and policy violations within the network. These alerts provide critical information about unauthorized access attempts, suspicious activity, or endpoint compliance issues, enabling swift action to mitigate risks. They can be configured to trigger automated responses or integrate with third-party security tools for enhanced incident management.

Send data to Hunters

Hunters supports the collection of HPE Aruba Networking logs via an intermediary AWS S3 bucket.

To connect HPE Aruba Networking logs:

  1. Set up log forwarding from HPE Aruba Networking to a designated AWS S3 bucket.

  2. Once the export is completed and the logs are collected in S3, follow the steps in this section.

Expected format

Logs are expected in CEF format.

<143>Jul 15 01:34:05 pbgxxx001 Jul 15 2025 01:34:05 12.12.12.12 CEF:0|Aruba Networks|ClearPass|1.12.5.12345|2123|Guest Access|1|cat=Session Logs dvc=10.12.12.12 duser=arxxx_ensor requestMethod=EAP-ABCD,EAP-Mxxxv2 dmac=20xxx4fa3 dpriv=HuexxxxXI, [User xxxxd] cs4=UNKNOWN cs4Label=System Posture Txxx outcome=[Update Endpoint Known], HueHoxxxx_100 rt=Jul 15 2025 01:32:10
Jul 28 2025 08:22:36 10.12.12.12 CEF:0|Aruba Networks|ClearPass|1.12.5.12345|2123|TAxx+ Administration|1|cat=Session Logs dvc=10.12.12.12 duser=_svcxxxc destinationServiceName=HueHxxxxxtch_Device Access Service dst=10.12.12.123 dpriv=0 rt=Jul 28 2025 08:20:44
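
The records above carry a syslog prefix before the CEF header, and several extension values (`dpriv`, `outcome`, `rt`) contain spaces and commas, so splitting on whitespace breaks them. The following Python parser is an added example, not Hunters or HPE code; `parse_cef`, the header field names and the `labels` dictionary are names chosen here, and the input is the first sample record from this page.

```python
import re

# First sample record from this page, verbatim (redactions included).
SAMPLE = (
    "<143>Jul 15 01:34:05 pbgxxx001 Jul 15 2025 01:34:05 12.12.12.12 "
    "CEF:0|Aruba Networks|ClearPass|1.12.5.12345|2123|Guest Access|1|"
    "cat=Session Logs dvc=10.12.12.12 duser=arxxx_ensor "
    "requestMethod=EAP-ABCD,EAP-Mxxxv2 dmac=20xxx4fa3 "
    "dpriv=HuexxxxXI, [User xxxxd] cs4=UNKNOWN cs4Label=System Posture Txxx "
    "outcome=[Update Endpoint Known], HueHoxxxx_100 rt=Jul 15 2025 01:32:10"
)

HEADER = ("cef_version", "vendor", "product", "device_version",
          "signature_id", "name", "severity")
# An extension key is a run of word characters immediately followed by '='
# and preceded by start-of-string or whitespace; an escaped '\=' never matches.
KEY_RE = re.compile(r"(?:^|\s)(\w+)=")

def _unescape(value):
    """Undo CEF backslash escaping of pipe, equals and backslash."""
    return re.sub(r"\\([|=\\])", r"\1", value)

def parse_cef(line):
    """Parse one CEF record, ignoring whatever syslog prefix precedes 'CEF:'."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    # Seven header fields split on unescaped '|'; the remainder is the extension.
    parts = re.split(r"(?<!\\)\|", line[start + 4:].rstrip("\r\n"), maxsplit=7)
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    event = {k: _unescape(v) for k, v in zip(HEADER, parts)}
    raw, ext = parts[7], {}
    keys = list(KEY_RE.finditer(raw))
    for i, m in enumerate(keys):
        # A value runs until the next key, so spaces and commas stay inside it.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape(raw[m.end():end].strip())
    # Pair custom fields with their labels: cs4 + cs4Label -> {label: value}.
    event["labels"] = {v: ext[k[:-5]] for k, v in ext.items()
                       if k.endswith("Label") and k[:-5] in ext}
    event["extension"] = ext
    return event

if __name__ == "__main__":
    for key, value in parse_cef(SAMPLE)["extension"].items():
        print(f"{key:15} {value}")
```

A value that itself contains an unescaped ` word=` sequence is indistinguishable from a new key in CEF, so such records should be checked against the raw line before being trusted in a detection.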