Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Overview

Centripetal provides CleanINTERNET® technology which delivers fully-managed Enterprise-class SecOps as a service for all organizations, regardless of size or industry. CleanINTERNET® technology's Flow Event Logging does inspection of every inbound and outbound packet, log-and-flow event delivers real-time analytics. The syslog data is continually sent to standard Security and Event Monitoring (SIEM) platforms for threat analysis and mitigation. Advanced packet filtering that leverages threat intelligence becomes a critical technology in today’s SOC.

Collection

Sample Event

<14>1 2019-10-28T15:24:43.300-04:00 10.4.2.199 rulegate 3989 - - devname=office2.centripetal.local devid=PBWFHY type=traffic subtype=apf-flow eventid=5B70BD33AE direction=out observed=WAN,LAN,PUBLIC-d4,PUBLIC-d5 rx_bytes=1757 packet_count=7 action=allowed action_context=>WAN:pass,cap;>LAN:logged,cap;<WAN:pass,cap;<LAN:logged,cap cti_trigger=168.143.241.155 cti_provider=ET cti_feed=ET-IPCheck_Block-ip cti_type=IP proto=6 tcp_flags=>SYN;<SYN,ACK;>ACK;>ACK,PUSH;<ACK;<ACK,PUSH srcip=10.4.7.12 srcport=61518 dstip=168.143.241.155 dstport=80 wanip=150.225.2.180 wanport=61518

Fields

Field

Description

DATE

Event date, in the format YYYY-MM-DD

TIME

Event time, in the format is ISO 8601 and RFC 3339
e.g. 2019-10-28T15:24:43.300-04:00

SYSTEM

The source system

CRITICALITY

DEVNAME

Device name

DEVID

Serial number of the device for the traffic’s origin

TYPE

Event type is traffic

SUBTYPE

Event subtype is apf-flow

EVENTID

Eventid is 10 digit hexadecimal value

DIRECTION

IN, OUT

OBSERVED

Observed network types used

RX_BYTES

Received transmission bytes

PACKET_COUNT

Received packet count

ACTION

Status of the session

ACTION_CONTEXT

List of executed actions per network type sessions detected. e.g. logged, logged, captured, etc.

CTI_TRIGGER

IP address of the triggering CTI system

CTI_PROVIDER

Name of the IP Reputation checking system

CTI_FEED

CTI system that does the IP Reputation check

CTI_TYPE

Cross triggering interface type. e.g URL, MD, IP, FQDN

PROTO

Interface of the traffic's destination

SRCIP

IP address of the traffic’s origin

SRCPORT

Port number of the traffic's origin

DSTIP

Destination IP address for the web

DSTPORT

Port number of the traffic's destination

SNAREDATAMAP

All other data in the event will be pushed to this field

Notes

Reference Documentation: https://www.centripetal.ai/

  • No labels