Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Current »

Overview

Centripetal provides CleanINTERNET® technology which delivers fully-managed Enterprise-class SecOps as a service for all organizations, regardless of size or industry. CleanINTERNET® technology's Flow Event Logging does inspection of every inbound and outbound packet, log-and-flow event delivers real-time analytics. The syslog data is continually sent to standard Security and Event Monitoring (SIEM) platforms for threat analysis and mitigation. Advanced packet filtering that leverages threat intelligence becomes a critical technology in today’s SOC.

Collection

Centripetal log is a space-delimited syslog with observed 20 mandatory fields. Parsing of Centripetal syslogs is done by identifying mandatory fields and putting them in the Snare event map. The optional fields are all appended in SnareDataMap.

Sample Event

<14>1 2019-10-28T15:24:43.300-04:00 1.2.3.4 rulegate 3989 - - devname=office2.centripetal.local devid=PBWFHY type=traffic subtype=apf-flow eventid=5B70BD33AE direction=out observed=WAN,LAN,PUBLIC-d4,PUBLIC-d5 rx_bytes=1757 packet_count=7 action=allowed action_context=>WAN:pass,cap;>LAN:logged,cap;<WAN:pass,cap;<LAN:logged,cap cti_trigger=168.143.241.155 cti_provider=ET cti_feed=ET-IPCheck_Block-ip cti_type=IP proto=6 tcp_flags=>SYN;<SYN,ACK;>ACK;>ACK,PUSH;<ACK;<ACK,PUSH srcip=5.6.7.8 srcport=1 dstip=9.10.11.12 dstport=2 wanip=13.14.15.16 wanport=3

Fields

Field

Description

DATE

Event date, in the format YYYY-MM-DD

TIME

Event time, in the format is ISO 8601 and RFC 3339
e.g. 2019-10-28T15:24:43.300-04:00

SYSTEM

The source system

CRITICALITY

14

TABLE

Centripetal

DEVNAME

Device name

DEVID

Serial number of the device for the traffic’s origin

TYPE

Event type is traffic

SUBTYPE

Event subtype is apf-flow

EVENTID

Eventid is 10 digit hexadecimal value

DIRECTION

IN, OUT

OBSERVED

Observed network types used

RX_BYTES

Received transmission bytes

PACKET_COUNT

Received packet count

ACTION

Status of the session

ACTION_CONTEXT

List of executed actions per network type sessions detected. e.g. logged, captured, logged&captured, etc.

CTI_TRIGGER

IP address of the triggering CTI system

CTI_PROVIDER

Name of the IP Reputation checking system

CTI_FEED

CTI system that does the IP Reputation check

CTI_TYPE

Cross triggering interface type. e.g URL, MD, IP, FQDN

PROTO

Interface of the traffic's destination

SRCIP

IP address of the traffic’s origin

SRCPORT

Port number of the traffic's origin

DSTIP

Destination IP address for the web

DSTPORT

Port number of the traffic's destination

SNAREDATAMAP

All other data in the event will be pushed to this field

Notes

Reference Documentation: https://www.centripetal.ai/

  • No labels