Overview
Centripetal provides CleanINTERNET® technology which delivers fully-managed Enterprise-class SecOps as a service for all organizations, regardless of size or industry. CleanINTERNET® technology's Flow Event Logging does inspection of every inbound and outbound packet, log-and-flow event delivers real-time analytics. The syslog data is continually sent to standard Security and Event Monitoring (SIEM) platforms for threat analysis and mitigation. Advanced packet filtering that leverages threat intelligence becomes a critical technology in today’s SOC.
Collection
Centripetal log is a space-delimited syslog with observed 20 mandatory fields. Parsing of Centripetal syslogs is done by identifying mandatory fields and putting them in the Snare event map. The optional fields are all appended in SnareDataMap.
Sample Event
<14>1 2019-10-28T15:24:43.300-04:00 1.2.3.4 rulegate 3989 - - devname=office2.centripetal.local devid=PBWFHY type=traffic subtype=apf-flow eventid=5B70BD33AE direction=out observed=WAN,LAN,PUBLIC-d4,PUBLIC-d5 rx_bytes=1757 packet_count=7 action=allowed action_context=>WAN:pass,cap;>LAN:logged,cap;<WAN:pass,cap;<LAN:logged,cap cti_trigger=168.143.241.155 cti_provider=ET cti_feed=ET-IPCheck_Block-ip cti_type=IP proto=6 tcp_flags=>SYN;<SYN,ACK;>ACK;>ACK,PUSH;<ACK;<ACK,PUSH srcip=5.6.7.8 srcport=1 dstip=9.10.11.12 dstport=2 wanip=13.14.15.16 wanport=3
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format is ISO 8601 and RFC 3339 |
SYSTEM | The source system |
CRITICALITY | 14 |
TABLE | Centripetal |
DEVNAME | Device name |
DEVID | Serial number of the device for the traffic’s origin |
TYPE | Event type is traffic |
SUBTYPE | Event subtype is apf-flow |
EVENTID | Eventid is 10 digit hexadecimal value |
DIRECTION | IN, OUT |
OBSERVED | Observed network types used |
RX_BYTES | Received transmission bytes |
PACKET_COUNT | Received packet count |
ACTION | Status of the session |
ACTION_CONTEXT | List of executed actions per network type sessions detected. e.g. logged, captured, logged&captured, etc. |
CTI_TRIGGER | IP address of the triggering CTI system |
CTI_PROVIDER | Name of the IP Reputation checking system |
CTI_FEED | CTI system that does the IP Reputation check |
CTI_TYPE | Cross triggering interface type. e.g URL, MD, IP, FQDN |
PROTO | Interface of the traffic's destination |
SRCIP | IP address of the traffic’s origin |
SRCPORT | Port number of the traffic's origin |
DSTIP | Destination IP address for the web |
DSTPORT | Port number of the traffic's destination |
SNAREDATAMAP | All other data in the event will be pushed to this field |
Notes
Reference Documentation: https://www.centripetal.ai/