Guardicore Centra¶
About¶
Akamai Guardicore Segmentation is a software-based microsegmentation solution that provides the simplest, fastest, and most intuitive way to enforce Zero Trust principles. It enables you to prevent malicious lateral movement in your network through precise segmentation policies, visuals of activity within your IT environment, and network security alerts. Akamai Guardicore Segmentation works across your data centers, multicloud environments, and endpoints. It is faster to deploy than infrastructure segmentation approaches and provides you with unparalleled visibility and control of your network.
Product Details¶
Vendor URL: Guardicore
Product Type: Workload Secuirty
Product Tier: Tier II
Integration Method: Syslog
Parser Details¶
Log Format: CEF
Expected Normalization Rate: 90%
Data Label: GUARDICORE_CENTRA
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| agent.malformed_agent.agent_id | additional.fields |
| agent.malformed_agent.component_id | additional.fields |
| agent.malformed_agent.display_name | additional.fields |
| dstHost | target.hostname |
| kv.id | metadata.product_log_id |
| kv.shost | principal.hostname |
| kv.src | principal.user.product_object_id |
| kv2.component_id | target.user.product_object_id |
| kv2.ip | target.ip |
| kv2.labels | target.platform_version |
| kv2.Site | target.user.office_address.name |
| kv3.Asset_id | target.user.product_object_id |
| kv3.Asset_name | target.hostname |
| kv3.Change_cause | security_result.summary |
| kv3.Changed_by | principal.hostname |
| kv3.IP_Addresses | target.ip |
| kv3.Removed_labels | target.user.office_address.name |
| observer | observer.hostname |
| productEvent | product_event_type |
| severity | security_result.severity |
| srcIP | principal.ip |
| srMsg | security_result.description |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| all others | GENERIC_EVENT |
Log Sample¶
<10> May 16 12:00:00 Guardicore CEF:0|Guardicore|Centra|45|Agent Log Event|Agent Log Event|high|id=abcd1234-ab12-cd34-ef56-abcdef123456 shost=gc-aggregator-10-10-10-10 start=2023-05-16 12:00:00 cs1Label=Affected Agents cs1=SAMPLE001-SAMPLEAPPS-COM-abcde12345 (ip: 10.10.1.1, component_id: 12345) msg=The Agent client was disconnected from controller-agents-server during initialization
Sample Parsing¶
metadata.event_timestamp.seconds = 1684238433
metadata.event_type = "GENERIC_EVENT"
metadata.log_type = "GUARDICORE_CENTRA"
metadata.product_event_type = "Agent Log Event"
metadata.product_log_id = "abcd1234-ab12-cd34-ef56-abcdef123456"
metadata.product_name = "Guardicore Centra"
metadata.vendor_name = "Guardicore"
observer.hostname = "Guardicore"
principal.hostname = "gc-aggregator-10-10-10-10"
security_result.description = "The Agent client was disconnected from controller-agents-server during initialization"
security_result.severity = "HIGH"
target.hostname = "SAMPLE001-SAMPLEAPPS-COM-abcde12345"
target.ip = "10.10.1.1"
target.user.product_object_id = "12345"
Rules¶
Coming Soon