Reviewing Detection & Response (XDR) Stories in the Stories Workbench

This article discusses how you can use the Stories Workbench to review stories for potential threats in your account.

Overview of Detection & Response Stories

Cato Detection & Response is an additional layer of security that creates stories for threats. When Cato’s advanced correlation engines analyze traffic data and find a match for a potential threat, they generate a story. The story contains data from traffic flows with common properties that relate to the same threat. The Stories Workbench page shows the details of each story to help you understand and analyze the threats. You can sort and filter the stories to find the most important potential attacks, and then drill-down on a story to further investigate the details.

These are examples of data that a story can include:

  • Sources in your network

  • External targets of network traffic

  • Identification and description of the threat

  • Relevant geolocations

  • Related applications

  • Relevant events

  • Popularity of the target according to Cato internal data

  • Malicious score of the target according to Cato machine learning models

Prerequisites

  • One or more of the following security services must be enabled for stories to be detected and to appear in the Stories Workbench:

    • IPS

    • Anti-Malware

    • NG Anti-Malware

Showing the Stories Workbench Page

The Stories Workbench page shows a summary of the stories for the potential threats in your account.

To show the Stories Workbench page:

  • From the navigation menu, click Monitoring> Stories Workbench.

Understanding the Stories Columns

Detection__Remediation_Stories_Workbench.png

Column

Description

ID

Unique Cato ID for this story

Created

Date of the first traffic flow for the story

Updated

Date of the most recent traffic flow for the story

Criticality

Cato's risk analysis of the story (values are from 1 - 10)

Indication

Indicator of attack for the story. For more about indications, see Using the Indications Catalog

Source

IP address, name of device, or SDP user on your network involved in the story

Engine Type

The security engine that created the story.

Status

  • Pending Customer - Story was sent to customer and is waiting for a response from them

  • Pending Analyst - Waiting for more information from security analysts

  • Closed - Security analysts closed the story

Grouping the Stories

To provide context when reviewing the stories, you can show the stories in groups defined by details including Source, Indication, Status, and Type. For example, you can show together all of the stories related to a specific source IP address or all of the Cybersquatting stories. This gives you a broader perspective when analyzing the stories, and can help you reach faster and more accurate conclusions.

Each group highlights the criticality levels for the stories in that group, including the number of high, medium, and low criticality stories.

Stories_Workbench_Grouping.png

To group the stories in the Stories Workbench:

  1. From the navigation menu, click Monitoring> Stories Workbench.

  2. From the Group By drop-down menu, select the required criterion.

    The stories are shown in expandable groups.

Filtering the Stories

There are three ways to filter the data in the Stories Workbench:

  • Select a preset filter

  • Automatically update the filter with a selected item

  • Manually configure the filter

Preset Filters

You can select a preset filter to focus on either Network Operations or Security Operations stories. When you select a preset filter, the story columns most relevant for that type of story are shown by default.

To select a preset filter:

  1. In the filter bar, click the Select Presets dropdown menu.

  2. Select the preset. The Stories Workbench is updated to show the stories that match the preset.

Automatically Filtering for an Item

As you hover over an item or field where a filter option is available, the TD_Filter.png button appears. Click the icon to show the filter options:

  • Add to Filter - Adds the item to the filter, and the Stories Workbench now only shows stories that include this item. For example, if you filter for a specific Criticality score, the page only shows stories with that Criticality.

  • Exclude from Filter - Updates the filter to exclude this item, and the Stories Workbench now only shows stories that do NOT include this item.

You can continue to add items to the filter, click TD_Filter.png again to update the filter and drill-down further.

Selecting the Time Range

The default time range for the Stories Workbench is the previous two days. You can select a different time range to show a longer or shorter time period. For more information, see Setting the Time Range Filter.

The maximum date range for the Stories Workbench is 90 days.

Manually Configuring the Filter

You can manually configure the story filter for greater granularity to analyze the stories. After you configure the filter, it is added to the stories filter bar and the page is automatically updated to show the stories that match the new filter.

To create a filter:

  1. In the filter bar, click Add2.png.

  2. Start typing or select the Field.

  3. Select the Operator, which determines the relationship between the Field and the Value you are searching for.

  4. Select the Value.

  5. Click Add Filter. The filter is added to the filter bar and the Stories Workbench is updated to show stories based on the filters.

Clearing the Filter

You can remove each item in the filter separately, or clear the entire filter.

To clear the filters for the Stories Workbench page:

  1. To clear a single filter, click remove.png next to the filter (item 1 above).

  2. To clear all the filters, click X at the right end of the filter bar (item 2 above).

Drilling-Down and Analyzing Stories

You can click on a story in the Stories Workbench to drill-down and investigate the details in a different page. This page contains a number of widgets that help you evaluate the potential threat identified by the Threat Prevention engine.

Generating AI Story Summaries

The Stories Workbench drill-down includes a tool that lets you create a natural language story description generated by AI, which provides rich context and helps you quickly assess the story. The story summary is generated dynamically to reflect the current state of the story. If the story updates with new information, you can regenerate the summary to reflect the changes.

  • The AI story summary is generated only on-demand by the admin

Protecting Sensitive Data with Tokenization

For robust data security during the transmission of story data to third-party AI services, Cato uses tokenization to ensure all sensitive data remains in the Cato XDR platform. This involves replacing sensitive information with unique identifiers, or "tokens," rendering the data meaningless to unauthorized entities. Sensitive data is never exposed to third-party services. This approach ensures the confidentiality of the story's details, aligning with our commitment to robust data privacy and security standards.

Note

Note: Due to the limitations of generative AI, the information provided in story summaries may occasionally contain inaccuracies.

Understanding the Story Drill-Down Widgets

Detection___Remediation_Callouts_PNG.png

These are the story drill-down widgets:

Item

Name

Description

1

Story summary

A summary of basic information about the story, including:

  • Threat category

  • Severity of the threat as determined by analyst

  • Verdict for the threat as determined by analyst

  • Attack type (for example, Browser Extension, Native Application, Scanner, Web App)

  • Number of compromised devices

  • Number of signals (traffic flows) associated with the attack

  • Story status

Click More_icon.png to open the Story Actions panel and change story settings such as Analyst Verdict and Status.

2

Story timeline

Shows a timeline of the story, such as changes made to the story verdict and severity, and when new targets related to the story are identified

3

Details

Key information for analyzing the story, including a threat description, and MITRE ATT&CK® techniques identified for the threat.

  • Click Generate AI Summary for a natural language story description that provides rich context and helps you quickly assess the story

Other details include:

  • ML Risk - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values are from 1 - 10)

  • Predicted Verdict and Predicted Type based on machine learning predictions for the probable verdict and potential malware type that you may identify. The machine learning algorithms analyze the final verdicts of similar stories

  • Similar Stories - Shows stories with the same Indication or Target. Details shown for each story include: story threat type, story verdict (if available), and the level of similarity as calculated by a machine learning model (indicated by a percentage). Hover the mouse on the story to show a more detailed classification of the threat

For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

  • Click a MITRE ATT&CK® technique to read its description on the MITRE ATT&CK® website

4

Source

Basic information about the devices in your network impacted by the threat

5

Attack Geolocation

Shows the geolocation for sources in your network (orange locations) and external sources (red locations) related to the threat. Arrows connecting the sources indicate the direction of traffic

6

Target Actions

Events related to each target, including the following information:

Column

Description

Target

Domains or IP addresses of external sources identified in traffic flows related to the story

Type

Security engine that generated the events related to the target

Action

Action taken on the traffic related to the target

Related Events

Shows tcategoryhreat signatures that appear in events related to the target.

  • Hover the mouse over a signature to show a summary event log

  • Click the signature to open the Events page pre-filtered for the signature

7

Attack Distribution

Time distribution of attack related flows.

  • To make it easier to read the graph, in Targets, click a target to hide that data from the graph

  • To show the attack details, hover the mouse over the graph

8

Targets

Shows data for the potentially malicious sources outside your network site related to the story.

Column

Description

Creation Date

Registration date of the target domain

Target

Domains or IP addresses of external sources identified in traffic flows related to the story

Target Links

Links to look up the target in various external threat intelligence sources.

For additional information, click the VirusTotal icon, or select other resources from the drop-down menu.

Malicious Score

The malicious score of the target according to Cato threat intelligence algorithms. Scores range from 0 (benign) to 1 (malicious)

Popularity

How often the target appears in Cato internal data sources. Values are: Unpopular, Low, Medium, High

Categories

Cato categories for the target domain

Threat Feeds

Number of Cato threat intelligence sources that detected the target as malicious

Engines

Number of third party security engines that detected the target as malicious

Registrant Country

Country where the target domain is registered

Google Search Hits

Number of Google search results for the target

9

Attack Related Events

Shows data for a representative sample of events related to the attack.

Column

Description

Target

Target domain or IP of the relevant communication flow

Start Time

Timestamp for the beginning of the flow

Direction

Direction of the flow. Directions include:

  • Inbound - Traffic to your network originating at an external source

  • Outbound - Traffic from your network to an external source

  • WANbound - Traffic from your network to another site on your network

Source IP

Source IP address in your network sending or receiving the flow

Source Port

Source port in your network sending or receiving the flow

Destination IP

IP address of the external target sending or receiving the flow

Destination Port

The port of the external target sending or receiving the flow

Method

The HTTP method in the flow (GET, POST, and so on)

Full Path URL

The complete URL of the external resource in the flow

Client

The client type in the flow

Cato App

The Cato application used in the flow

Destination Country

Location of the Destination IP in the flow

DNS Response IP

The IP address returned by a DNS lookup

Was this article helpful?

1 out of 1 found this helpful

0 comments

Add your comment