This article explains how to integrate an Azure storage account with your Cato account to upload events directly to a storage account.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.
For customers that review and analyze event data in an Azure storage account, you can configure your Cato account to automatically and continuously upload events to it. This is different from the eventsFeed API, which requires customers to pull the data from Cato and is impacted by issues such as rate-limiting.
Note: You can define up to a total of three Event Integrations for your account.
Sample company is using the IPS Suspicious Activity Monitoring feature, which generates a lot of security events. They decide to create an Azure storage account to store all the event data, which they can then integrate with their SIEM solution. Sample company enables Events Integration and adds the Azure storage account as an integration to their Cato account so that all the IPS events are automatically uploaded to the Azure storage.
Create a new storage account for the Cato event data. We recommend that you don't use an existing storage account for the Event Integration. Generate a connection string for the storage account to allow Cato to access it. You will paste it in the Cato Management Application when you configure the Event Integration. You can create the connection string from an access key or from a shared access signature (SAS).
Generating a Connection String with SAS
The SAS lets you restrict permissions for the storage container, such as allowed IP addresses, and an expiration date for the connection string. The token for the SAS connection string includes an expiration date, which is shown on the Event Integration page. After the expiration date, the token is no longer valid, and Cato can't push events to the storage container. To maintain uninterrupted uploading of events, make sure to generate a new connection string and apply it to the integration before the SAS expiration date.
Configure these settings for SAS before you generate the connection string:
- Allowed services - Blob
- Allowed resource types - Container, Object
- Allowed permissions - Read, Write, List
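A check you could run on a SAS connection string before pasting it into the Cato Management Application, added here as an example (not Cato or Microsoft code): it parses the token and reports any grant beyond the Blob / Container, Object / Read, Write, List settings above, and warns ahead of the expiration date. The account name, IP range and signature in the sample are constructed placeholders, and the `spr` (HTTPS only) and `sip` (allowed IP) checks are assumptions about what you want to enforce.

```python
from datetime import datetime, timezone
from urllib.parse import unquote

# Settings from the article: Blob service; Container + Object; Read, Write, List.
EXPECTED = {"ss": set("b"), "srt": set("co"), "sp": set("rwl")}

def parse_sas(conn_str):
    """Extract the SAS token fields from an Azure storage connection string."""
    parts = dict(p.split("=", 1) for p in conn_str.strip().split(";") if "=" in p)
    if "AccountKey" in parts:
        raise ValueError("access-key string: full account access and no expiry")
    token = parts.get("SharedAccessSignature", "").lstrip("?")
    if not token:
        raise ValueError("no SharedAccessSignature field found")
    return {k: unquote(v) for k, v in
            (kv.split("=", 1) for kv in token.split("&") if "=" in kv)}

def audit_sas(conn_str, now=None, warn_days=14):
    """Return findings where the SAS deviates from the article's settings."""
    now = now or datetime.now(timezone.utc)
    sas, findings = parse_sas(conn_str), []
    for key, want in EXPECTED.items():
        got = set(sas.get(key, ""))
        if got - want:
            findings.append(f"{key}: grants more than needed: {sorted(got - want)}")
        if want - got:
            findings.append(f"{key}: missing {sorted(want - got)}")
    if sas.get("spr", "https,http") != "https":
        findings.append("spr: plain HTTP is allowed")
    if "sip" not in sas:
        findings.append("sip: no allowed-IP restriction")
    if "se" not in sas:
        return findings + ["se: no expiry found"]
    expiry = datetime.fromisoformat(sas["se"].replace("Z", "+00:00"))
    if expiry.tzinfo is None:  # date-only expiry values are UTC
        expiry = expiry.replace(tzinfo=timezone.utc)
    days_left = (expiry - now).days
    if days_left < 0:
        findings.append("se: token expired, uploads will fail")
    elif days_left <= warn_days:
        findings.append(f"se: expires in {days_left} days, rotate now")
    return findings

# Constructed sample: placeholder account, IP range (TEST-NET-3) and signature.
SAMPLE = ("BlobEndpoint=https://examplecatoevents.blob.core.windows.net/;"
          "SharedAccessSignature=sv=2022-11-02&ss=b&srt=co&sp=rwl"
          "&se=2030-01-01T00:00:00Z&spr=https"
          "&sip=203.0.113.0-203.0.113.255&sig=PLACEHOLDER")
print(audit_sas(SAMPLE) or "SAS matches the article's settings")
```

Running `audit_sas` on a schedule against the stored string gives advance warning before the token expires and Cato can no longer push events.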
The Cato Cloud uploads data to the storage account every 60 seconds, or when there is more than 10MB of data.
To configure a storage account in Azure to receive Cato event data:
- Create a new storage account with the appropriate settings.
  - In the Instance details, select Standard performance.
  - Click Review and then click Create.
- Create a new container for the event data (Data storage > Containers).
  You will enter the container Name in the Cato Management Application when you create the integration for the events (below).
- Copy the connection string for the storage account. You will paste this string when you create the integration for the events (below).
  In the left-hand navigation pane, go to the Security + networking section.
  - Access keys - copy the connection string for the key you are using
  - Shared access signature - configure the settings for the permissions and click Generate SAS and connection string, then copy the string
- Create a new integration for the Azure storage account in the Events Integration tab, and paste the connection string to the integration. This string gives Cato permission to upload the event data to the storage account. You can't edit the string after creating the integration; instead, you can Reset the field and then paste the connection string.
After you define and enable the Azure storage integration, it takes a few minutes for Cato to start uploading events to the storage account.
You can choose to filter the events that are uploaded to the storage account. For example, you can upload only the IPS events for your account. The default setting is no filter, and all events are uploaded to the storage account.
To add an Azure storage integration to upload events for your account:
- From the navigation menu, select Administration > API & Integrations and select the Connectors tab.
- Select Enable integration with Cato events.
- Click New. The New Integration panel opens.
- In Integration, select Azure Account Storage and enter the Name for the integration.
- Enter these Connection Details for the integration based on the settings in Azure:
  - Connection String - Paste the connection string that you copied from the storage account
  - Name - Identical name of the container in the storage account
  - (Optional) Folder - Identical name for the folder path within the container (if necessary)
- (Optional) Define the filter settings for events that are uploaded to the storage account.
  When you define multiple filters, there is an AND relationship, and the events that match all filters are uploaded.
- Click Apply. The Azure storage account is now integrated with your account.