Generating an XDR Security Report

This article describes Cato's XDR security reports that highlight XDR story investigations, summarize data for security events, and present insights about your account's overall security posture.

Overview of XDR Reports

Cato provides Predefined Report templates that summarize data related to the XDR stories investigated for your account. This lets you generate an XDR report that presents an overview of all story investigations, as well as breakdowns that focus on the most important ones, such as for malicious and suspicious stories. Create the template for the Predefined Report and define the report time range. Then you can generate a report, and download it as a PDF that you can easily share in your organization.

Creating a Predefined XDR Report

By default, the Predefined Report templates for the XDR reports show story data for the past week. You can also define a custom time range.

For more about working with Predefined Reports, see Cato Reports.


To create a Predefined Report:

  1. From the navigation pane, select Monitoring > Reports.

  2. From the Predefined Reports tab, click New. The Create Report panel opens.

  3. Enter the Report Name for the Predefined Report.

  4. In Type, select XDR Report.

  5. Select the Time Range of the report.

    For a Custom range, select the start date (From) and the end date (To) for the Predefined Report.

    The time range dates follow UTC.

  6. Click Save. The report template is added to the Predefined Reports tab.

    You can also click Save & Generate, and then the report is generated and you can download it from the Generated Reports tab.

Understanding the XDR Report

These are the sections in the XDR report:

  • Executive Overview

    • Overall totals of events and stories for the selected time range, including:

      • All Events: The total number of events for the account

      • Security Events: The number of events generated by the Cato security engines enabled for the account

      • Investigated Stories: The total number of Detection & Response stories that were investigated and given a verdict in the Stories Workbench

      • Suspicious and Malicious Stories: The number of stories that were investigated and given a verdict of Suspicious or Malicious in the Stories Workbench

    • Investigated Stories by Verdict: Breakdown by verdict of all investigated stories

    • Investigated Stories Over Time: Graph showing the amount of investigated stories over the past 6 months, including a breakdown by the threat type (for example: Suspicious Activity, Reputation, Policy Violation, Malware)

  • Malicious and Suspicious Stories

    Shows information about stories that received a verdict of Malicious or Suspicious, including:

    • Malicious & Suspicious Stories by Threat Type: Number of Malicious or Suspicious stories according to the type of threat (for example, Suspicious Activity, Reputation, Policy Violation, Malware)

    • Malicious & Suspicious Stories by Site: Number of Malicious or Suspicious stories according to the site with the traffic that generated the story

    • Malicious Stories by Severity: Chart showing number of Malicious stories by severity (High, Medium, Low)

    • Malicious & Suspicious Stories by Location: Graph showing the number of Malicious or Suspicious stories according to the location of the threat. Locations are based on the targets and sources in the story, so one story can have multiple threat locations and is counted once for each of them.

  • General Security Posture

    • Top Blocked Applications Internet Firewall: Top applications blocked by the Internet Firewall with the hit count

    • Top Blocked Categories Internet Firewall: Top categories blocked by the Internet Firewall with the hit count

    • Top Blocked Applications WAN Firewall: Top applications blocked by the WAN Firewall with the hit count

    • Top Blocked Categories WAN Firewall: Top categories blocked by the WAN Firewall with the hit count

    • IPS Events by Risk Level: Chart showing breakdown of IPS block events by risk level

    • Anti-Malware Block Events: Graph showing all the block events for the Anti-Malware service over the time range of the report

  • Investigation Audit

    This section lets you quickly review all the XDR story investigations that reached a verdict during the report time range. The information in the audit table reflects the state of the investigations at the time the report was generated.

    These are the table columns:

    • Link to Story: Click to open the drill-down page for the story in the Stories Workbench

    • Creation Date: Date of the first traffic flow for the story

    • Indication: Indicator of attack for the story. For more about Indications, see Using the Indications Catalog

    • Type: The Detection & Response engine that created the story

    • Classification: The threat type of the story. For example: Suspicious Target, C&C, Suspicious Browser Extension, Scanner

    • Verdict: The verdict for the story as determined by an analyst

    • Severity: The severity of the story as determined by an analyst (possible values: Low, Medium, High)

    • Site: The site on your network with the traffic that generated the story

    • Source: IP address, name of device, or SDP user on your network involved in the story

    • Status: The status of the story investigation. Possible values include: Open, Closed, Pending more info (including number of days pending)
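To make the counting rules behind these sections concrete, here is an added Python example (not Cato's code or API; the record fields and the sample stories are constructed assumptions) that computes the Executive Overview and Malicious & Suspicious breakdowns from a list of story records. It applies two rules stated above: only stories that reached a verdict inside the UTC time range are investigated stories, and a story with several threat locations is counted once per location.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

# Constructed story record; the field names are assumptions, not Cato's schema.
@dataclass
class Story:
    story_id: str
    created: datetime                 # UTC, first traffic flow for the story
    verdict_at: Optional[datetime]    # UTC, when an analyst gave the verdict (None = none yet)
    verdict: Optional[str]            # "Malicious", "Suspicious", "Benign", ...
    threat_type: str                  # e.g. "Malware", "Reputation", "Policy Violation"
    severity: Optional[str]           # "High" / "Medium" / "Low" for Malicious stories
    site: str
    locations: List[str] = field(default_factory=list)  # threat locations (targets and sources)

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample stories (not real account data).
STORIES = [
    Story("s1", utc(2024, 5, 1), utc(2024, 5, 2), "Malicious", "Malware", "High", "NYC", ["US", "DE"]),
    Story("s2", utc(2024, 5, 3), utc(2024, 5, 3), "Suspicious", "Reputation", None, "NYC", ["RU"]),
    Story("s3", utc(2024, 5, 4), utc(2024, 5, 5), "Benign", "Policy Violation", None, "LON", ["GB"]),
    Story("s4", utc(2024, 5, 6), None, None, "Suspicious Activity", None, "LON", ["GB"]),   # still open
    Story("s5", utc(2024, 4, 20), utc(2024, 4, 21), "Malicious", "Malware", "Medium", "LON", ["CN"]),
]

def investigated(stories, start, end):
    """Stories that reached a verdict inside the report's UTC time range [start, end)."""
    return [s for s in stories if s.verdict_at is not None and start <= s.verdict_at < end]

def xdr_summary(stories, start, end):
    """Counts mirroring the Executive Overview and Malicious & Suspicious Stories sections."""
    inv = investigated(stories, start, end)
    flagged = [s for s in inv if s.verdict in ("Malicious", "Suspicious")]
    return {
        "investigated_stories": len(inv),
        "suspicious_and_malicious": len(flagged),
        "by_verdict": Counter(s.verdict for s in inv),
        "by_threat_type": Counter(s.threat_type for s in flagged),
        "by_site": Counter(s.site for s in flagged),
        "malicious_by_severity": Counter(s.severity for s in flagged if s.verdict == "Malicious"),
        # one story contributes to every location it touches, so location totals can exceed story totals
        "by_location": Counter(loc for s in flagged for loc in s.locations),
    }

if __name__ == "__main__":
    print(xdr_summary(STORIES, utc(2024, 5, 1), utc(2024, 5, 8)))
```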
