Creating the Response Policy for XDR Stories

This article explains how to use webhooks and other notifications with the XDR Response Policy that defines when you're notified for new and updated XDR stories, and when events are generated.

For more information about XDR stories, see Reviewing Detection & Response Stories for Your Account


The Response Policy helps you monitor Security and Network XDR stories by defining when notifications for stories are sent to admins and analysts, and when events are generated for the stories. You can create rules that define the story criteria for sending notifications and generating events, and can use subscription groups, mailing lists, and webhook integrations to configure which admins receive the notifications.

For example, you can create rules that send notifications:

  • If the story Criticality is high

  • When new stories are created for a specific source (such as a site or IP range)

  • When the story targets are updated

  • For Security stories with a specific indication of attack

  • For Network stories for specific issues, such as a site or link is down

Generating and Exporting Events for XDR Stories

When you define rules that generate events for XDR stories, you can view them on the Events page, and integrate the events with third-party services such as a SIEM or an AWS S3 bucket. By default, no XDR story events are generated, events are only generated according to configured rules. For more about XDR event fields, see below Cato Event and API Fields for XDR Story Events.

Integrating XDR Stories with Third-Party Services

Cato supports different ways to integrate events for XDR stories with your existing solutions and workflows.

Adding Rules to the XDR Response Policy

When you add a rule to the Response Policy, configure each section in the rule that is required to define the conditions for sending a notification or generating an event.

For example, if you want to generate an event for every XDR story that is created or updated, configure a rule with the Source as Any, and the Trigger as Story Created or Updated.


Note: For MDR customers, please contact to define Response Policy rules for your account.


Response Policy Rule Settings

A Response Policy rule has the following sections:

  • Name - The name you assign for the rule

  • Description for the rule

  • Source - The source of traffic on your network involved in the story. For example: Site, IP address, or SDP user

    For more about Source items for a rule, see Reference for Rule Objects.

  • Criteria - Characteristics of the story to match the rule. When you add criteria, select the criteria type, value, and the operator that determines the relationship between the criteria and value. For example: Criticality | Greater Than | 6.

    Configurable story criteria include the following: Criticality, Severity, Indication, Analyst Verdict, Producer, Added Targets, Status. For more about these story criteria, see Reviewing Detection & Response Stories for Your Account

    • The ​Producer​ criteria is the engine that generates the story, and includes both Security and Network XDR engines. For more about Network XDR, see Reviewing XDR Network Stories. For more about the Security XDR engines and their required license types, see Using the Indications Catalog
    • You can configure multiple values for the following criteria: Indication, Analyst Verdict, Severity, Producer. When you add multiple values to a single criteria entry, there is an OR relationship between them.

  • Trigger - Defines when the Response Policy engine checks a story for matching the rule. Settings include:

    • Story Created - The Response Policy engine checks for a match to the rule when a new story is created. Existing stories that are updated aren't checked for matching the rule.

    • Story Created or Updated - The Response Policy engine checks for a match to the rule when a new story is created or when an existing story is updated. Updates can include changes to the Status, Analyst Verdict, Severity, and Targets of the story.

  • Response - Select the response for when the rule is matched. Responses can include generating an event and notifications defined by Subscription Group, Mailing List, or Webhook Integration.

Creating New Response Policy Rules

Create a new Response Policy rule and configure the rule's settings to define when a story notification is sent.


To create a new Response Policy rule:

  1. From the navigation menu, click Security > Detection & Response.

  2. Select the Response Policy tab.

  3. Click New. The Add to Response Policy panel opens.

  4. Enter a Name for the rule.

  5. In the Source section, select the type (for example: Host, IP Range, Site) and then select one or more objects for the story source for this rule (or you can enter an IP address).

    The default Source value is Any.

  6. (Optional) Define Criteria that specify the characteristics a story must have to match the rule.

  7. Select the Trigger for the rule.

  8. Select the Response. If you select Send Notification, then define the Subscription Group, Mailing List, or Integration to receive the notification.

  9. Click Save. The rule is added to the policy.

Cato Event and API Fields for XDR Story Events

The Events page shows all the XDR story events generated for your account. You can filter the page to show the events using the Event Type Detection and Response.

Below are the relevant fields for XDR story events. The eventsFeed query of the Cato API shows data for XDR stories in these fields for eventFieldName type.

API enum Value

Event Field



User Display Name



Analyst Verdict






Device Name



Event Count

For XDR Stories, events are not automatically aggregated, therefore the Event Count will usually have a value of 1.





Event Type

For XDR story events, the Event Type is Detection and Response.





Event Internal ID




The engine that generated the story. Possible values: Threat Prevention, Threat Hunting, Usage Anomaly, Events Anomaly, Microsoft Endpoint Alert.



Name of the Response Policy rule that generated the event.


Source IP



Source is Site or SDP User



Source Site






Story ID



Threat Name



Threat Type







Possible values: Microsoft (for Microsoft Endpoint Alert stories), Cato.



Story data that isn't included in the other event fields. This field is included in exported events, but isn't shown in the Events page.

Note: This field is exported as raw unparsed data, and may contain escape characters. This format is subject to change.

Was this article helpful?

0 out of 0 found this helpful


Add your comment