This article discusses how you can use the Stories Workbench to review XOps stories for Cato EPP alerts.
The Cato EPP solution integrates with Cato XOps to generate stories for endpoint devices. The endpoint stories help you get a more complete picture of potential threats in your network, and you can conduct investigations in a unified XOps platform extending into both the network and the endpoint.
The Cato Endpoint Alert engine creates a story by correlating data from all Cato EPP alerts that occurred on the same device within a 24-hour period. Cato Endpoint Alert stories include all relevant evidence detected by Cato EPP. The Stories Workbench shows the Cato EPP stories together with the other story types, and you can sort and filter the stories to focus on the Cato Endpoint Alert stories.
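The correlation rule above (one story per device, built from all EPP alerts on that device within a 24-hour period) is easy to misread when you later compare story counts with event counts. The following is an added illustration, not code from Cato or from this article: it groups a small set of constructed alert records into stories the same way. The page does not say how the 24-hour window is anchored, so the example assumes the window starts at the first alert of a story and that an alert landing outside that window opens a new story for the device; the device names, timestamps and evidence strings are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real Cato EPP data). Each record carries the
# device name, the detection time and a short description of the evidence.
SAMPLE_ALERTS = [
    {"device": "LAPTOP-01", "time": "2024-05-01T08:00:00", "evidence": "suspicious script execution"},
    {"device": "LAPTOP-02", "time": "2024-05-01T09:10:00", "evidence": "malware quarantined"},
    {"device": "LAPTOP-01", "time": "2024-05-01T15:30:00", "evidence": "credential dumping tool blocked"},
    {"device": "LAPTOP-01", "time": "2024-05-02T07:59:00", "evidence": "persistence via scheduled task"},
    {"device": "LAPTOP-01", "time": "2024-05-03T12:00:00", "evidence": "ransomware behaviour blocked"},
]

STORY_WINDOW = timedelta(hours=24)


def build_stories(alerts, window=STORY_WINDOW):
    """Group alerts into per-device stories.

    Assumption (not stated on the page): a story's window is anchored at the
    story's first alert, and an alert that falls at or beyond 24 hours from
    that anchor starts a new story for the same device.
    """
    by_device = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["time"]):
        rec = dict(alert)
        rec["ts"] = datetime.fromisoformat(alert["time"])
        by_device[alert["device"]].append(rec)

    stories = []
    for device, records in by_device.items():
        current = None
        for rec in records:
            # Open a new story when there is none yet for this device, or when
            # this alert is outside the window opened by the current story.
            if current is None or rec["ts"] - current["start"] >= window:
                current = {"device": device, "start": rec["ts"], "evidence": []}
                stories.append(current)
            current["evidence"].append(rec["evidence"])
    return stories


def stories_for_device(stories, device):
    """Filter stories the way you would in the Workbench: by device name."""
    return [s for s in stories if s["device"] == device]


if __name__ == "__main__":
    for story in build_stories(SAMPLE_ALERTS):
        print(story["device"], story["start"].isoformat(), len(story["evidence"]), "alerts")
```

With these inputs, LAPTOP-01 produces two stories (three alerts inside the first 24 hours, then a separate story for the alert a day later) and LAPTOP-02 one, so five alerts become three stories. When reconciling the Events page against the Stories Workbench, expect that kind of reduction rather than a one-to-one mapping.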
For more information on reviewing XOps stories, including data from Cato EPP, see Drilling-Down and Analyzing XOps Security Stories.
- If the Cato EPP agent is disconnected from the Internet for over 8 hours, XOps stories might not be created for some EPP events from that period. The EPP agent continues to detect and block threats while offline, and those events are still available in the Events page.
- Cato EPP XOps stories can take up to 4 hours to be visible on the Events page.
You can group and filter the stories according to the Cato Endpoint Alert story type to quickly find stories for endpoint devices. For more about grouping and filtering stories, see Reviewing Detection & Response XOps Stories in the Stories Workbench.