Reviewing XDR Stories for Cato Endpoint Protection (EPP) Alerts

This article discusses how you can use the Stories Workbench to review XDR stories for Cato EPP alerts.

Overview of Cato Endpoint Alert Stories

Cato Detection & Response (XDR) is an additional layer of security that creates stories for threats, and shows the story data in the Stories Workbench. The Cato EPP solution integrates with Cato XDR to generate stories for endpoint devices. The endpoint stories help you get a more complete picture of potential threats in your network, and you can conduct investigations in a unified XDR platform extending into both the network and the endpoint.

The Cato Endpoint Alert engine creates a story by correlating data from all Cato EPP alerts that occurred on the same device within a 24-hour period. Cato Endpoint Alert stories include all relevant evidence detected by Cato EPP. The Stories Workbench shows the Cato EPP stories together with the other story types, and you can sort and filter the stories to focus on the Cato Endpoint Alert stories.

Known Limitations

  • If the Cato EPP agent is disconnected from the Internet for over 8 hours, it's possible that XDR stories won't be created for some EPP events from that period. However, the EPP agent continues to detect and block threats, and the events will be available in the Events page.

Showing the Stories Workbench Page

Detection_Response_Workbench_Endpoint.png

The Stories Workbench page shows a summary of the stories for the potential threats in your account.

To show the Stories Workbench page:

  • From the navigation menu, click Monitoring> Stories Workbench.

For information about the columns in the Stories Workbench see Reviewing Detection & Response Stories for Your Account

Showing the Cato Endpoint Alert Stories

You can group and filter the stories according to the Cato Endpoint Alert story type to quickly find stories for endpoint devices. For more about grouping and filtering stories, see Reviewing Detection & Response Stories for Your Account.

Drilling-Down and Analyzing Endpoint Alert Stories

You can click on a story in the Stories Workbench to drill-down and investigate the details in a different page. This page contains a number of widgets that help you evaluate the potential threat identified in the story.

When you drill-down to investigate an Endpoint Alert story, you can review all the EPP Alerts that the story is based on, and examine in detail the pieces of evidence that relate to each Alert. The Evidences include processes, files, and registry values, and can be reviewed in two different ways:

  • A chronological process tree presented in the context of a specific Alert - This helps you understand the sequence of events that looked suspicious and generated the Alert

  • The Evidences table - Provides an overview of the Evidences from all the Endpoint Alert stories. This helps to assess more broadly the prevalence of specific malicious or suspicious activities on the endpoint device

Understanding the Endpoint Alert Story Drill-Down Widgets

Detection___Response_CatoEPP_callouts.png

These are the story drill-down widgets:

Item

Name

Description

1

Story summary

A summary of basic information about the story, including:

  • Indication for the detected attack

  • The Detection & Response engine that produced the story

  • Severity of the threat as determined by analyst

  • Verdict for the threat as determined by analyst

  • Attack type (for example, Browser Extension, Native Application, Scanner, Web App)

  • Detailed classification of the threat as determined by analyst (for example, Port Scan, Newly Registered Domain, SMB Scan)

  • Number of compromised devices

  • Number of signals (traffic flows) associated with the attack

  • Duration of the story since it was created

  • Story status

Click More_icon.png to open the Story Actions panel and change story settings such as Analyst Verdict, Analyst Severity, Status, and Classification.

2

Story timeline

Shows a timeline of the story, such as changes made to the story verdict and severity, and when new Alerts are added to the story

3

Details

Basic information for analyzing the story, including:

  • Criticality - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values are from 1 (least critical) to 10 (most critical))

  • Created At - Time the story was generated

  • Updated At - Time of the latest story update, such as a new alert or changed verdict

4

Device

Name, operating system, and MAC address for the endpoint device associated with the story

5

User

Shows the user name and domain name for the user logged into the endpoint device

6

Alerts

Shows details for the Alerts related to the story.

  • Expand an Alert to show a chronological process tree for the Evidences related to the Alert, including processes and files

  • Click an item in the process tree to drill-down further and show granular data about the Evidence

These are the columns in the Alerts table:

  • An Alert Name that describes the suspicious activity

  • Criticality - Overall risk score for the Alert as calculated by Cato's machine learning risk analysis algorithm (values are from 1 - 10)

  • MITRE Techniques - MITRE ATT&CK® techniques identified for the threat

    For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

  • Status - Shows the remediation status for the Alert

  • Alert Time - Date of the initial suspicious activity detected for the Alert

  • Threat Name - Name of malware detected. For example: Trojan:Win32/Startpage

  • Description & Recommended Actions - Click View for a brief Alert description

7

Evidences

Aggregates details for all the Processes and Files identified in the evidence for the various story Alerts.

Some of the columns in the Evidences table are shared by all the types of Evidences, and some are specific per type.

These are the columns that appear for all types of Evidences:

  • Remediation Status - Shows whether the threat was remediated

  • Detection Time - Date and time when the event was detected by Cato EPP

These are the specific columns for each type of Evidence:

  • Processes:

    • Process Name - Name of the executable file for the process

    • Process ID - Windows-assigned ID number for the process

    • Process Command Line - Arguments that were passed to the process in Windows. This can reveal important context about the execution of a suspicious process

    • File Path - Location on the endpoint device of the executable file for the process

  • Files:

    • File Path - Location of the file on the endpoint device

    • File Name - Name of the file including extension

    • File Size - Size of the file in bytes, kilobytes, or megabytes

Was this article helpful?

0 out of 0 found this helpful

0 comments

Add your comment