Generating an XDR Detections Report

This article describes how to generate Cato XDR Detections reports, which highlight the XDR stories created for your account and present insights about your account's overall security posture.

Note: Cato is gradually enabling the Scheduled reports feature on accounts over a period of several weeks. It is possible that Scheduled reports may not be available in the Cato Management Application for your account.

Overview

Cato provides Predefined Report templates that summarize data for all the XDR Security stories detected for your account, regardless of whether the stories were investigated. This lets you generate a report that highlights the comprehensive threat detection capabilities of Cato XDR for relevant stakeholders in the organization. The XDR Detections report includes data such as the total number of Security stories created with breakdown by Criticality, and the most common sites and indications of attack in XDR stories.

Create the template for the Scheduled or One-Time report and define the report time range. By default, the Predefined Report template for the XDR Detections report shows story data for the past week.

For more about working with Predefined Reports, see Cato Reports.

  • XDR Detections reports are available for XDR Core and XDR Pro customers

Known Limitations

XDR Detections reports do not support filtering by sites or SDP users. If any filters are configured, they will not be expressed in the report and it will show data for all sites and SDP users.


Creating a Scheduled XDR Detections Report

Create a new Scheduled report and define the Report Schedule, which defines how often the report is generated: daily, weekly, or monthly. Generated reports are stored in the Cato Cloud, and they can be automatically emailed or downloaded. The Report Schedule also defines the time range that is covered by each report. The time range starts at 00:00 UTC (inclusive) at the start of each period and ends at 00:00 UTC (non-inclusive) at the end of the period.

You can select the Mailing List of email addresses for the recipients; the list can include Cato Management Application admins and external users.

For more information about Mailing Lists, see Working with Mailing Lists.

To create a scheduled XDR Detections report:

  1. From the navigation pane, select Monitoring > Reports.

  2. From the Predefined Reports tab, click New > Scheduled report. The Scheduled Report panel opens.

  3. Enter the Report Name for the Predefined Report.

  4. In Type, select XDR Detections.

  5. In Report Schedule, configure these settings:

    1. Select the Frequency at which the report is automatically sent: Daily, Weekly, or Monthly.

    2. For Weekly and Monthly Scheduled reports, in Every, select the day that the report is sent.

  6. In Subscriptions, select the Mailing List that receives the report.

    You can click New to create a new mailing list.

  7. Click Save. The report template is added to the Predefined Reports tab.

Manually Generating a Scheduled Report

A new Scheduled report is generated based on the Report Schedule settings. For example, a weekly report configured for Monday is generated every Monday. You can also manually generate a Predefined Report; the generated report uses the same time range length, calculated from the current day. If an admin manually generates a weekly report on a Tuesday, the time range for the report is the previous 7 days starting from that Tuesday, regardless of the starting day of the Scheduled report.
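The time-range rules above (period windows bounded at 00:00 UTC, inclusive start and exclusive end, and the manual-generation case of the previous 7 days from the current day) are easy to get wrong when reconciling report totals against your own event queries. The following Python script is an added example, not Cato's code and not a Cato API; it computes the window for a given frequency and generation time, then counts constructed sample stories by the report's Criticality bands. The Monthly window (one calendar month back, clamped to the month's length), the helper names `at`, `report_window` and `summarize`, and the sample stories are this example's assumptions, not something the article states.

```python
import calendar
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def at(year, month, day, hour=0, minute=0, utc_offset_hours=0):
    """Build an aware datetime; offset 0 means UTC (helper for samples and checks)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime(year, month, day, hour, minute, tzinfo=tz)


def midnight_utc(when):
    """Return 00:00 UTC on the UTC calendar date of the aware datetime `when`."""
    when = when.astimezone(UTC)
    return datetime(when.year, when.month, when.day, tzinfo=UTC)


def one_month_before(day):
    """Same day of the previous month, clamped to that month's length (assumption)."""
    year, month = (day.year, day.month - 1) if day.month > 1 else (day.year - 1, 12)
    last_day = calendar.monthrange(year, month)[1]
    return day.replace(year=year, month=month, day=min(day.day, last_day))


def report_window(frequency, generated_at):
    """Return the (start, end) UTC window of a report generated at `generated_at`.

    start is inclusive and end is exclusive, both at 00:00 UTC, as the article
    describes. Daily and Weekly use the article's 1-day and 7-day periods;
    treating Monthly as one calendar month back is this example's assumption.
    """
    end = midnight_utc(generated_at)
    if frequency == "Daily":
        start = end - timedelta(days=1)
    elif frequency == "Weekly":
        start = end - timedelta(days=7)
    elif frequency == "Monthly":
        start = one_month_before(end)
    else:
        raise ValueError(f"unknown frequency: {frequency}")
    return start, end


def in_window(window, event_time):
    """True if `event_time` falls inside the half-open [start, end) window."""
    start, end = window
    return start <= event_time.astimezone(UTC) < end


def criticality_band(score):
    """Map a story Criticality (1-10) to the report's High/Medium/Low bands."""
    if 7 <= score <= 10:
        return "High"
    if 4 <= score <= 6:
        return "Medium"
    if 1 <= score <= 3:
        return "Low"
    raise ValueError(f"criticality out of range: {score}")


def summarize(stories, window):
    """Count stories created inside `window`, grouped by Criticality band."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for story in stories:
        if in_window(window, story["created"]):
            counts[criticality_band(story["criticality"])] += 1
    return counts


# Constructed sample stories (not real account data), chosen to sit on the
# window boundaries of a weekly report generated on Tuesday 2024-06-11.
SAMPLE_STORIES = [
    {"created": at(2024, 6, 4, 0, 0), "criticality": 8},     # exactly on start: in
    {"created": at(2024, 6, 7, 13, 0), "criticality": 5},    # mid-window: in
    {"created": at(2024, 6, 10, 23, 59), "criticality": 2},  # last minute: in
    {"created": at(2024, 6, 11, 0, 0), "criticality": 9},    # exactly on end: out
    {"created": at(2024, 6, 3, 23, 59), "criticality": 7},   # before start: out
]

if __name__ == "__main__":
    generated = at(2024, 6, 11, 9, 30)  # a Tuesday, report generated manually
    window = report_window("Weekly", generated)
    print("window:", window[0].isoformat(), "->", window[1].isoformat())
    print("stories by band:", summarize(SAMPLE_STORIES, window))
```

Note that `midnight_utc` converts the generation time to UTC before truncating: an admin who generates a report at 01:00 local time in a UTC+3 zone is still on the previous UTC date, so the window ends a day earlier than the local calendar suggests.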

To manually generate a Scheduled report:

  1. From the navigation pane, select Monitoring > Reports.

  2. From the Predefined Reports tab, find the Scheduled report and click Generate.

  3. From the Generated Reports tab, find the report and click Download.

Creating a One-Time XDR Detections Report

Create a new One-time report template, and define the Time Range that the report covers.

To create a One-Time XDR Detections report:

  1. From the navigation pane, select Monitoring > Reports.

  2. From the Predefined Reports tab, click New > One-time report. The One-time report panel opens.

  3. Enter the Report Name for the Predefined Report.

  4. In Type, select XDR Detections.

  5. Select the Time Range of the report.

    For a Custom range, select the start date (From) and the end date (To) for the Predefined Report.

    The time range dates follow UTC.

  6. Click Save. The report template is added to the Predefined Reports tab.

    You can also click Save & Generate; the report is then generated, and you can download it from the Generated Reports tab.

    For more about generating reports, see Cato Reports.

Understanding the XDR Detections Report

These are the sections in the XDR Detections report:

  • Executive Overview

    • Overall totals of events and stories for the selected time range, including:

      • All Events: The total number of events for the account

      • Security Events: The number of events generated by the Cato security engines enabled for the account

      • Stories Created: The total number of XDR stories that were generated for the account

      • High Criticality Stories: The number of created stories with a Criticality of 7 to 10

  • Created Stories by Criticality: Number of stories generated for the account with breakdown by Criticality

    • High - Stories with a Criticality of 7 to 10

    • Medium - Stories with a Criticality of 4 to 6

    • Low - Stories with a Criticality of 1 to 3

  • Created Stories by Site: Number of stories according to the site with the traffic that generated the story

  • Created Stories Over Time by Criticality: Graph showing the number of stories created over time, with a breakdown by Criticality. The graph shows 6 months of data

  • Top 5 MITRE Techniques: Top MITRE ATT&CK® techniques in stories created for the account. For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard

  • Top 5 Indications of Attack: Top indications of attack in stories created for the account. For more about indications, see Using the Indications Catalog

  • Stories Created by Engine Type: Number of stories generated for the account with breakdown by engine type. For more about the different XDR engines, see Using the Indications Catalog

  • Created Stories by Location: Top 10 locations by country associated with threats detected in stories for the account. Threat locations include the locations of targets and sources in stories. Therefore, a single story can be associated with multiple threat locations

  • General Security Posture:

    • Top Blocked Applications Internet Firewall: Top applications blocked by the Internet Firewall with the hit count

    • Top Blocked Categories Internet Firewall: Top categories blocked by the Internet Firewall with the hit count

    • Top Blocked Applications WAN Firewall: Top applications blocked by the WAN Firewall with the hit count

    • Top Blocked Categories WAN Firewall: Top categories blocked by the WAN Firewall with the hit count

    • IPS Events by Risk Level: Chart showing breakdown of IPS block events by risk level

    • Anti-Malware Block Events: Graph showing all the block events for the Anti-Malware service over the time range of the report

  • Created Stories

    This section lets you quickly review all the XDR stories created during the report time range.

    These are the table columns:

    • Link to Story: Click to open the drill-down page for the story in the Stories Workbench

    • Creation Date: Date the story was created

    • Story Duration: Time passed from the first traffic flow for the story until the story was closed, or until the time the report was generated

    • Indication: Indicator of attack for the story. For more about Indications, see Using the Indications Catalog

    • Type: The XDR engine that created the story

    • Criticality: The Criticality of the story

    • Site: The site on your network with the traffic that generated the story

    • Source: IP address, name of device, or SDP user on your network involved in the story

    • Status: The status of the story investigation at the time the report was generated. Possible values include: Open, Closed, Pending more info (including number of days pending)
