This article explains how to use the XDR Stories Workbench and story drill-down page to analyze XDR stories for anomalous behavior detected by the Usage Anomaly and Events Anomaly engines.
For more about using the Stories Workbench, see Reviewing Detection & Response (XDR) Stories in the Stories Workbench.
Cato's XDR service detects anomalous activity based on User and Entity Behavior Analytics (UEBA), which may indicate a security threat. The Usage Anomaly and Events Anomaly engines monitor and analyze network traffic to identify unusual behavior that could be a sign of compromised accounts, insider threats, or advanced attacks. These engines use machine learning and statistical modeling, trained on your network traffic, to build baseline behavior models for the users and entities in your account. Based on these models, the engines can identify various types of anomalies.
These are brief descriptions of the XDR UEBA anomaly engines and the types of anomalies they identify:
- Usage Anomaly - Identifies anomalies related to unusual usage of applications. For example, a user uploads more data to an application than usual
- Events Anomaly - Detects anomalies that involve an entity on the network triggering an unusual number of security events. For example, a site on the network triggers significantly more Internet Firewall block events than usual
When the XDR UEBA anomaly engines generate a story, you can review it in the Stories Workbench and drill down for further analysis of the story data.
Click a Usage Anomaly or Events Anomaly story in the Stories Workbench to drill down and investigate its details on a separate page. This page contains a number of widgets that help you evaluate the potential threat.
Click a Security story in the Stories Workbench page to show the details for the UEBA story.
The Stories Workbench drill-down includes a tool that generates a natural-language story description using AI, which provides rich context and helps you quickly assess the story. The story summary is generated dynamically to reflect the current state of the story. If the story is updated with new information, you can regenerate the summary to reflect the changes.
- The AI story summary is generated only on demand by an admin
To protect story data while it is transmitted to third-party AI services, Cato uses tokenization so that all sensitive data remains in the Cato XDR platform. Sensitive information is replaced with unique identifiers, or "tokens," which are meaningless to unauthorized entities, and the sensitive data itself is never exposed to the third-party service. This approach preserves the confidentiality of the story's details, in line with our commitment to robust data privacy and security standards.
Note: Due to the limitations of generative AI, the information provided in story summaries may occasionally contain inaccuracies.
These are the widgets for a Usage Anomaly or Events Anomaly story:

Item | Name | Description
---|---|---
1 | Story summary | A summary of basic information about the story, including:
2 | Story timeline | Shows a timeline of the story, such as changes made to the story verdict and severity, and when the status is updated
3 | Details | Basic details about the story, including:
4 | Anomaly Distribution | Graph of the anomalous behavior for the last 14 days. For Usage Anomaly stories, the graph shows data for the relevant apps. For Events Anomaly stories, the graph shows data for the relevant events.
5 | Source | Basic information about the device in your network associated with the anomaly
6 | Top Applications | Top applications related to the anomaly, with relevant details. For example, an app for an upstream bandwidth anomaly appears with the total amount uploaded from the app
7 | Top Servers/Destinations | Top servers and destinations involved in the anomaly, with relevant details. For example, a server for an upstream bandwidth anomaly appears with the total amount uploaded to the server
8 | Top Hosts | Top hosts related to the anomaly, with relevant details. For example: Click View All to open the Application Analytics screen and show the hosts pre-filtered for the apps related to the anomaly
9 | Targets | Shows data for the potentially malicious sources outside your network site related to the story. These are descriptions of the target table columns:
10 | Top Connections | Data for the top connections related to the anomaly. For example, for an SDP User Upstream Bandwidth Anomaly, the connections with the most upload bandwidth used. These are descriptions of the table columns: