Analyzing XDR UEBA Stories for Usage and Events Anomalies

This article explains how to use the XDR Stories Workbench and story drill-down page to analyze stories for anomalous behavior detected by the Usage Anomaly and Events Anomaly engines.

For more about using the Stories Workbench, see Reviewing Detection & Response Stories for Your Account.

Overview

Cato's XDR service detects anomalous activities based on User and Entity Behavior Analytics (UEBA), which may indicate a security threat. The Usage Anomaly and Events Anomaly engines monitor and analyze network traffic to identify unusual behaviors that could be signs of compromised accounts, insider threats, and advanced attacks. These engines incorporate machine learning and statistical modeling techniques with training on network traffic to build baseline behavior models for the users and entities in your account. Based on these models, the engines can identify various types of anomalies.

These are brief descriptions of the XDR UEBA anomaly engines and the types of anomalies they identify:

  • Usage Anomaly - Identifies anomalies related to unusual usage in applications. For example, a user uploads more data to an application than usual

  • Events Anomaly - Detects anomalies that involve an entity on the network triggering an unusual number of security events. For example, a site on the network triggers significantly more Internet Firewall block events than usual
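
The following is an added illustrative example of the kind of per-entity statistical baseline that a UEBA engine can use to flag "more than usual" behaviour, covering both anomaly types described above: a user's daily upload volume (Usage Anomaly) and a site's daily Internet Firewall block count (Events Anomaly). It is not Cato's code and does not describe how the XDR engines are actually implemented; the 14-day sample data, the 3-sigma threshold and the MIN_TRAIN_DAYS guard are assumptions constructed for the example.

```python
# Added illustrative example: a per-entity statistical baseline of the kind a UEBA
# engine could use to flag "more than usual" usage or event counts. This is NOT
# Cato's algorithm; the data and thresholds below are constructed for the example.
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional, Sequence

MIN_TRAIN_DAYS = 7  # assumption: refuse to score an entity whose baseline is this thin


@dataclass
class Verdict:
    baseline_mean: float
    baseline_std: float
    z_score: float
    anomalous: bool


def score_observation(train: Sequence[float], observed: float,
                      z_threshold: float = 3.0) -> Optional[Verdict]:
    """Score one day's value for an entity against its training period.

    Only upward deviations are flagged, matching the examples in the text
    (more uploads than usual, more block events than usual).
    Returns None when the train period is too short to trust.
    """
    if len(train) < MIN_TRAIN_DAYS:
        return None
    mu = mean(train)
    sigma = pstdev(train)
    if sigma == 0.0:
        # Constant baseline: any increase is infinitely unusual; no increase is normal.
        z = float("inf") if observed > mu else 0.0
    else:
        z = (observed - mu) / sigma
    return Verdict(mu, sigma, z, z >= z_threshold)


def score_window(train: Sequence[float], recent: Sequence[float],
                 z_threshold: float = 3.0) -> List[Optional[Verdict]]:
    """Score each day of a recent window (for example the last 14 days shown in an
    Anomaly Distribution graph) against the same frozen baseline."""
    return [score_observation(train, v, z_threshold) for v in recent]


# Constructed training data: daily upload volume (MB) for one SDP user, and daily
# Internet Firewall block-event counts for one site, over a 14-day train period.
USER_UPLOAD_MB = [120.0, 130.0, 125.0, 118.0, 135.0, 128.0, 122.0,
                  131.0, 127.0, 119.0, 133.0, 124.0, 129.0, 126.0]
SITE_FW_BLOCKS = [8.0, 11.0, 9.0, 7.0, 10.0, 8.0, 12.0,
                  9.0, 8.0, 10.0, 11.0, 7.0, 9.0, 8.0]


if __name__ == "__main__":
    for label, train, today in (("user upload MB", USER_UPLOAD_MB, 4200.0),
                                ("site FW blocks", SITE_FW_BLOCKS, 140.0)):
        v = score_observation(train, today)
        print(f"{label}: today={today} z={v.z_score:.1f} anomalous={v.anomalous}")
```

The baseline is frozen at the end of the train period and every recent day is scored against it, so one anomalous day does not inflate the baseline and hide the next one; a production engine would also handle weekly seasonality and per-application baselines, which this example leaves out.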

When the XDR UEBA anomaly engines generate a story, you can review it in the Stories Workbench and drill down for further analysis of the story data.

Prerequisites

  • Usage Anomaly and Events Anomaly stories are available only for XDR Pro and MDR customers. For more about purchasing an XDR Pro license, or subscribing to the MDR service, please contact your Cato representative.

Drilling Down and Analyzing UEBA Anomaly Stories

You can click a Usage Anomaly or Events Anomaly story in the Stories Workbench to drill down and investigate its details on a separate page. This page contains a number of widgets that help you evaluate the potential threat.

Generating AI Story Summaries

The Stories Workbench drill-down includes a tool that lets you create a natural language story description generated by AI, which provides rich context and helps you quickly assess the story. The story summary is generated dynamically to reflect the current state of the story. If the story updates with new information, you can regenerate the summary to reflect the changes.

  • The AI story summary is generated only on-demand by the admin

Protecting Sensitive Data with Tokenization

For robust data security during the transmission of story data to third-party AI services, Cato uses tokenization to ensure all sensitive data remains in the Cato XDR platform. This involves replacing sensitive information with unique identifiers, or "tokens," rendering the data meaningless to unauthorized entities. Sensitive data is never exposed to third-party services. This approach ensures the confidentiality of the story's details, aligning with our commitment to robust data privacy and security standards.
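
The following is an added illustrative example of the tokenization pattern described above: sensitive values in the story text are swapped for opaque tokens before the text is sent to an external service, the mapping stays local, and the tokens are restored in the returned summary. It is not Cato's implementation; the sensitive-field patterns, the token format and the sample story text are constructed for the example.

```python
# Added illustrative example of tokenizing a story before it leaves the platform
# and restoring the values locally afterwards. This is NOT Cato's implementation;
# the patterns, token format and sample story are constructed for the example.
import re
import secrets
from typing import Callable, Dict, List, Tuple

# Field types the example treats as sensitive (constructed list).
SENSITIVE_PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "HOST": re.compile(r"\b[A-Za-z0-9-]+\.(?:corp|internal|local)\b"),
}


def tokenize(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each sensitive value with an opaque token.

    Returns the tokenized text and a vault mapping token -> original value.
    The vault never leaves the local side; the same value always gets the
    same token so the summary stays coherent across repeated mentions.
    """
    vault: Dict[str, str] = {}
    token_for: Dict[str, str] = {}

    def make_sub(kind: str) -> Callable:
        def _sub(m) -> str:
            value = m.group(0)
            if value not in token_for:
                # Random token: nothing about the value can be recovered from it.
                token = f"<{kind}_{secrets.token_hex(4)}>"
                token_for[value] = token
                vault[token] = value
            return token_for[value]
        return _sub

    out = text
    for kind, pattern in SENSITIVE_PATTERNS.items():
        out = pattern.sub(make_sub(kind), out)
    return out, vault


def detokenize(text: str, vault: Dict[str, str]) -> str:
    """Restore original values in text returned by the external service."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text


def leaked_values(text: str, vault: Dict[str, str]) -> List[str]:
    """Original values that still appear in text bound for a third party."""
    return [v for v in vault.values() if v in text]


def summarize_with_external(story: str, external_call: Callable[[str], str]) -> str:
    """Tokenize, send only the tokenized text, then restore tokens locally.

    Fails closed: if a sensitive value survived tokenization, nothing is sent.
    """
    tokenized, vault = tokenize(story)
    if leaked_values(tokenized, vault):
        raise ValueError("sensitive value survived tokenization; refusing to send")
    reply = external_call(tokenized)
    return detokenize(reply, vault)


# Constructed story text for the example.
STORY = ("User alice@corp.example.com on host fin-laptop-07.corp (10.20.30.40) "
         "uploaded 4.2 GB to an external service; 10.20.30.40 also contacted 203.0.113.9.")

if __name__ == "__main__":
    tokenized, vault = tokenize(STORY)
    print("sent to AI service:", tokenized)
    print("restored locally:  ", detokenize(tokenized, vault))
```

The tokens are random rather than derived from the value (a hash of an IP address or e-mail can be reversed by brute force over a small input space), and the outbound text is re-checked against the vault so that a gap in the patterns fails closed instead of leaking.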

Note: Due to the limitations of generative AI, the information provided in story summaries may occasionally contain inaccuracies.

Understanding the UEBA Anomaly Widgets

[Figure: Detection & Response anomaly story drill-down page with numbered callouts for the widgets described below]

These are the widgets for a Usage Anomaly or Events Anomaly story, numbered as in the callouts (item number and widget name, followed by a description):

1. Story summary

A summary of basic information about the story, including:

  • Anomaly name

  • Indication for the detected attack

  • The Detection & Response engine that produced the story

  • Severity of the threat as determined by the analyst

  • Verdict for the threat as determined by the analyst

  • Attack type

  • Detailed classification of the threat as determined by the analyst

  • Story status

2. Story timeline

Shows a timeline of the story, such as changes made to the story verdict and severity, and when the status is updated

3. Details

Basic details about the story, including:

  • A threat description and summary

    • Click Generate AI Summary for a natural language story description that provides rich context and helps you quickly assess the story

  • First Signal - Time of the first signal (traffic flow) associated with the anomaly

  • Creation Date - Time the story was generated

  • Last Updated - Time of the latest story update, such as a new target or changed verdict

  • Criticality - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm; values range from 1 (least critical) to 10 (most critical)

  • Train Period - The period over which the machine learning model was trained to build the baseline used to determine anomalous behavior

  • Indication ID - The identifier for the indication used by the XDR engines. You can use the ID to look up the indication in the Indications Catalog

  • MITRE Tags - MITRE ATT&CK® techniques identified for the threat. For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.

    • Click a MITRE ATT&CK® technique to read its description on the MITRE ATT&CK® website

  • Predicted Verdict and Predicted Type - Machine learning predictions for the probable verdict and the potential malware type that you may identify. The machine learning algorithms analyze the final verdicts of similar stories

  • Similar Stories - Shows stories with similar Targets. Details shown for each story include: story threat type, story verdict (if available), and the level of similarity as calculated by a machine learning model (indicated by a percentage). Hover the mouse over the story to show a more detailed classification of the threat

4. Anomaly Distribution

Graph of the anomalous behavior for the last 14 days. For Usage Anomaly stories, the graph shows data for the relevant apps. For Events Anomaly stories, the graph shows data for relevant events.

  • To show the anomaly details, hover the mouse over the graph

  • To more closely investigate the different apps or events detected in the anomaly, click the toggle button of an app or event to turn its graph on or off.

  • Click View All to open the Application Analytics screen pre-filtered for the apps related to the anomaly

5. Source

Basic information about the device in your network associated with the anomaly

6. Top Applications

Top applications related to the anomaly, with relevant details. For example, an app for an upstream bandwidth anomaly appears with the total upload amount from the app

  • Click View All to open the Application Analytics screen pre-filtered for the apps related to the anomaly

7. Top Servers/Destinations

Top servers and destinations involved in the anomaly, with relevant details. For example, a server for an upstream bandwidth anomaly appears with the total upload amount to the server

  • Click View All to open the Application Analytics screen and show the destinations pre-filtered for the apps related to the anomaly

8. Top Hosts

Top hosts related to the anomaly, with relevant details. For example:

  • A host for an upstream bandwidth anomaly appears with the number of uploads from the host

  • Hosts for an anomaly in a user's behavior show the IP addresses for the user in connections related to the anomaly

  • Click View All to open the Application Analytics screen and show the hosts pre-filtered for the apps related to the anomaly

9. Targets

Shows data for the potentially malicious sources outside your network that are related to the story.

These are descriptions of the target table columns:

  • Target - Domains or IP addresses of external sources identified in traffic flows related to the story

  • Creation Date - Registration date of the target domain

  • Target Links - Links to look up the target in various external threat intelligence sources. For additional information, click the VirusTotal icon, or select other resources from the drop-down menu.

  • Malicious Score - The malicious score of the target according to Cato threat intelligence algorithms. Scores range from 0 (benign) to 1 (malicious)

  • Popularity - How often the target appears in Cato internal data sources. Values are: Unpopular, Low, Medium, High

  • Categories - Cato categories for the target domain

  • Threat Feeds - Number of Cato threat intelligence sources that detected the target as malicious

  • Engines - Number of third party security engines that detected the target as malicious

  • Registrant Country - Country where the target domain is registered

  • Google Search Hits - Number of Google search results for the target

10. Top Connections

Data for the top connections related to the anomaly. For example, for an SDP User Upstream Bandwidth Anomaly, the connections with the most upload bandwidth used.

These are descriptions of the table columns:

  • Application - The application detected in the traffic flow for the connection

  • Source IP - Source IP address in your network sending or receiving the flow

  • Destination - IP address or domain of the external target sending or receiving the flow

  • Flows - Number of flows associated with the connection

  • Download - Download bandwidth usage

  • Upload - Upload bandwidth usage

  • Usage - Total bandwidth usage
