Muting Detection & Response (XDR) Stories (EA)

This article discusses how to create a rule that mutes Detection & Response (XDR) stories so that they do not appear on the Stories Workbench.

Note: Muting Network Stories is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.

Overview

The Detection & Response correlation engines analyze traffic data to find matches for potential threats or network degradation. If a match is identified, a story is generated in the Stories Workbench to help you understand and analyze the issue. If you do not want a story to be created for specific traffic or conditions, you can configure a Mute Stories rule. This reduces the number of false positive stories and helps you focus your analysis on actual potential threats or network issues. Stories can be muted for a specific time range or for an unlimited time.

You can mute stories created by these engines:

  • Threat Prevention

  • Threat Hunting

  • Network XDR

Note: For MDR customers, please contact  to define Mute Stories rules for your account.

Muting Threat Prevention and Threat Hunting Stories

You can define traffic from a trusted resource so that it is excluded from stories. For example, a user downloads a file for a legitimate business process, but the Anti-Malware engine marks the file as malicious.

With a Mute Stories rule for this traffic, no story is generated when the user downloads the file.

There are two ways to add Mute Stories rules for Threat Prevention and Threat Hunting Stories:

  • Create a rule in the Detection & Response page

  • Create a rule from a story in the Stories Workbench. This method is helpful when you notice specific traffic in a story that you know is benign

Muting Network Stories

You can mute stories generated by specific network issues. For example, if you know a local ISP has a planned outage, you can mute stories generated by the Site down indication for the period of the outage.

Stories are generated, but are filtered out of the Stories Workbench.

You can identify whether a story has been muted in the Muted column in the Incident Timeline of a story.

[Image: Muted column in the Incident Timeline of a story]

You can add Mute Stories rules for Network stories by creating a rule in the Detection & Response page.

Items in a Detection & Response Mute Stories Rule

The following table explains the items that you can use to define the settings for a Detection & Response Mute Stories rule. When you configure multiple objects in a setting, there is an OR relationship between them. For example, if there is a rule configured with sources including a Site and a User, the rule is applied when the traffic matches either the Site or the User.

Item

Description

Producer

The Detection & Response engine or engines the rule applies to. For more about these engines and the types of stories they detect, see Using the Indications Catalog.

Indication ID

The identifier for the indication used by the Detection & Response engines. Each Indication ID is associated with a Detection & Response engine query that identifies specific traffic parameters.

If you define an Indication ID, the rule only excludes traffic from stories generated by the specific engine query associated with that Indication ID.

If no Indication ID is defined, the traffic is excluded from all engine queries that match the rule settings.

For more about Indications, see Using the Indications Catalog.

Direction

(Threat Prevention and Threat Hunting Stories)

Define the direction of the traffic flow that the rule applies to. Directions include:

  • Inbound - Traffic to your network originating at an external source

  • Outbound - Traffic from your network to an external source

  • WANbound - Traffic from your network to another site on your network

  • All of the above

Time Frame

Select the time frame when the rule applies, or select Unlimited for the rule to continue to apply without expiration.

When an expiration date is set:

  • For Threat Prevention and Threat Hunting stories the rule expires at the beginning of that date, in the time zone configured in the user profile settings in the Cato Management Application.

  • For Network stories, you can select the time zone that the time frame applies to.

Setting an expiration date is a recommended best practice for maintaining an effective security posture.

Source

Source of the traffic for this rule.

You can select one or more of the following Source types:

Threat Prevention and Threat Hunting Stories:

  • Site

  • IP

  • IP Range

  • User

  • Any

Network stories:

  • Site

  • Network Interface

  • Any

Device

(Threat Prevention and Threat Hunting Stories)

The type of device the rule applies to, defined by operating system.

Destination

(Threat Prevention and Threat Hunting Stories)

Destination of the traffic for this rule.

You can select one or more of the following Destination types:

  • IP

  • URL

  • Domain

  • FQDN

  • Application

  • Any

In addition to the above settings, the following information is shown for each Mute Stories rule:

  • Author - The user who created the rule.

  • Created At - Date the rule was created.
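To make the matching semantics described above concrete (objects inside one setting are ORed, settings are ANDed, a missing Indication ID covers all engine queries, and a Threat Prevention or Threat Hunting rule expires at the beginning of its expiration date), here is an added example in Python that models rule evaluation. It is not Cato's code; the rule objects, the "type:value" naming of sources and targets, the sample stories, and the UTC profile time zone are all assumptions.

```python
"""Added example (not Cato's code): evaluates a Mute Stories rule as described above.
Objects in one setting are ORed, settings are ANDed, an empty setting means Any, and
the rule expires at the start of its expiration date (profile time zone assumed UTC)."""
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

@dataclass
class MuteRule:
    producers: set                                  # engines the rule covers
    sources: set = field(default_factory=set)       # ORed; empty == Any
    destinations: set = field(default_factory=set)  # ORed; empty == Any
    directions: set = field(default_factory=set)    # empty == all directions
    indication_id: Optional[str] = None             # None == all engine queries
    expires_on: Optional[date] = None               # None == Unlimited

def _setting_matches(configured: set, observed: set) -> bool:
    # OR relationship: any one configured object present in the story is enough
    return not configured or bool(configured & observed)

def is_expired(rule: MuteRule, now: datetime) -> bool:
    if rule.expires_on is None:
        return False
    cutoff = datetime.combine(rule.expires_on, datetime.min.time(), tzinfo=timezone.utc)
    return now >= cutoff  # the rule stops applying at the beginning of that date

def is_muted(story: dict, rule: MuteRule, now: datetime) -> bool:
    if is_expired(rule, now) or story["producer"] not in rule.producers:
        return False
    if rule.indication_id and story["indication_id"] != rule.indication_id:
        return False
    return (_setting_matches(rule.directions, {story["direction"]})
            and _setting_matches(rule.sources, story["sources"])
            and _setting_matches(rule.destinations, story["targets"]))

# Constructed rule: mute the download story when the source is Site NYC OR user alice
TRUSTED_DOWNLOAD = MuteRule(producers={"Threat Prevention"},
                            sources={"site:NYC", "user:alice"},
                            destinations={"domain:files.example.com"},
                            directions={"Outbound"}, expires_on=date(2024, 7, 1))
# Constructed sample stories; object names use an assumed "type:value" convention
_BASE = {"producer": "Threat Prevention", "indication_id": "IND-SAMPLE",
         "direction": "Outbound", "targets": {"domain:files.example.com"}}
SAMPLE_STORIES = {"site_only": {**_BASE, "sources": {"site:NYC"}},
                  "user_only": {**_BASE, "sources": {"site:LON", "user:alice"}},
                  "other_user": {**_BASE, "sources": {"site:LON", "user:bob"}}}

def mute_decisions(now_iso: str) -> dict:
    """Return {story name: muted?} for the constructed stories at the given time."""
    now = datetime.fromisoformat(now_iso)
    return {n: is_muted(s, TRUSTED_DOWNLOAD, now) for n, s in SAMPLE_STORIES.items()}
```

Calling `mute_decisions("2024-06-30T23:59:00+00:00")` mutes both the Site-only and the user-only stories (either object satisfies the Source setting), while a minute later, at the start of the expiration date, nothing is muted.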

Showing the Detection & Response Mute Stories Rulebase

To show the Detection & Response Mute Stories rulebase:

  1. From the navigation menu, click Security > Detection & Response.

[Image: Detection & Response page showing the Mute Stories rulebase]

Creating a Mute Stories Rule in the Detection & Response Page

Add a new Mute Stories rule and configure the settings that define the traffic to be disregarded by the Detection & Response engines.

[Image: Add to Mute Stories panel]

To create a Detection & Response Mute Stories rule:

  1. From the navigation menu, click Security > Detection & Response.

  2. Select the Mute Stories tab.

  3. Click New. The Add to Mute Stories panel opens.

  4. Configure the settings for the rule as described above.

  5. Click Save. The rule is added to the Mute Stories rulebase.

Creating a Mute Stories Rule from a Story

Note: This is only supported for Threat Prevention and Threat Hunting Stories.

View the story drill-down in the Stories Workbench and use the Story Actions panel to create a Mute Stories rule.

The following rule settings are autofilled based on data from the story:

  • Direction

  • Source

    • If the story contains multiple types of data for the source, they are all added in the Source setting. For example, if the story identified an IP and Site for a source, then both an IP and Site are autofilled in the Source section for the rule.

  • Destination - Autofilled based on the story Targets

    • If the story identified multiple Targets, they are all added in the Destination setting

To create a Mute Stories rule from a story:

  1. From the navigation menu, click Monitoring > Stories Workbench.

  2. Click the story to open the drill-down page for the story.

  3. Click the More icon to open the Story Actions panel.

  4. Click Add to New Mute Stories. The Add to New Mute Stories Rule panel opens.

    [Image: Add to New Mute Stories Rule panel opened from a story]

  5. Configure the settings for the rule as described above.

  6. Click Save. The rule is added to the Mute Stories rulebase.

  7. To show the Detection & Response Mute Stories rulebase, from the navigation menu click Security > Detection & Response.
