Drilling-Down and Analyzing XOps Security Stories

This article discusses how you can use the Detection & Response Story page to analyze stories for potential threats in your account.

Overview

You can click on a story in the Stories Workbench to drill-down and investigate the details in the Detection & Response Story page. This page contains an Overview of the story and a summary of Related Stories. The Overview contains a number of widgets that help you evaluate the potential threat identified by the XOps engines, while the Related Stories summary helps you put the story in broader context for analysis.

Generating AI Story Summaries

The Stories Workbench drill-down includes a tool that lets you create a natural language story description generated by AI, which provides rich context and helps you quickly assess the story. The story summary is generated dynamically to reflect the current state of the story. If the story updates with new information, you can regenerate the summary to reflect the changes.

  • The AI story summary is generated only on-demand by the admin

Protecting Sensitive Data with Tokenization

For robust data security during the transmission of story data to third-party AI services, Cato uses tokenization to ensure all sensitive data remains in the Cato XOps platform. This involves replacing sensitive information with unique identifiers, or "tokens," rendering the data meaningless to unauthorized entities. Sensitive data is never exposed to third-party services. This approach ensures the confidentiality of the story's details, aligning with our commitment to robust data privacy and security standards.
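The tokenization flow described above, as an added example that is not Cato's implementation: sensitive story fields are swapped for random tokens in a vault that never leaves the platform, a guard checks that no raw value is in the outbound payload, and the summary returned by the (mock) AI service is detokenized locally. The field list, the token format, the story record and the mock summarizer are assumptions constructed for the example.

```python
"""Reversible tokenization of sensitive story fields before text is sent to an
external AI summarizer. Added example, not Cato's implementation: the field
names, the token format and the mock summarizer are assumptions."""
import re
import secrets

# Fields treated as sensitive for this example (assumed list).
SENSITIVE_FIELDS = ("user", "source_ip", "device", "target")

# Constructed story record used as sample input.
STORY = {
    "user": "alice@example.com",
    "source_ip": "10.0.0.5",
    "device": "LAPTOP-42",
    "target": "evil.example.test",
    "indication": "Newly Registered Domain",
}

TOKEN_RE = re.compile(r"<TOK_[0-9a-f]{8}>")


class TokenVault:
    """Maps sensitive values to opaque tokens and back. The vault stays inside the platform."""

    def __init__(self):
        self._to_token = {}
        self._to_value = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so references in the summary stay consistent.
        if value not in self._to_token:
            token = f"<TOK_{secrets.token_hex(4)}>"  # random, so the token reveals nothing about the value
            self._to_token[value] = token
            self._to_value[token] = value
        return self._to_token[value]

    def detokenize(self, text):
        # Restore original values wherever a known token appears in text returned by the service.
        return TOKEN_RE.sub(lambda m: self._to_value.get(m.group(0), m.group(0)), text)


def tokenize_story(story, vault):
    """Return a copy of the story with every sensitive field replaced by a token."""
    safe = dict(story)
    for field in SENSITIVE_FIELDS:
        if field in safe:
            safe[field] = vault.tokenize(safe[field])
    return safe


def check_no_leak(story, safe):
    """Guard before transmission: no raw sensitive value may appear in the outbound payload."""
    outbound = " ".join(str(v) for v in safe.values())
    leaked = [f for f in SENSITIVE_FIELDS if f in story and str(story[f]) in outbound]
    if leaked:
        raise ValueError(f"sensitive fields would leave the platform: {leaked}")


def mock_ai_summary(safe_story):
    """Stand-in for the third-party service; it only ever sees tokens."""
    return (f"Source {safe_story['source_ip']} ({safe_story['user']}) contacted "
            f"{safe_story['target']} with indication '{safe_story['indication']}'.")


def summarize(story):
    """Tokenize, send to the (mock) service, then detokenize the returned summary locally."""
    vault = TokenVault()
    safe = tokenize_story(story, vault)
    check_no_leak(story, safe)
    return vault.detokenize(mock_ai_summary(safe))


if __name__ == "__main__":
    print(summarize(STORY))
```

Because tokens are random rather than derived from the value, two stories with the same user get unrelated tokens, so the external service cannot correlate them; the vault is per request and is discarded once the summary is restored.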

Note: Due to the limitations of generative AI, the information provided in story summaries may occasionally contain inaccuracies.

Drilling-Down and Analyzing Stories

A Detection and Response Story includes widgets for evaluating the identified threat. Within the Story, you can review the relevant alerts and supporting evidence like processes, files, registry values, scheduled tasks, and network activity. This evidence is presented in either:

  • A chronological process tree presented in the context of a specific Alert. This helps you understand the sequence of events that looked suspicious and generated the Alert.

    Note: This may be unavailable on some stories due to API connectivity issues.

  • The Evidences table providing an overview of the Evidences for the story. This helps to assess more broadly the prevalence of specific malicious or suspicious activities on the endpoint device.

Understanding the Story Overview Widgets

(Image: Detection & Response Story Overview page)

These are the story Overview widgets:

Note: Not every widget is included in every story. The widgets in each story depend on the story type and the data available.


Story summary

The Overview shows a summary of basic information about the story, including:

  • Indication for the detected attack

  • The Detection & Response engine that created the story

  • Severity of the threat as determined by analyst

  • Verdict for the threat as determined by analyst

  • Attack type (for example, Browser Extension, Native Application, Scanner, Web App)

  • Detailed classification of the threat as determined by analyst (for example, Port Scan, Newly Registered Domain, SMB Scan)

  • Number of compromised devices

  • Number of signals (traffic flows) associated with the attack

  • Duration of the story since it was created

  • Story status

    Use the Actions drop-down menu and select Manage Story to change story settings such as Analyst Verdict, Analyst Severity, Status, and Classification.

    The Related Stories tab provides context for the story you're investigating by letting you quickly review stories with the same source and stories with similar characteristics involving different sources on your network.

    Story timeline

    Shows a timeline of the story, such as changes made to the story verdict and severity, and when new targets related to the story are identified

    Details

    Key information for analyzing the story, including a threat description, and MITRE ATT&CK® techniques identified for the threat.

    • Click Generate AI Summary for a natural language story description that provides rich context and helps you quickly assess the story

    Other details include:

    • Criticality - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values are from 1 - 10)

      This machine learning model, known as a random forest, calculates criticality by analyzing specific parameters from threat intelligence (TI) and data generated from network flows and events.

      A random forest is a type of ML model that combines the results of many smaller “decision trees” to improve accuracy and reliability. It’s especially useful for evaluating complex, multi-factor data like security threats.

      To assess criticality, the model considers important factors such as:

      • OS type

      • Domain popularity within Cato

      • Client classification

      • Security engine type creating the events (if relevant)

      • Action taken (block, monitor, etc.)

      • MITRE techniques

      • IP location

      • WHOIS data

      In total, the model evaluates over 40 parameters to ensure a comprehensive and accurate assessment of Story criticality.

    • Predicted Verdict and Predicted Type - Machine learning predictions of the probable verdict and the potential malware type that you may identify. The machine learning algorithms analyze the final verdicts of similar stories.

    For more about the MITRE ATT&CK® framework, see Using the MITRE ATT&CK® Dashboard.

    • Click a MITRE ATT&CK® technique to read its description on the MITRE ATT&CK® website

    Source

    Basic information about the user and devices in your network impacted by the threat

    Alerts/Incidents/Detections

    Shows details for the Alerts related to the story.

    • Expand an Alert to show a chronological process tree for the Evidences related to the Alert, including processes, files, and registry values

    • Click an item in the process tree to drill-down further and show granular data about the Evidence

    These are the columns in the table:

    • An that describes the suspicious activity

    • Criticality - Overall risk score for the Alert as calculated by Cato's machine learning risk analysis algorithm (values are from 1 - 10)

    • MITRE Techniques - MITRE ATT&CK® techniques identified for the threat

      For more about the MITRE ATT&CK® framework, see Using the MITRE ATT&CK® Dashboard.

    • Status - Shows whether the Alert is New or was already Resolved

    • First Activity Date - Date of initial suspicious activity detected for the Alert

    • Last Activity Date - Date of most recent suspicious activity detected for the Alert

    • Threat Name - Name of malware detected. For example: Trojan:Win32/Startpage

    • Description & Recommended Actions - Click View for a brief Alert description and recommended steps for investigating and mitigating the threat

    • Target - The URL involved in the Alert

    • Destination IP - The remote IP address involved in the story

    Evidences

    Aggregates details for all the Processes, Files, and Registry values identified in the evidence for the various story Alerts.

    Some of the columns in the Evidences table are shared by all the types of Evidences, and some are specific per type.

    These are the columns that appear for all types of Evidences:

    • Verdict - Verdict generated by Defender for the piece of evidence (Malicious, Suspicious, or No threats found)

    • Remediation Status - Shows whether the threat was remediated

    • Created - Date and time when the event was recorded

    These are the specific columns for each type of Evidence:

    • Processes:

      • Process Name - Name of the executable file for the process

      • Process ID - Windows-assigned ID number for the process

      • Process Command Line - Arguments that were passed to the process in Windows. This can reveal important context about the execution of a suspicious process

      • File Path - Location on the endpoint device of the executable file for the process

    • Files:

      • File Path - Location of the file on the endpoint device

      • File Name - Name of the file including extension

      • File Size - Size of the file in bytes, kilobytes, or megabytes

    • Registry:

      • Registry Key Name - Name of the registry key

      • Registry Value Type - Format of the data stored in the registry value

      • Registry Value - The value of the registry entry

    Attack Geolocation

    Shows the geolocation for sources in your network (orange locations) and external sources (red locations) related to the threat. Arrows connecting the sources indicate the direction of traffic

    Target Actions

    Events related to each target, including the following information:

    • Target - Domains or IP addresses of external sources identified in traffic flows related to the story

    • Type - Security engine that generated the events related to the target

    • Action - Action taken on the traffic related to the target

    Related Events

    Shows threat signatures that appear in events related to the target.

    • Hover the mouse over a signature to show a summary event log

    • Click the signature to open the Events page pre-filtered for the signature

    Attack Distribution

    Time distribution of attack related flows.

    • To make it easier to read the graph, in Targets, click a target to hide that data from the graph

    • To show the attack details, hover the mouse over the graph

    Targets

    Shows data for the potentially malicious sources outside your network site related to the story.

    These are the columns in the table:

    • Creation Date - Registration date of the target domain

    • Target - Domains or IP addresses of external sources identified in traffic flows related to the story

    • Target Links - Links to look up the target in various external threat intelligence sources. For additional information, click the VirusTotal icon, or select other resources from the drop-down menu

    • Malicious Score - The malicious score of the target according to Cato threat intelligence algorithms. Scores range from 0 (benign) to 1 (malicious)

    • Popularity - How often the target appears in Cato internal data sources. Values are: Unpopular, Low, Medium, High

    • Categories - Cato categories for the target domain

    • Threat Feeds - Number of Cato threat intelligence sources that detected the target as malicious

    • Engines - Number of third party security engines that detected the target as malicious

    • Registrant Country - Country where the target domain is registered

    • Google Search Hits - Number of Google search results for the target

    Attack Related Flows

    Shows data for a representative sample of events related to the attack.

    These are the columns in the table:

    • Target - Target domain or IP of the relevant communication flow

    • Start Time - Timestamp for the beginning of the flow

    • Direction - Direction of the flow. Directions include:

      • Inbound - Traffic to your network originating at an external source

      • Outbound - Traffic from your network to an external source

      • WANbound - Traffic from your network to another site on your network

    • Source IP - Source IP address in your network sending or receiving the flow

    • Source Port - Source port in your network sending or receiving the flow

    • Destination IP - IP address of the external target sending or receiving the flow

    • Destination Port - The port of the external target sending or receiving the flow

    • Method - The HTTP method in the flow (GET, POST, and so on)

    • Full Path URL - The complete URL of the external resource in the flow

    • Client - Type of client application running on the operating system that created this network flow (for example, Chrome)

    • Cato App - The Cato application used in the flow

    • Destination Country - Location of the Destination IP in the flow

    • DNS Response IP - The IP address returned by a DNS lookup
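An added example of how the Direction column above can be derived from the flow's Source IP and Destination IP, and how a representative sample of attack-related flows can be rolled up per target (flow count, direction mix, destination ports, HTTP methods). This is not Cato's code: the internal address ranges and the sample flows are constructed for the example, and a flow that touches no internal address is rejected because it matches none of the three directions the page defines.

```python
"""Classify attack-related flows by direction and aggregate them per target.
Added example, not Cato's code: the internal address ranges and the sample
flows are constructed for the example."""
import ipaddress
from collections import Counter

# Assumed address space of "your network"; a real deployment would use its own ranges.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample of attack-related flows, shaped after the columns described above.
FLOWS = [
    {"target": "evil.example.test", "start_time": "2024-05-10T08:01:10", "src_ip": "10.0.0.5",
     "src_port": 51234, "dst_ip": "203.0.113.10", "dst_port": 443, "method": "GET",
     "url": "https://evil.example.test/c2/beacon"},
    {"target": "evil.example.test", "start_time": "2024-05-10T08:06:12", "src_ip": "10.0.0.5",
     "src_port": 51235, "dst_ip": "203.0.113.10", "dst_port": 443, "method": "POST",
     "url": "https://evil.example.test/c2/upload"},
    {"target": "203.0.113.20", "start_time": "2024-05-10T08:09:00", "src_ip": "203.0.113.20",
     "src_port": 4444, "dst_ip": "10.0.0.5", "dst_port": 445, "method": None, "url": None},
    {"target": "192.168.1.7", "start_time": "2024-05-10T08:12:30", "src_ip": "10.0.0.5",
     "src_port": 51236, "dst_ip": "192.168.1.7", "dst_port": 445, "method": None, "url": None},
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def flow_direction(src_ip, dst_ip):
    """Inbound, Outbound or WANbound, following the definitions of the Direction column."""
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return "WANbound"   # one site on your network talking to another
    if src_in:
        return "Outbound"   # your network to an external source
    if dst_in:
        return "Inbound"    # external source to your network
    # Neither end is in your network: not a flow any of the three directions describes.
    raise ValueError(f"flow {src_ip} -> {dst_ip} touches no internal address")


def summarize_flows(flows):
    """Per-target view: flow count, direction mix, destination ports and HTTP methods seen."""
    summary = {}
    for f in flows:
        entry = summary.setdefault(f["target"], {"flows": 0, "directions": Counter(),
                                                  "dst_ports": set(), "methods": Counter()})
        entry["flows"] += 1
        entry["directions"][flow_direction(f["src_ip"], f["dst_ip"])] += 1
        entry["dst_ports"].add(f["dst_port"])
        if f["method"]:  # non-HTTP flows carry no method
            entry["methods"][f["method"]] += 1
    return summary


def internal_hosts_contacted(flows):
    """Internal addresses touched by the flows, the set you would count as affected devices."""
    hosts = set()
    for f in flows:
        for ip in (f["src_ip"], f["dst_ip"]):
            if is_internal(ip):
                hosts.add(ip)
    return sorted(hosts)


if __name__ == "__main__":
    for target, entry in summarize_flows(FLOWS).items():
        print(target, entry["flows"], dict(entry["directions"]), sorted(entry["dst_ports"]))
    print(internal_hosts_contacted(FLOWS))
```

In the sample, the WANbound flow to port 445 on another internal host is the one an analyst would look at first, because it suggests movement inside the network rather than contact with the external target.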

    Sign-In Events

    (This widget requires the Microsoft Entra ID connector)

    Charts with breakdowns of data from sign-in events for the user from the day of the alert plus the preceding 2 days. Use the dropdown to choose the data type shown on the charts. These are the options:

    • Source IP - The IP address of the source detected in the sign-in event

    • Sign-In Location - The geolocation where the sign-in was performed from

    • Client Classification - The type of client used for the sign-in (for example, the browser name and version)

    • User Agent - The user agent used in the sign-in as it appears in the User Agent field in the HTTP header for the traffic. These are examples of user agent values:

      • Chrome/90.0.4430.212

      • Safari/537.36

      • Mozilla/5.0 (Windows NT 10.0; Win64; x64)

    • OS Type - The type of operating system on the device used for the sign-in (for example, Windows, macOS)

    • OS Version - The version number of the operating system on the device used for the sign-in

    Sign-In Events on the User

    (This widget requires the Microsoft Entra ID connector)

    Shows data from the user's sign-in events from the day of the alert and the preceding 2 days.

    These are the columns in the table:

    • Time of the sign-in event

    • User Name for the sign-in

    • Source IP - The IP address of the source detected in the sign-in event

    • Sign-In Location - The geolocation where the sign-in was performed from

    • Action - Result of the sign-in attempt (values: Failed, Succeeded, Access denied)

    • Failure Reason - Explanation for sign-in results of Failed or Access denied

    • Application - The application the user attempted to sign in to

    • Client Classification - The type of client used for the sign-in (for example, the browser name and version)

    • OS Type - The type of operating system on the device used for the sign-in (for example, Windows, macOS)

    • OS Version - The version number of the operating system on the device used for the sign-in

    • User Agent - The user agent used in the sign-in as it appears in the User Agent field in the HTTP header for the traffic. These are examples of user agent values:

      • Chrome/90.0.4430.212

      • Safari/537.36

      • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
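An added example, not Cato's code or the Microsoft Entra ID connector, of the data handling behind the two sign-in widgets above: select a user's events for the day of the alert plus the preceding 2 days, break them down by a chosen field the way the chart dropdown does, and run one simple check an analyst reading the table would want, which source IPs produced Failed sign-ins followed by a Succeeded one. The sign-in events, user and alert date are constructed.

```python
"""Breakdowns of a user's sign-in events over the day of the alert plus the
preceding 2 days, with a simple failure-then-success check. Added example,
not Cato's code or the Entra ID connector: all events are constructed."""
from collections import Counter
from datetime import date, datetime, timedelta

# Constructed sign-in events, shaped after the columns of the Sign-In Events on the User table.
SIGN_INS = [
    {"time": "2024-05-07T10:00:00", "user": "alice@example.com", "source_ip": "198.51.100.7",
     "location": "Berlin, DE", "action": "Succeeded", "failure_reason": "", "client": "Chrome 124"},
    {"time": "2024-05-08T09:12:00", "user": "alice@example.com", "source_ip": "198.51.100.7",
     "location": "Berlin, DE", "action": "Succeeded", "failure_reason": "", "client": "Chrome 124"},
    {"time": "2024-05-09T22:40:00", "user": "alice@example.com", "source_ip": "203.0.113.55",
     "location": "Lagos, NG", "action": "Failed", "failure_reason": "Invalid password", "client": "Chrome 90"},
    {"time": "2024-05-09T22:41:00", "user": "alice@example.com", "source_ip": "203.0.113.55",
     "location": "Lagos, NG", "action": "Failed", "failure_reason": "Invalid password", "client": "Chrome 90"},
    {"time": "2024-05-09T22:45:00", "user": "alice@example.com", "source_ip": "203.0.113.55",
     "location": "Lagos, NG", "action": "Succeeded", "failure_reason": "", "client": "Chrome 90"},
    {"time": "2024-05-10T08:00:00", "user": "alice@example.com", "source_ip": "198.51.100.7",
     "location": "Berlin, DE", "action": "Succeeded", "failure_reason": "", "client": "Chrome 124"},
    {"time": "2024-05-11T08:00:00", "user": "alice@example.com", "source_ip": "198.51.100.7",
     "location": "Berlin, DE", "action": "Succeeded", "failure_reason": "", "client": "Chrome 124"},
]


def window_for_alert(alert_day):
    """Inclusive date range: the day of the alert and the 2 days before it."""
    if isinstance(alert_day, str):
        alert_day = date.fromisoformat(alert_day)
    return alert_day - timedelta(days=2), alert_day


def events_in_window(events, user, alert_day):
    """The user's events inside the window, oldest first."""
    start, end = window_for_alert(alert_day)
    return sorted((e for e in events
                   if e["user"] == user
                   and start <= datetime.fromisoformat(e["time"]).date() <= end),
                  key=lambda e: e["time"])


def breakdown(events, field):
    """Count events per value of one field (source_ip, location, client, ...), like the chart dropdown."""
    return Counter(e[field] for e in events)


def failed_then_succeeded(events):
    """Source IPs with at least one Failed sign-in followed later by a Succeeded one.
    Events must be time-ordered, as events_in_window returns them."""
    seen_failure = set()
    flagged = set()
    for e in events:
        if e["action"] == "Failed":
            seen_failure.add(e["source_ip"])
        elif e["action"] == "Succeeded" and e["source_ip"] in seen_failure:
            flagged.add(e["source_ip"])
    return sorted(flagged)


if __name__ == "__main__":
    window = events_in_window(SIGN_INS, "alice@example.com", "2024-05-10")
    print(breakdown(window, "location"))
    print(breakdown(window, "action"))
    print(failed_then_succeeded(window))
```

The window deliberately drops the events of 2024-05-07 and 2024-05-11, so the breakdown reflects only the three days the widget covers; the check then surfaces the unfamiliar location where two failures preceded a success.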

    Understanding the Related Stories Summary

    (Image: Related Stories summary)

    The Related Stories summary provides context for the story you're investigating by letting you quickly review stories with the same source and stories with similar characteristics involving different sources on your network. The summary shows key details for each related story, and lets you easily open the Stories Workbench prefiltered for the related stories, or the Detection & Response Story page for a specific related story.

    These are the tables in the Related Stories summary:

    • The Top Similar Stories table lets you quickly see if other sources in your network are involved in stories with similar characteristics to this story being investigated, such as the same Indication or Target. This table shows up to the top 5 similar stories according to the Targets Similarity score. The table is not limited to a specific time range.

    • The Stories on the Source table shows all the stories generated by the source in this story, within the selected time range. The default time range is the last 2 weeks. This lets you assess the broader context of activity for this source. For example, this can help determine whether the behavior in this story is unusual or routine for this specific source.

    The following actions can be performed in both tables:

    • Click View in Workbench to open the Stories Workbench pre-filtered to show the stories in the table

    • Click in the row of a story to open the Detection & Response Story page for that story

    These are the columns in the Related Stories tables:

    • Creation Time - Time the story was generated

    • Last Update - Time of the latest story update, such as a new target or changed verdict

    • Indication - Indicator of attack for the story. For more about indications, see Using the Indications Catalog

      • Click the open-in-new-tab icon to open the Detection & Response Story page for this story in a new tab

      • Click the tooltip icon for more information about the indication

    • Source - IP address, name of device, or SDP user on your network involved in the story

    • Targets Similarity (for Top Similar Stories only) - Level of similarity of targets in common with the investigated story, as calculated by a machine learning model (indicated by a percentage)

    • Common Targets (for Top Similar Stories only) - URLs or IP addresses of targets in common with the story being investigated

    • Criticality - Cato's risk analysis of the story (values are from 1 (low risk) - 10 (high risk))

    • The story Status - Values include:

      • Open - Story was generated and is not resolved

      • Pending Customer - Story was sent to customer and is waiting for a response from them

      • Pending Analyst - Waiting for more information from security analysts

      • Closed - Security analysts closed the story

      • Reopened - XOps producers detected new traffic that matches a closed story, and automatically reopened the story to enable further review. Stories are reopened for traffic detected 12 or more hours after the story was first closed. Within 12 hours the story isn't reopened to allow for the handling of the story through mitigation or muting

    • Analyst Verdict - The verdict assigned to the story by an analyst

    • Analyst Classification - A detailed classification of the threat type as defined by an analyst
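An added example, not Cato's XOps code, of the Reopened rule stated under the story Status values: matching traffic reopens a Closed story only when it is detected 12 or more hours after closing, while traffic inside that 12-hour window is left for handling through mitigation or muting. The code walks a time-ordered list of detections for one story and records the outcome the way the Story timeline widget would show it. The story record and detection timestamps are constructed; the boundary case of exactly 12 hours is included.

```python
"""Applying the Reopened rule: traffic matching a Closed story reopens it only
when detected 12 or more hours after it was closed. Added example, not Cato's
XOps code; the story record and detection timestamps are constructed."""
from datetime import datetime, timedelta

REOPEN_AFTER = timedelta(hours=12)

# Constructed sample: closed at 09:00, then matching traffic at +1h, at exactly +12h, and at +13h.
CLOSED_STORY = {"status": "Closed", "closed_at": "2024-05-10T09:00:00"}
DETECTIONS = ["2024-05-10T10:00:00", "2024-05-10T21:00:00", "2024-05-10T22:00:00"]


def should_reopen(closed_at, detected_at):
    """True when matching traffic was detected at or after closed_at + 12 hours."""
    return datetime.fromisoformat(detected_at) - datetime.fromisoformat(closed_at) >= REOPEN_AFTER


def apply_detections(story, detections):
    """Return the updated story and a timeline of (time, entry) records.

    story: dict with "status" and, when Closed, "closed_at" (ISO timestamp).
    detections: ISO timestamps of new traffic that matches the story.
    """
    story = dict(story)
    timeline = []
    for ts in sorted(detections):
        if story["status"] != "Closed":
            # Only Closed stories are subject to the rule; an open or reopened story
            # simply keeps accumulating the traffic.
            continue
        if should_reopen(story["closed_at"], ts):
            story["status"] = "Reopened"
            story["closed_at"] = None
            timeline.append((ts, "Reopened: new traffic matched the story"))
        else:
            timeline.append((ts, "Not reopened: within 12 hours of closing, handle by mitigation or muting"))
    return story, timeline


if __name__ == "__main__":
    final, history = apply_detections(CLOSED_STORY, DETECTIONS)
    print(final["status"])
    for when, entry in history:
        print(when, entry)
```

In the sample, the 10:00 detection is logged but does not change the status, the 21:00 detection sits exactly on the 12-hour boundary and reopens the story, and the 22:00 detection needs no further action because the story is already Reopened.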
