Drilling-Down and Analyzing XDR Security Stories

This article discusses how you can use the Detection & Response Story page to analyze stories for potential threats in your account.

Overview

You can click a story in the Stories Workbench to drill down and investigate its details in the Detection & Response Story page. This page contains an Overview of the story and a summary of Related Stories. The Overview contains a number of widgets that help you evaluate the potential threat identified by the XDR engines, while the Related Stories summary helps you put the story in a broader context for analysis.

Generating AI Story Summaries

The Stories Workbench drill-down includes a tool that lets you create a natural language story description generated by AI, which provides rich context and helps you quickly assess the story. The story summary is generated dynamically to reflect the current state of the story. If the story updates with new information, you can regenerate the summary to reflect the changes.

  • The AI story summary is generated only on demand by the admin

Protecting Sensitive Data with Tokenization

For robust data security during the transmission of story data to third-party AI services, Cato uses tokenization to ensure all sensitive data remains in the Cato XDR platform. This involves replacing sensitive information with unique identifiers, or "tokens," rendering the data meaningless to unauthorized entities. Sensitive data is never exposed to third-party services. This approach ensures the confidentiality of the story's details, aligning with our commitment to robust data privacy and security standards.
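To make the mechanism concrete, the following added example (not Cato's implementation; the page does not describe Cato's detection patterns, token format or field set, so those are assumptions here) tokenizes the sensitive values in a story before the text leaves the platform, keeps the token-to-value mapping locally, and restores the values in the summary returned by the AI service. The sample story and the provider stand-in are constructed.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed patterns for values that must stay in the platform (Cato's real field
# set and token format are not given). Emails are matched before bare domains.
PATTERNS = {
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "USER": re.compile(r"[\w.]+@[\w.-]+\.[a-z]{2,}"),
    "DOMAIN": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b"),
}

class StoryTokenizer:
    """Replaces sensitive values with opaque tokens; the mapping never leaves the platform."""
    def __init__(self) -> None:
        self.vault: Dict[str, str] = {}      # token -> original value
        self._by_value: Dict[str, str] = {}  # value -> token, so repeats share one token

    def _token_for(self, kind: str, value: str) -> str:
        if value not in self._by_value:
            token = f"<{kind}_{len(self.vault) + 1}>"
            self.vault[token] = value
            self._by_value[value] = token
        return self._by_value[value]

    def tokenize(self, text: str) -> str:
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token_for(k, m.group(0)), text)
        return text

    def detokenize(self, text: str) -> str:
        # Tokens are delimited by <>, so "<IP_1>" cannot clash with "<IP_10>".
        for token, value in self.vault.items():
            text = text.replace(token, value)
        return text

def summarize_story(story: str, provider: Callable[[str], str]) -> Tuple[str, str]:
    """Tokenize, send only the tokenized text to the AI provider, restore values locally."""
    tok = StoryTokenizer()
    outbound = tok.tokenize(story)
    assert not any(v in outbound for v in tok.vault.values()), "sensitive value leaked"
    return outbound, tok.detokenize(provider(outbound))

def demo_provider(text: str) -> str:
    """Stand-in for the third-party AI service: it only ever sees tokens."""
    tokens = re.findall(r"<(?:IP|DOMAIN)_\d+>", text)
    return f"The source {tokens[0]} repeatedly contacted {tokens[1]}."

# Constructed sample story text; all values are fictitious.
STORY = ("Host 10.20.30.40 (user jane.doe@example.com) made 37 outbound connections "
         "to c2.malicious-example.test and 10.20.30.40 was flagged.")
```

Because a repeated value always maps to the same token, the provider can still correlate events (the two mentions of the same host) without ever seeing the host's address.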

Note: Due to the limitations of generative AI, the information provided in story summaries may occasionally contain inaccuracies.

Understanding the Story Overview Widgets

(Screenshot: Detection & Response Story Overview)

These are the story Overview widgets:

1. Story summary

A summary of basic information about the story, including:

  • Threat category

  • Severity of the threat as determined by the analyst

  • Verdict for the threat as determined by the analyst

  • Attack type (for example, Browser Extension, Native Application, Scanner, Web App)

  • Number of compromised devices

  • Number of signals (traffic flows) associated with the attack

  • Story status

Click the More icon to open the Story Actions panel and change story settings such as Analyst Verdict and Status.

2. Story timeline

Shows a timeline of the story, such as changes to the story verdict and severity, and when new targets related to the story are identified.

3. Details

Key information for analyzing the story, including a threat description and the MITRE ATT&CK® techniques identified for the threat.

  • Click Generate AI Summary for a natural language story description that provides rich context and helps you quickly assess the story

  • Click a MITRE ATT&CK® technique to read its description on the MITRE ATT&CK® website. For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard

Other details include:

  • ML Risk - Overall risk score for the story as calculated by Cato's machine learning risk analysis algorithm (values range from 1 to 10)

  • Predicted Verdict and Predicted Type - Machine learning predictions for the probable verdict and the potential malware type you may identify. The machine learning algorithms analyze the final verdicts of similar stories

4. Source

Basic information about the devices in your network impacted by the threat.

5. Attack Geolocation

Shows the geolocation of sources in your network (orange locations) and of external sources (red locations) related to the threat. Arrows connecting the sources indicate the direction of traffic.

6. Target Actions

Events related to each target, with the following columns:

  • Target - Domains or IP addresses of external sources identified in traffic flows related to the story

  • Type - Security engine that generated the events related to the target

  • Action - Action taken on the traffic related to the target

  • Related Events - Threat signatures that appear in events related to the target. Hover the mouse over a signature to show a summary event log; click the signature to open the Events page pre-filtered for that signature

7. Attack Distribution

Time distribution of attack-related flows.

  • To make the graph easier to read, click a target in Targets to hide its data from the graph

  • To show the attack details, hover the mouse over the graph

8. Targets

Shows data for the potentially malicious sources outside your network that are related to the story, with the following columns:

  • Creation Date - Registration date of the target domain

  • Target - Domains or IP addresses of external sources identified in traffic flows related to the story

  • Target Links - Links to look up the target in external threat intelligence sources. Click the VirusTotal icon, or select other resources from the drop-down menu

  • Malicious Score - The malicious score of the target according to Cato threat intelligence algorithms. Scores range from 0 (benign) to 1 (malicious)

  • Popularity - How often the target appears in Cato internal data sources. Values are: Unpopular, Low, Medium, High

  • Categories - Cato categories for the target domain

  • Threat Feeds - Number of Cato threat intelligence sources that detected the target as malicious

  • Engines - Number of third-party security engines that detected the target as malicious

  • Registrant Country - Country where the target domain is registered

  • Google Search Hits - Number of Google search results for the target

9. Attack Related Events

Shows data for a representative sample of events related to the attack, with the following columns:

  • Target - Target domain or IP of the relevant communication flow

  • Start Time - Timestamp for the beginning of the flow

  • Direction - Direction of the flow. Directions include:

    • Inbound - Traffic to your network originating at an external source

    • Outbound - Traffic from your network to an external source

    • WANbound - Traffic from your network to another site on your network

  • Source IP - Source IP address in your network sending or receiving the flow

  • Source Port - Source port in your network sending or receiving the flow

  • Destination IP - IP address of the external target sending or receiving the flow

  • Destination Port - Port of the external target sending or receiving the flow

  • Method - The HTTP method in the flow (GET, POST, and so on)

  • Full Path URL - The complete URL of the external resource in the flow

  • Client - The client application on the operating system that created this flow (for example, Chrome)

  • Cato App - The Cato application used in the flow

  • Destination Country - Location of the Destination IP in the flow

  • DNS Response IP - The IP address returned by the DNS lookup for the target

Understanding the Related Stories Summary

(Screenshot: XDR Related Stories)

The Related Stories summary provides context for the story you're investigating by letting you quickly review stories with the same source and stories with similar characteristics involving different sources on your network. The summary shows key details for each related story, and lets you easily open the Stories Workbench prefiltered for the related stories, or the Detection & Response Story page for a specific related story.

These are the tables in the Related Stories summary:

  • The Top Similar Stories table lets you quickly see whether other sources in your network are involved in stories with characteristics similar to the story being investigated, such as the same Indication or Target. This table shows up to 5 similar stories, ranked by the Targets Similarity score, and is not limited to a specific time range.

  • The Stories on the Source table shows all the stories generated by the source in this story, within the selected time range. The default time range is the last 2 weeks. This lets you assess the broader context of activity for this source. For example, this can help determine whether the behavior in this story is unusual or routine for this specific source.

The following actions can be performed in both tables:

  • Click View in Workbench to open the Stories Workbench pre-filtered to show the stories in the table

  • Click in the row of a story to open the Detection & Response Story page for that story

These are the columns in the Related Stories tables:

  • Creation Time - Time the story was generated

  • Last Update - Time of the latest story update, such as a new target or changed verdict

  • Indication - Indicator of attack for the story. For more about indications, see Using the Indications Catalog

    • Click the Open in New Tab icon to open the Detection & Response Story page for this story in a new tab

    • Click the Tooltip icon for more information about the indication

  • Source - IP address, name of device, or SDP user on your network involved in the story

  • Targets Similarity (for Top Similar Stories only) - Level of similarity between the targets of this story and those of the investigated story, as calculated by a machine learning model and shown as a percentage

  • Common Targets (for Top Similar Stories only) - URLs or IP addresses of targets in common with the story being investigated

  • Criticality - Cato's risk analysis of the story (values range from 1, low risk, to 10, high risk)

  • Status - The story status. Values include:

    • Open - Story was generated and is not resolved

    • Pending Customer - Story was sent to customer and is waiting for a response from them

    • Pending Analyst - Waiting for more information from security analysts

    • Closed - Security analysts closed the story

    • Reopened - XDR Security producers detected new traffic that matches a closed story and automatically reopened it for further review. A story is reopened only for traffic detected 12 or more hours after it was first closed; within those 12 hours it is not reopened, to allow time to handle the story through mitigation or muting

  • Analyst Verdict - The verdict assigned to the story by an analyst

  • Analyst Classification - A detailed classification of the threat type as defined by an analyst
