This article describes the Security and Network operations capabilities of the Cato XOps platform, and what's included in the different XOps license tiers.
The Cato XOps platform enables both Security operations and Network operations teams to utilize AI and automation to monitor the organization's network for both security threats and network performance issues. XOps transforms unmanageable amounts of raw security and network events into consumable, cross-functional and actionable stories.
The platform includes advanced correlation engines of many different types that analyze traffic data to find matches for specific indications of threat activities or network issues. When an engine finds a match, it produces a story that can be reviewed and investigated in the Cato Management Application (CMA). CMA refers to these engines as Producers.
Each XOps story contains data from traffic flows with common properties that relate to the same threat or network issue. The Stories Workbench page shows the details of each story to help you understand and analyze them. You can sort and filter the stories to find the most important potential attacks, and then drill down on a story to further investigate the details.
These are the names and descriptions of the various XOps story producers:
- Threat Prevention - The Cato XOps Threat Prevention producer detects a specific set of attack behaviors in events generated by Cato’s real-time security services, such as IPS and Anti-Malware. The Threat Prevention stories help analysts focus on immediate, high-confidence threats.
Threat Prevention stories are usually based on correlated block events, meaning events for traffic that was blocked by one of the Security services. However, even though the traffic was already blocked, it is possible that this traffic relates to an ongoing threat. The XOps story lets you investigate the context and details of the suspicious traffic to help determine if there is still a threat that requires further mitigation.
For more about Threat Prevention stories, see Drilling-Down and Analyzing XOps Security Stories.
- Threat Hunting - The Threat Hunting producer continuously scans the vast amount of historical traffic data stored in the data lake to detect traffic patterns that indicate potential threats. Unlike the Threat Prevention producer, which focuses on recent events, the Threat Hunting producer looks for correlations over time in the stored traffic data. Correlations are identified over one week's data to ensure accuracy. Further, while the Threat Prevention producer looks at data in the event logs, the Threat Hunting producer analyzes a broader set of data from the traffic flows. This enables the Threat Hunting producer to detect more evasive threats that are difficult to identify with conventional methods because they generate a lower and harder-to-detect signature.
The following is the Overview page for a Threat Hunting story that identified 40 different traffic flows (signals) relating to a cybersquatting phishing threat:
For more about Threat Hunting stories, see Drilling-Down and Analyzing XOps Security Stories.
- Usage Anomaly - Part of Cato's User and Entity Behavior Analytics (UEBA) capabilities, this producer compares user and site network activity with baselines calculated by machine learning algorithms, and generates stories for suspicious deviations from baseline usage levels. For example, a specific user is detected using more upstream bandwidth than usual.
For more about Usage Anomaly stories, see Analyzing XOps UEBA Stories for Usage and Events Anomalies.
- Events Anomaly - Another element in Cato's UEBA capabilities, this producer detects indications that involve an entity on the network triggering an unusual number of Security events. For example, a user is associated with an unusually large number of IPS block events for traffic to a specific direction, which can indicate a potential infection on the user's device.
For more about Events Anomaly stories, see Analyzing XOps UEBA Stories for Usage and Events Anomalies.
- Experience Anomaly - Detects unusual changes in application experience for specific sites and applications. After monitoring an application for 14 days, it creates a baseline using TTFB (Time to First Byte). The producer then checks the traffic once a day, and generates a story when the application experience is significantly different from the baseline. The story helps you review the affected site, application, traffic flows, and possible performance issues.
- Account Operations - Detects account-level issues that can impact users, sites, and services. This includes issues such as directory sync failures, license exhaustion, expired certificates, connector issues, and other configuration or operational problems. The producer generates stories that help you understand the issue, review its scope and impact, and follow guided remediation steps to restore normal operation.
- Predictive Insight - Detects potential performance and availability risks before they impact service. It analyzes network trends, resource usage, and configuration context to forecast developing issues. For example, it can generate a story when a site Socket is expected to exceed acceptable CPU usage. The story helps you review the forecast, understand when the issue may become critical, and follow guided remediation steps.
- Microsoft Endpoint Alerts - Customers who use Microsoft Defender for Endpoint can integrate the Defender alert data with Cato XOps to produce stories for endpoint devices. The Microsoft Endpoint Alerts producer creates a story by correlating data from Defender Alerts that occurred on the same device within a 24-hour period. Endpoint Alert stories include all relevant evidence for the Alert detected by Defender. By expanding the focus to the endpoint, these stories help you get a more complete picture of potential threats in your network.
For more about integrating Defender for Endpoint with Cato XOps, see Microsoft Defender for Endpoint Alerts: Configuring the XOps Integration.
- Microsoft Entra ID Alerts - You can integrate alert data from Microsoft Entra ID Protection to generate Cato XOps stories. This lets analysts include data from risky sign-ins within the broader context of XOps investigations. The Cato Entra Identity Alert engine creates a story by correlating data from Entra ID Protection alerts that occurred for the same user within a 24-hour period.
For more about integrating Entra ID Alerts with Cato XOps, see Microsoft Entra ID: Configuring the XOps Integration.
- Cloud Detection and Response - Uses Wiz issues to detect risks in cloud environments. This includes insecure configurations, vulnerable applications, exposed credentials, and threat detections. The producer processes Wiz issues in near real time and generates stories in the Stories Workbench. These stories combine Wiz cloud intelligence with Cato context, helping you investigate cloud risks and identify possible cross-environment attacks.
- Cato Endpoint Alerts - The Cato EPP solution integrates with Cato XOps to generate stories for endpoint devices. The Cato Endpoint Alerts producer creates a story by correlating data from all Cato EPP alerts that occurred on the same device within a 24-hour period. Cato Endpoint Alerts stories include all relevant evidence detected by Cato EPP.
For more about Cato Endpoint Alerts stories, see Cato Endpoint Protection (EPP): Configuring the XOps Integration.
- SentinelOne Alerts - Customers who use SentinelOne can integrate data from SentinelOne EDR to generate stories for endpoint devices. The SentinelOne producer creates a story by correlating data from SentinelOne EDR incidents that share the same Agent UUID (Device ID) and threat file hash within a 90-day period. These stories include all relevant evidence for the incidents detected by SentinelOne. Stories are created in near real-time after the original alert is generated.
For more about integrating SentinelOne Alerts, see SentinelOne EDR: Configuring the XOps Integration.
- CrowdStrike Alerts - Customers who use CrowdStrike can integrate data from CrowdStrike detections to generate stories, correlated based on the Incident ID. These stories include all relevant evidence for the detection identified by CrowdStrike. Stories are created in near real-time after the original alert is generated.
For more about integrating CrowdStrike Alerts, see CrowdStrike: Configuring the XOps Integration.
- Site Operations - Cato XOps features the unique AIOps producer called Site Operations (formerly known as Network XDR) that converges Network operations with Security operations into a single platform. This producer detects different indications and metrics related to connectivity and performance, and generates stories that correlate data for issues concerning the network. For example, if a WAN link is intermittently experiencing high packet loss, the producer creates a single story with all the relevant data for the link.
For more about Network stories in Cato XOps, see Reviewing Site Operations Stories.
This section provides use cases for each producer:
Scenario
A user clicks a phishing link and is redirected to a site that hosts an exploit kit.
How it works
Cato’s IPS detects the exploit attempt in real time and blocks the traffic before it reaches the endpoint.
Story
The Threat Prevention producer creates a story showing:
- User identity and location
- Exploit kit signature (e.g., CVE reference)
- Action taken (traffic was blocked)
Outcome
Security teams quickly know an exploit attempt occurred, with no endpoint infection. They can trace whether the phishing email reached additional users. The Similar Stories tab displays any other users who tried to access the same domain, and the Events page provides a deep dive into the IPS signature and CVE to identify whether they surfaced anywhere else in the network.
Scenario
A device communicates with a rare external IP every night at 2 AM. The IP isn’t on threat feeds but the communication pattern looks suspicious.
How it works
The Threat Hunting engine analyzes historical traffic in the data lake. It spots this unusual beaconing pattern over several weeks.
Story
The producer builds a story linking:
- Repeated flows from the same host
- Suspicious destination characteristics (low reputation, uncommon ASN)
- Timeline of activity
Outcome
SOC analysts investigate and discover malware using a command-and-control channel. Early detection prevents data exfiltration.
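The beaconing scenario above hinges on periodicity rather than reputation: the destination is not on any feed, so the signal is that one host talks to a rarely-contacted address at almost exactly the same interval, night after night. The following is an added illustration of that kind of historical correlation, not code from Cato or the XOps platform; the flow records, hostnames and addresses are constructed sample data, and the thresholds are assumptions for the example.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev
from collections import defaultdict

def build_sample_flows():
    """Constructed flow records (src_host, dst_ip, timestamp); not real traffic.
    host-a contacts one rare address at ~02:00 nightly for three weeks with a
    little jitter; host-b and host-c browse a shared address at irregular times."""
    flows = []
    t0 = datetime(2025, 7, 1, 2, 0)
    for day in range(21):
        jitter = timedelta(seconds=(day * 37) % 120)  # 0..119 s, deterministic
        flows.append(("host-a", "203.0.113.7", t0 + timedelta(days=day) + jitter))
    for i, hour in enumerate([9, 13, 10, 17, 11, 9, 16, 14]):
        flows.append(("host-b", "198.51.100.20", t0 + timedelta(days=i, hours=hour)))
    flows.append(("host-c", "198.51.100.20", t0 + timedelta(days=2, hours=15)))
    return flows

def find_beacons(flows, min_flows=14, max_cv=0.05, max_hosts=1):
    """Flag (host, dst) pairs with a long, near-periodic series of flows to a
    destination that few hosts contact. Returns one candidate story per pair.
    The thresholds are illustrative assumptions, not product settings."""
    by_pair = defaultdict(list)
    hosts_per_dst = defaultdict(set)
    for host, dst, ts in flows:
        by_pair[(host, dst)].append(ts)
        hosts_per_dst[dst].add(host)
    stories = []
    for (host, dst), times in by_pair.items():
        # Skip short series and destinations that are common across the network
        if len(times) < min_flows or len(hosts_per_dst[dst]) > max_hosts:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        cv = pstdev(gaps) / mean(gaps)  # coefficient of variation; 0 = perfectly regular
        if cv <= max_cv:
            stories.append({"host": host, "dst": dst, "flows": len(times),
                            "period_hours": round(mean(gaps) / 3600, 2),
                            "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return stories

if __name__ == "__main__":
    for story in find_beacons(build_sample_flows()):
        print(story)
```

The low coefficient of variation plus the rarity of the destination is what separates the nightly beacon from ordinary browsing, which has many hosts per destination and irregular gaps.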
Scenario
An HR employee usually uploads ~50 MB of files weekly. Suddenly, they upload 5 GB to an external file-sharing site.
How it works
The Usage Anomaly producer uses machine learning to compare current activity against the user’s baseline. The spike is flagged.
Story
The story shows:
- Normal baseline vs. new behavior
- Destination (Dropbox, Google Drive, etc.)
- Timestamp and volume of traffic
Outcome
Security investigates and learns that the user accidentally uploaded confidential files to a personal account. The files are removed, and Cato recommends tightening the DLP controls to prevent such cases in the future.
Scenario
An IoT device that normally communicates only within the WAN starts sending data to the internet, a traffic direction never seen before from this device.
How it works
The Events Anomaly producer identifies the deviation in event frequency for the user, site, or device involved.
Story
The story highlights:
- Usual behavior observed from this device (WAN communication)
- Anomalous behavior: multiple requests to external IP addresses that appear in threat intelligence feeds
Outcome
The team confirms a command and control attempt via an IoT device. The device is contained and the malicious communication is blocked.
Scenario
Microsoft Defender for Endpoint detects a malicious PowerShell script on a workstation.
How it works
The alert is forwarded from Microsoft Defender into Cato via the connector.
Story
The XOps platform correlates the endpoint alert stories from this producer with related stories from other producers (e.g., outbound traffic to suspicious IPs).
Outcome
The SOC team is provided with a unified view of endpoint malware and matching network behavior, enabling faster containment and root cause analysis.
Scenario
A branch office experiences intermittent connectivity issues: the primary ISP link keeps going up and down (flapping), disrupting access to cloud applications and VPN tunnels.
How it works
Cato’s Site Operations engine continuously monitors link health. When multiple Link down and Link up events occur close together, it groups them into a single story, identifying a pattern of instability rather than isolated incidents.
Story
The story displays:
- Affected site and specific WAN link
- Timeline of correlated link flaps over the monitoring window
- Analysis identifying flapping behavior (e.g., five link-down events within 10 minutes)
Outcome
The Site Operations engine aggregates all related events into one correlated story, reducing alert noise and highlighting a potential chronic link issue. The IT team is proactively notified, switches to the backup ISP link, and works with the provider to resolve the root cause, minimizing downtime and preventing repeated service disruption.
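To make the "five link-down events within 10 minutes" correlation concrete, here is an added example of grouping raw link events into one story per link, written for this article and not taken from Cato or the XOps platform. The site and link names and the event timestamps are constructed sample data; the threshold and window are the figures quoted in the use case, applied here as a sliding window.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample events (site, link, event, ISO timestamp); not real data.
SAMPLE_EVENTS = [
    # Branch-NY / ISP1 flaps five times in under nine minutes: one story expected.
    ("Branch-NY", "ISP1", "Link down", "2025-08-06T09:00:00"),
    ("Branch-NY", "ISP1", "Link up",   "2025-08-06T09:00:40"),
    ("Branch-NY", "ISP1", "Link down", "2025-08-06T09:02:10"),
    ("Branch-NY", "ISP1", "Link up",   "2025-08-06T09:02:55"),
    ("Branch-NY", "ISP1", "Link down", "2025-08-06T09:04:00"),
    ("Branch-NY", "ISP1", "Link up",   "2025-08-06T09:04:30"),
    ("Branch-NY", "ISP1", "Link down", "2025-08-06T09:06:20"),
    ("Branch-NY", "ISP1", "Link up",   "2025-08-06T09:07:00"),
    ("Branch-NY", "ISP1", "Link down", "2025-08-06T09:08:45"),
    ("Branch-NY", "ISP1", "Link up",   "2025-08-06T09:09:30"),
    # A single 20-minute outage on another link: an incident, not flapping.
    ("Branch-NY", "ISP2", "Link down", "2025-08-06T11:00:00"),
    ("Branch-NY", "ISP2", "Link up",   "2025-08-06T11:20:00"),
    # Two isolated flaps twelve hours apart on another site: below threshold.
    ("Branch-TX", "ISP1", "Link down", "2025-08-06T03:00:00"),
    ("Branch-TX", "ISP1", "Link up",   "2025-08-06T03:01:00"),
    ("Branch-TX", "ISP1", "Link down", "2025-08-06T15:00:00"),
    ("Branch-TX", "ISP1", "Link up",   "2025-08-06T15:01:00"),
]

def find_flapping_links(events, min_downs=5, window=timedelta(minutes=10)):
    """Return one correlated 'story' per (site, link) whose link-down events
    reach min_downs inside any sliding window of the given length."""
    downs = defaultdict(list)
    for site, link, kind, ts in events:
        if kind == "Link down":
            downs[(site, link)].append(datetime.fromisoformat(ts))
    stories = []
    for (site, link), times in downs.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until the span fits inside the window
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_downs:
                stories.append({"site": site, "link": link, "downs": end - start + 1,
                                "first": times[start].isoformat(),
                                "last": times[end].isoformat()})
                break  # one story per link, not one alert per event
    return stories

if __name__ == "__main__":
    for story in find_flapping_links(SAMPLE_EVENTS):
        print(story)
```

Sixteen raw events collapse into a single story for Branch-NY / ISP1, while the one-off outage and the two widely spaced flaps produce nothing, which is the noise reduction the use case describes.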
Your XOps license determines the producers available for your account, and whether the service is managed by Cato. All license tiers benefit from the XOps platform tools in the Cato Management Application, including:
The table below describes the XOps license tiers that come into effect from August 6, 2025, and explains which producers are available for each tier. Please contact your Cato representative or official reseller for more information on purchasing XOps licenses.
| License | Description |
|---|---|
| No license | If a connector is configured, events are created by the following producers: |
| XOps | A paid, non-managed tier that includes the following set of producers that correlate data into a story, the platform to investigate them, mitigation recommendations and mitigation actions: |
| MDR | A paid tier including a managed 24/7 SOC service enhancing the security and management of stories. This service is provided by the Cato Managed Detection and Response team and includes: |