This article describes best practices for investigating threats with the Cato XDR Core platform.
The Cato XDR platform enables Security operations and Network operations teams to monitor the organization's network for both potential security threats and network issues. The XDR Core license tier includes a basic set of Security story producers for customers with a Threat Prevention license, as well as the Network XDR producer. This article describes best practices for getting the most out of your XDR Core and using it to significantly enhance your organization's security monitoring and remediation of threats. First, we discuss configuring integrations to expand XDR capabilities, and then we describe an end-to-end workflow for how to investigate a story in the Stories Workbench, including the following steps:
- Identifying the most important stories to focus on
- Steps for beginning an investigation
- Setting a verdict and remediating the threat
To maximize the usefulness of the XDR platform, we recommend configuring supported integrations that expand the number and type of producers for XDR stories. We recommend setting up one of the following endpoint security integrations to help you get a more complete picture of potential threats, and conduct investigations in a unified XDR platform extending into both the network and the endpoint:
- Microsoft Defender for Endpoint connector - Customers who use Defender for Endpoint can leverage the Microsoft API to integrate Defender alert data and generate XDR stories for endpoint devices. For more about this integration, see Reviewing XDR Stories for Microsoft Defender for Endpoint Alerts.
- Cato Endpoint Protection - The Cato EPP solution natively integrates with Cato XDR to generate stories for endpoint devices, with no need to configure a connector. For more about this integration, see Reviewing XDR Stories for Cato Endpoint Protection (EPP) Alerts.
Selecting the right stories to work on in the Stories Workbench is a crucial first step for effective use of the XDR platform. You can use the tools and information provided in the Workbench to quickly identify the highest-priority stories to investigate. We recommend the following steps:
- Group the stories - The Group By options can give you a quick overview of the different types of stories in your account, as well as indicate particular items of interest on the network such as sources or users. These are examples of helpful Group By options:
  - Source and Source IP - Quickly see the users, devices, and IP addresses involved in stories.
  - Producer - Quickly review the different types of stories detected. For more about the different types of Producers, see Getting Started with Cato XDR.
  - Indications - Get an overview of the specific indicators of attack detected.
  We recommend cycling through the different Group By options to get a quick understanding of the stories on your network from different perspectives, which can help you identify particular areas of interest to focus the investigation on.
- Prioritize by Criticality - Start by focusing on the stories with the highest Criticality score. These are the potential threats that could have the most significant impact on your network. You can click the Criticality column header to sort the stories by Criticality, or filter the stories for specific Criticality levels. Also, when you use the Group By options, each group indicates the number of high Criticality stories for the group.
Once you've selected a story to investigate, you can click the story to drill down to the details in the Detection & Response Story Overview page. We recommend taking the following steps to gain an initial understanding of what's happening in the story:
- Generate an AI Summary - The Details widget includes a tool that lets you create a natural language story description generated by AI, which provides rich context and helps you quickly assess the story. Generate the summary by clicking the Generate AI Summary button.
- Check if the Traffic was Blocked - The Target Actions table shows events related to each target involved in the story, including whether the Block action was applied to the traffic by one of the Security services such as IPS. If some of the traffic to the targets wasn't blocked, then the story has a higher risk level. Even if all the traffic to the targets was blocked, it is possible that this traffic relates to an ongoing threat that requires further investigation.
- Assess the Targets - The Targets table shows data for the potentially malicious sources outside your network site related to the story. We recommend focusing on the following columns when you start your investigation:
  - The Malicious Score tells you the likelihood that the target is malicious, according to Cato Threat Intelligence machine learning algorithms. Scores range from 0 (benign) to 1 (malicious).
  - The Target Links help you understand the target reputation by looking up the target in various external threat intelligence sources.
- Work with XDR Playbooks - The Cato XDR Security Playbooks provide a structured approach to investigating specific types of stories. They guide you through the investigation process and help you identify action items. For stories with a relevant playbook, you can find the link to the playbook in the Details widget. The XDR Security Playbooks are also available here.
- Use Comments - If the story investigation includes collaboration among team members, use Comments to document what work has been done and provide important information and context for the next analyst who looks into the story. For more about using comments, see Managing XDR Story Investigations.
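The story-selection rules above (group by Source, Producer or Indications, count the high-Criticality stories per group, sort by Criticality) and the initial assessment steps (flag targets whose traffic was not blocked, look at the Malicious Score) are all applied in the Workbench UI. The script below is an added example that implements the same triage logic over a constructed list of stories, so that the rules can be read as code; it is not Cato code and does not use the Cato API. The field names, the producer names, the 1 to 10 criticality scale, the high-criticality threshold of 7 and the 0.8 score cut-off are assumptions made for this example.

```python
# Added example (not Cato's code or API): applies the triage rules from the
# article to a constructed list of XDR stories. Field and producer names mirror
# Workbench columns but are assumptions, not the Cato schema.
from collections import defaultdict
from dataclasses import dataclass, field

HIGH_CRITICALITY = 7    # assumed threshold on an assumed 1-10 Criticality scale
SUSPICIOUS_SCORE = 0.8  # assumed cut-off on the 0 (benign) to 1 (malicious) score


@dataclass
class Target:
    name: str
    malicious_score: float  # Cato Threat Intelligence score, 0 to 1
    blocked: bool           # True if a Security service (e.g. IPS) blocked the traffic


@dataclass
class Story:
    story_id: str
    producer: str
    source: str
    source_ip: str
    criticality: int
    indications: list = field(default_factory=list)
    targets: list = field(default_factory=list)


def group_by(stories, key):
    """Mirror the Workbench Group By view: for each value of `key` return
    (value, total stories, high-criticality stories), most urgent group first."""
    counts = defaultdict(lambda: [0, 0])
    for story in stories:
        values = getattr(story, key)
        for value in (values if isinstance(values, list) else [values]):
            counts[value][0] += 1
            if story.criticality >= HIGH_CRITICALITY:
                counts[value][1] += 1
    rows = [(value, total, high) for value, (total, high) in counts.items()]
    return sorted(rows, key=lambda row: (-row[2], -row[1], row[0]))


def max_malicious_score(story):
    """Highest Malicious Score among the story's targets (0.0 if none)."""
    return max((t.malicious_score for t in story.targets), default=0.0)


def risk_flags(story):
    """Initial assessment of one story: unblocked traffic raises the risk
    level, and a high Malicious Score points at a target worth checking."""
    flags = []
    unblocked = [t.name for t in story.targets if not t.blocked]
    if unblocked:
        flags.append("unblocked traffic to " + ", ".join(unblocked))
    score = max_malicious_score(story)
    if score >= SUSPICIOUS_SCORE:
        flags.append(f"target with malicious score {score:.2f}")
    return flags


def prioritise(stories):
    """Order for investigation: highest Criticality first; among equals,
    stories with unblocked traffic first, then the highest target score."""
    def sort_key(story):
        fully_blocked = all(t.blocked for t in story.targets)  # True for no targets
        return (-story.criticality, fully_blocked, -max_malicious_score(story), story.story_id)
    return sorted(stories, key=sort_key)


# Constructed sample stories; every value below is invented for this example.
SAMPLE_STORIES = [
    Story("S1", "IPS", "alice", "10.0.0.5", 8, ["Known malicious destination"],
          [Target("203.0.113.44", 0.95, True), Target("bad-cdn.example", 0.40, False)]),
    Story("S2", "Endpoint", "bob", "10.0.0.9", 8, ["Suspicious process"],
          [Target("198.51.100.7", 0.90, True)]),
    Story("S3", "Network XDR", "site-a", "10.0.1.1", 3, ["Link degradation"], []),
    Story("S4", "IPS", "alice", "10.0.0.5", 5, ["Scanner activity"],
          [Target("192.0.2.10", 0.20, True)]),
]

if __name__ == "__main__":
    for story in prioritise(SAMPLE_STORIES):
        print(story.story_id, story.criticality, risk_flags(story))
    print(group_by(SAMPLE_STORIES, "producer"))
```

Running the script lists S1 first: it shares the top Criticality with S2, but part of its traffic was not blocked, which the article treats as a higher risk level. Grouping by "source" shows the same user appearing in two stories, one of them high Criticality, which is the kind of item of interest the Group By view is meant to surface.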
The Story Actions panel lets you perform crucial actions and record important information as you conclude your investigation. Some analysts make the mistake of closing a story without setting a verdict, and lose much of the benefit of the investigation process. When you set a verdict, you record meaningful information about the story for future reference, and can learn about recommended actions for remediation. This is an example workflow for setting a verdict and performing basic remediation steps after you identify that a device has been compromised by an exploitation attempt of a known vulnerability:
- Click Actions > Manage Story to open the Story Actions panel.
- Set the Analyst Verdict to Malicious.
- Define the Severity of the threat.
- Define the Type as Exploitation Attempt, and if possible define a more specific Classification for the threat. Use the Additional Info field to record details about the investigation process or the results.
- Follow the Recommended Actions, including:
  - Create firewall rules to block malicious targets and sources you identified in the story.
  - Update device software to remediate the vulnerability and avoid future exploitation attacks.
- If you identify a compromised user, you can revoke the user's remote session to prevent access to the network. For more about revoking a remote session, see Revoking a Remote User Session.
- Set the Story Status to Closed.