This article discusses how to use Container objects to integrate custom lists of IoCs with Cato Security services.
You can add custom IoC lists to the threat intelligence for your Cato account to meet specific requirements for your organization's industry or location. The IoC lists are configured using Containers, which are user-defined categories that help you manage groups of items such as IP addresses or FQDNs. For example, create a Container that includes a list of malicious IP addresses identified by your organization's SOC or provided by a third-party threat intelligence service.
You can configure Containers with IoC lists directly in the Cato Management Application or through automated API processes, and then include the Containers in Internet Firewall rules. For more information about the API for Containers, see the Cato Networks GraphQL API Reference.
There are different types of Containers, and each type can include only a single type of data. These are the Container types:
- IP - Can include single IP addresses, subnet masks (in dot-decimal or CIDR notation), and IP ranges
- FQDN - Fully qualified domain names, for example: www.shop.example.com
This is an example workflow for integrating custom IoCs using a Container:
1. Configure a Container including the IPs identified as IoCs.
2. Create Internet Firewall rules with the Container configured in the App/Category field, and set the rule with the Block action.
3. Keep the Container updated by uploading a new list of IoCs to the Container. When you update the Container, the firewall rule automatically enforces the new IoCs.
You can create a Container on the Categories page by uploading a source file with the data for the Container. After you create a Container, it appears in the table in the Containers tab. You can edit a Container in the table and upload a new source file to update the values in the Container.
Create a new Container by defining the Container type and uploading a source file containing the relevant values. The Container can be of type FQDN or IP. An IP Container can include a list of single IP addresses, subnet masks (in dot-decimal or CIDR notation), or IP ranges.
Requirements for Container Source Files
- Source files for Containers must be in one of the following formats:
  - TXT files with values separated by one of the following delimiters:
    - Comma
    - Space
    - Line break
  - STIX format JSON files
    Note: Cato is gradually enabling support for STIX format on accounts over a period of several weeks. It is possible that it may not be available for your account.
- Source files must contain a minimum of 1 value and a maximum of 1 million values
- For FQDN Containers, only alphabetic or numeric characters are supported; special characters are not supported
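A pre-upload check for a TXT source file, added here as an example and not part of Cato's documentation or tooling: it splits on the three delimiters listed above, validates every value for the chosen Container type (single IP, CIDR or dot-decimal-mask subnet, or a-b range for IP; dot-separated alphanumeric labels for FQDN, which is this example's reading of the "no special characters" rule), and enforces the 1 to 1,000,000 value limit. The sample files use documentation address ranges and constructed hostnames, not real IoCs.

```python
import ipaddress
import re

MAX_VALUES = 1_000_000                       # page: at most 1 million values per source file
FQDN_LABEL = re.compile(r"^[A-Za-z0-9]+$")   # assumption: dots separate labels, labels are alphanumeric only


def _is_ip_value(token: str) -> bool:
    """Accept a single IP, a subnet in CIDR or dot-decimal-mask form, or an a-b IP range."""
    try:
        if "-" in token:                                  # range, e.g. 198.51.100.10-198.51.100.20
            lo, hi = token.split("-", 1)
            return ipaddress.ip_address(lo) <= ipaddress.ip_address(hi)
        if "/" in token:                                  # ip_network accepts both /24 and /255.255.255.0
            ipaddress.ip_network(token, strict=False)
            return True
        ipaddress.ip_address(token)
        return True
    except (ValueError, TypeError):                       # TypeError: mixed v4/v6 range endpoints
        return False


def _is_fqdn_value(token: str) -> bool:
    """At least two labels, each purely alphanumeric (underscores, hyphens, etc. are rejected)."""
    labels = token.split(".")
    return len(labels) >= 2 and all(FQDN_LABEL.fullmatch(label) for label in labels)


def check_container_file(text: str, container_type: str) -> dict:
    """Validate TXT source-file content for an 'IP' or 'FQDN' Container before uploading it."""
    tokens = [t for t in re.split(r"[,\s]+", text) if t]   # comma, space or line break as delimiter
    check = _is_ip_value if container_type == "IP" else _is_fqdn_value
    invalid = [t for t in tokens if not check(t)]
    errors = []
    if not tokens:
        errors.append("file contains no values (minimum is 1)")
    if len(tokens) > MAX_VALUES:
        errors.append(f"{len(tokens)} values exceed the maximum of {MAX_VALUES}")
    if invalid:
        errors.append(f"{len(invalid)} value(s) not valid for an {container_type} Container: {invalid[:5]}")
    return {"count": len(tokens), "invalid": invalid, "errors": errors}


# Constructed sample files mixing all three delimiters (documentation ranges, not real IoCs).
SAMPLE_IP_FILE = "198.51.100.7, 203.0.113.0/24 192.0.2.0/255.255.255.0\n198.51.100.10-198.51.100.20\n"
SAMPLE_FQDN_FILE = "www.shop.example.com\nbad_host.example.com,payload.example.net\n"

if __name__ == "__main__":
    for text, ctype in ((SAMPLE_IP_FILE, "IP"), (SAMPLE_FQDN_FILE, "FQDN")):
        result = check_container_file(text, ctype)
        print(ctype, result["count"], result["errors"])
```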
To create a Container:
1. From the navigation panel, select Resources > Categories and expand the Containers tab.
2. Click New. The New Container panel opens.
3. Enter the Display Name for the Container.
4. Select the Container Type. Possible values: FQDN, IP.
5. Enter a Description for the Container.
6. Under Source, drag and drop or browse to upload a file with the values to include in the Container.
7. Click Save. The Container is created.
Update the values in a Container by uploading a new source file. When you upload a new source file, it replaces the existing file and only the values in the new source file are included in the Container.
To update a Container:
1. From the navigation panel, select Resources > Categories and expand the Containers tab.
2. Click in the row of a Container. The Edit Container panel opens.
3. Under Source, drag and drop or browse to upload a file with the values to include in the Container.
4. Click Save. The Container is updated and contains the values in the new source file.
Configure Containers in the App/Category field in an Internet Firewall rule. Select the Container type and then select the specific containers to include in the rule. You can configure multiple Containers of the same type in a rule, but can't configure more than one Container type in a rule.
To configure a Container in an Internet Firewall rule:
1. From the navigation menu, select Security > Internet Firewall. The Internet Firewall page opens to your existing unpublished revision, or to the newest published revision.
2. Click New.
3. Under App/Category, select either FQDN Container or IP Container.
4. Select one or more Containers from the drop-down menu.
5. Configure the other fields of the rule and save the rule. For more information about configuring Internet Firewall rules, see Managing the Internet Firewall Policy.