Integrating Custom IoC Lists with Containers

You can add custom IoC lists to the threat intelligence for your Cato account to meet specific requirements for your organization's industry or location. The IoC lists are configured using Containers, which are user-defined categories that help you manage groups of items such as IP addresses or FQDNs. For example, create a Container that includes a list of malicious IP addresses identified by your organization's SOC or provided by a third-party threat intelligence service.

You can configure Containers with IoC lists directly in the Cato Management Application or through automated API processes, and then include the Containers in Internet Firewall rules. For more information about the API for Containers, see the Cato Networks GraphQL API Reference.

There are different types of Containers, and each type can include only a single type of data. These are the Container types:

This is an example workflow for integrating custom IoCs using a Container:

You can create a Container on the Categories page by:

After you create a Container, it appears in the table in the Containers tab. You can edit a Container in the table manually or upload a new source file to update the values in the Container.

Syncing IoCs from a URL

IoCs can be uploaded directly from a URL, allowing you to automatically ingest external threat feeds or frequently updated indicator lists. This enables faster threat response times with regular automated updates and ensures accuracy with reduced human error. You can configure how often these IoCs sync using either hourly or daily intervals.

If a sync fails, it is automatically retried three times within 15 minutes before a notification is sent. It then continues attempting to sync up to seven additional times over the next hour. You can view the current sync status using the indicator shown in the Containers table in the Members column.

You can also manually trigger a sync from the URL on the Container table by selecting the three dots next to the relevant Container and clicking Sync Now.

Uploading IoCs from a File

IoCs can be uploaded from a file allowing you to create a Container of IoCs in bulk. The Container can be of type FQDN or IP. An IP Container can include a list of single IP addresses, subnet masks (in dot-decimal or CIDR notation), or IP ranges.

Requirements for Container Source Files

• Source files for Containers must be in one of the following formats:

  • TXT files with values separated by one of the following delimiters:

    • Comma

    • Space

    • Line break

  • CSV files with values listed in column A with no header

  • STIX format JSON files

• Source files must contain a minimum of 1 value and a maximum of 1 million values

• For FQDN Containers, only alphabetic or numeric characters are supported, special characters are not supported

Creating a Container

Create a container that contains IoC from a file, URL, or manually.

To create a Container:

1. From the navigation panel, select Resources > Categories and expand the Containers tab.

2. Click New. The New Container panel opens.

3. Enter the Display Name for the Container.

4. Select the container Type. Possible values: FQDN, IP.

5. Enter a Description for the Container.

6. Choose the Source for the Container by either:

   • Uploading a file

     • Choose the File type (CSV or STIX) and add the file by either dragging and dropping it into the File Uploader or clicking Browse

   • Syncing a file from a URL

     • Choose the File type (CSV or STIX), add the URL, and choose the intervals for the file to sync.

       Note: Click Test Container before saving the Container

   • Adding items manually

7. Choose tracking options. For more information, see Alerts.

8. Click Save. The Container is created and visible in the Containers table.

Configure Containers in the App/Category field in an Internet Firewall rule. Select the Container type and then select the specific containers to include in the rule. You can configure multiple Containers of the same type in a rule.