Mitigating Threats in XDR Stories - Revoke User Session

This article discusses how to mitigate a threat in an XDR story by revoking a user's session from the story Overview in the Stories Workbench.

For more about XDR and the Stories Workbench, see the following articles:

Overview

XDR stories sometimes relate to suspicious activity originating from a specific user. For example, the story may indicate that the user's remote session was compromised by an attacker, or that the user is falling victim to a social engineering attack such as phishing. The story Overview page in the Stories Workbench lets you mitigate these types of threats by revoking the session of the user in the story and requiring them to reauthenticate. This ensures that only a legitimate authenticated user can access the network.

When you revoke a user session, the user is logged out of the network and shown the Client login screen to enter their credentials. After reauthenticating, the user can continue their remote session. If the user isn't connected when the mitigation action is performed, the authentication token is revoked and the user will be required to enter their credentials next time they connect.

How Does it Work?

When an analyst revokes a user session from the XDR Overview page, a request is sent to the Cato user service to revoke the user's token. When the user service acknowledges receipt of the request, the action status is reported as Success in the Action Center. Note that Success means the request was acknowledged, not that the token has already been revoked. For more about the Action Center, see Reviewing Mitigation Actions in the Action Center below.

The story timeline in the Overview page is updated when the request is sent and when the user service acknowledges receiving the request.

Use Case - Unusual User Activity

Analysts at Example Corp. investigated an XDR story in the Overview page, and identified a user uploading a large amount of data to a file-sharing application. They are unsure if the upload activity is for legitimate reasons or not. The analysts further notice that the user agent in use for this upload activity is anomalous for this user, indicating a possible case of credential theft by an adversary. They therefore decide to revoke the user session to force reauthentication on the device. The analysts can then continue their investigation knowing that only a legitimate authenticated user is connected to the network.

Known Limitations

  • The Revoke User Session action is available only for remote users connecting to the network with the Cato Client. It is not supported for users behind a site.

  • The Revoke User Session action is supported only for stories that identify a user and that are generated by one of the following producers:

    • Threat Prevention

    • Threat Hunting

    • Events Anomaly

    • Usage Anomaly

    • Cato Endpoint Alerts

  • It may take up to 10 minutes for the user session to be revoked.
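The following model, added here as an illustration and not code from Cato or from this article, walks through the flow described in How Does it Work? together with the limitations listed above: the request is sent, the user service acknowledges it, the Action Center records Success at acknowledgement, and the token is only invalidated later (the page allows up to 10 minutes). It also covers the disconnected-user case, where the token is revoked and the user must reauthenticate on the next connection. The UserService class, the story and action-record field layouts, and all user names and tokens are constructed assumptions for the example; only the producer names and the Success/Failure values come from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Producers whose stories support Revoke User Session (names from the article).
SUPPORTED_PRODUCERS = {
    "Threat Prevention", "Threat Hunting", "Events Anomaly",
    "Usage Anomaly", "Cato Endpoint Alerts",
}


@dataclass
class Story:
    story_id: str
    producer: str
    user: Optional[str]            # None when the story did not identify a user
    remote_user: bool              # True for Cato Client users, False for users behind a site
    timeline: List[str] = field(default_factory=list)


@dataclass
class ActionRecord:
    """One Action Center row (field names follow the article; layout is assumed)."""
    time: datetime
    action: str
    subject: str
    status: str                    # "Success" or "Failure"
    author: str
    trigger: str                   # story ID the action was sent from
    note: str = ""


class UserService:
    """Hypothetical stand-in for the Cato user service, constructed for this example."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}      # user -> currently valid auth token
        self.connected: Set[str] = set()      # users with a live remote session
        self.pending: List[str] = []          # revocations acknowledged but not yet applied

    def login(self, user: str, token: str) -> None:
        self.tokens[user] = token
        self.connected.add(user)

    def disconnect(self, user: str) -> None:
        self.connected.discard(user)          # token stays valid until it is revoked

    def request_revoke(self, user: str) -> bool:
        """Acknowledge the request; the revocation itself is applied asynchronously."""
        if user not in self.tokens:
            return False                      # nothing to revoke: the request fails
        self.pending.append(user)
        return True

    def apply_pending(self) -> None:
        """Background step; the article says this can take up to 10 minutes."""
        for user in self.pending:
            del self.tokens[user]
            self.connected.discard(user)      # logged out; the Client shows the login screen
        self.pending.clear()

    def can_access(self, user: str, token: str) -> bool:
        return self.tokens.get(user) == token


def check_supported(story: Story) -> Optional[str]:
    """Return why the action is unavailable for this story, or None if it is supported."""
    if story.user is None:
        return "story did not identify a user"
    if story.producer not in SUPPORTED_PRODUCERS:
        return f"producer {story.producer!r} does not support this action"
    if not story.remote_user:
        return "action is only available for remote users on the Cato Client"
    return None


def revoke_user_session(story: Story, service: UserService, author: str,
                        now: datetime, note: str = "") -> ActionRecord:
    """Run Revoke User Session for a story and produce its Action Center record."""
    reason = check_supported(story)
    if reason is not None:
        raise ValueError(reason)
    story.timeline.append(f"{now.isoformat()} revoke request sent for {story.user}")
    acknowledged = service.request_revoke(story.user)
    if acknowledged:
        story.timeline.append(f"{now.isoformat()} user service acknowledged request")
    # Success records acknowledgement only; the token may still be valid for a while.
    status = "Success" if acknowledged else "Failure"
    return ActionRecord(time=now, action="Revoke User Session", subject=story.user,
                        status=status, author=author, trigger=story.story_id, note=note)


def demo() -> dict:
    """Walk through the connected, disconnected and failing cases; returns checkable facts."""
    svc = UserService()
    svc.login("alice", "tok-a1")                 # connected remote user (constructed)
    svc.login("bob", "tok-b1")
    svc.disconnect("bob")                        # bob is offline when the action runs
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    story_a = Story("S-1", "Usage Anomaly", "alice", remote_user=True)
    story_b = Story("S-2", "Threat Hunting", "bob", remote_user=True)
    rec_a = revoke_user_session(story_a, svc, "admin@example.test", t0, note="anomalous user agent")
    rec_b = revoke_user_session(story_b, svc, "admin@example.test", t0)
    still_valid = svc.can_access("alice", "tok-a1")   # True: acknowledged, not yet applied
    svc.apply_pending()
    revoked = not svc.can_access("alice", "tok-a1") and not svc.can_access("bob", "tok-b1")
    svc.login("bob", "tok-b2")                   # bob reauthenticates on his next connection
    story_c = Story("S-3", "Threat Prevention", "carol", remote_user=True)
    rec_c = revoke_user_session(story_c, svc, "admin@example.test", t0)  # no token: Failure
    return {"status_a": rec_a.status, "status_b": rec_b.status, "status_c": rec_c.status,
            "still_valid_after_ack": still_valid, "revoked_after_apply": revoked,
            "bob_back": svc.can_access("bob", "tok-b2"), "timeline_len": len(story_a.timeline),
            "alice_connected": "alice" in svc.connected}


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the gap between the Success status and the actual revocation: an analyst reading Success in the Action Center should expect the user's token to remain usable for a short window, and should treat the story timeline's acknowledgement entry, not the status, as the moment the request reached the user service.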

Revoking a User Session in an XDR Story

In the story Overview page, revoke the user's session from the Actions menu.

[Image: XDR_Revoke_Session.png]

To revoke a user session:

  1. In the story Overview, click the Actions button.

  2. Click Revoke User Session. The Revoke User Session panel opens.

    [Image: XDR_Revoke_Session_Panel.png]

  3. Select the user whose active session you want to revoke. The panel automatically shows the user identified in the story.

  4. (Optional) Add a note explaining the reason for revoking the user session.

  5. Click Revoke Session. A request is sent to the Cato user service and the session is revoked within a few minutes.

Reviewing Mitigation Actions in the Action Center

The Action Center tab in the Security > Detection & Response page lets you review the XDR mitigation actions taken in your account.

[Image: XDR_Action_Center.png]

The Action Center shows the following information for each mitigation action:

  • Time - Timestamp for when the mitigation action was sent

  • Action - Description of the mitigation action

  • Subject - The user the action was performed on

  • Status - Status of the action. For the Revoke User Session action, these are the Status values:

    • Success - The request to revoke the session was sent to the Cato user service

    • Failure - There was an issue with the request to revoke the session

  • Author - Admin who performed the action

  • Trigger - The Story ID for the story from which the action was sent. Click to open the Overview page for the story

  • Note - Optional note entered by the admin
