Integrating Cato Events with Microsoft Sentinel

Overview

Use the Microsoft Sentinel integration to include Cato event data in your existing monitoring, correlation, and investigation workflows. 

Cato offers two types of integration with Microsoft Sentinel. Each approach offers distinct advantages depending on your goals and environment:

  • The native turnkey integration sends events directly from Cato to Sentinel and maps them automatically to the Sentinel data model, so dashboards, analytics rules, alerts, and other Sentinel features can process Cato event data without additional parsing or normalization.
    The integration uses the standard Cato MS Tenant connector for authentication and transport across Cato Microsoft integrations. The shared connector provides a consistent configuration workflow and centralized access control for integrations such as Entra ID and App and Data API.
  • A custom GitHub integration is available from the Cato GitHub repo. For more details, see Choosing Between the Native Turnkey and Custom GitHub Integration Methods, below.

Use Case

Sample Company uses Microsoft Sentinel for centralized security monitoring and response. As a Cato customer, they have useful data from key security features such as IPS. They can use this integration to send high-severity IPS event types directly to Sentinel, where the events integrate easily into the SOC team's existing workflows.

Prerequisites

  • An MS Tenant integration in the CMA under Resources > Integrations > Configured Integrations.

    This is a parent integration for Microsoft apps.

  • An existing Log Analytics workspace in Sentinel where Cato events will be stored.
  • To add a connector, you must have editor permission for Integrations (in the Resources section). For more information, see Managing Admin Roles Using RBAC.
  • Review the prerequisites for all Cato event integrations in Getting Started with Event Integrations.

Creating the Microsoft Tenant Integration

The MS Tenant acts as a parent connector for most Microsoft Apps. When you add a Microsoft integration, first create the parent connector. You only need to configure this connector once, and you can then use it for all Microsoft apps.

To create the MS Tenant integration:

  1. From the navigation menu, select Resources > Integrations, and then click the Configured Integrations tab.
  2. Click New. The New Connector panel opens.
  3. In the New Connector panel, select the MS Tenant (Configure a new MS Tenant) app.
  4. Enter the Connector Name.
  5. Click Authorize and Save.

    A new browser tab opens to the Microsoft 365 app.

  6. In the new browser tab, authenticate to the Microsoft 365 app:
    1. Select the Microsoft account that is associated with the Microsoft 365 app.

      Selecting a different account can result in a Microsoft authentication error.

    2. Enter the password for the Microsoft account and approve it.
    3. Accept the permissions to let Cato access the Microsoft 365 app.

      A success page shows that the permissions were applied.

    4. You can close the browser tab and return to the Cato Management Application.
  7. The Microsoft 365 app is added to the Integrated Apps tab.

Creating the Sentinel Integration

Define the Sentinel integration in the CMA by specifying the target Microsoft tenant, workspace, and table. You can also use filters to define which events to include in the integration. After you save the Sentinel integration, you need to authenticate to the Microsoft tenant and allow Cato to push data to your Sentinel account.

After creating the integration in the CMA, you have 10 minutes to complete the process in Microsoft for security reasons. If the process is not complete in this time frame, you will need to delete the integration in the CMA and start again.

After the integration is created, data flows to Microsoft into the Log Analytics table that you specify in the integration. Cato appends the suffix "_CL" to the table name to help you distinguish it from built-in tables in Microsoft.

Deleting the integration in the CMA does not remove any resources created in Microsoft.

Note: If access to the third-party service is limited to specific IP addresses, see this article for the list of Cato IP addresses that you need to allow. You must be signed in to view the article.

Filters

Use filters to control which Cato events are exported to Microsoft Sentinel. This helps reduce ingestion costs, minimize noise, and focus investigations on the events that are most relevant to specific sites, users, or regions. You can also use filters to route different subsets of events to different SIEM environments.

Use filter groups to define filters based on any Event Field or combination of fields. Conditions within each group are combined with AND logic, and OR logic is applied between groups. For example, the filters shown in the screenshot configure the integration to export:

  • Events that originate from Paris or Madrid, are of sub-type Internet Firewall, and resulted in an action other than Monitor or Prompt
  • Events where the username contains Test
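
The following script is an added illustration of the filter-group semantics described above (AND within a group, OR between groups); it is not Cato's code and does not use the CMA API. The field names (site_name, sub_type, action, user_name), the operator names, and the sample events are assumptions constructed for the example; the real Event Field names in the CMA may differ.

```python
"""Evaluate filter groups the way the article describes them:
conditions inside a group are ANDed, groups are ORed.

Added illustration, not Cato's code. Field names, operator names and
sample events are constructed assumptions for this example.
"""
from typing import Any, Callable

# Operator table: each maps (event value, filter value) -> bool.
# Substring matching here is case-sensitive (an assumption).
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "is": lambda ev, fv: ev == fv,
    "in": lambda ev, fv: ev in fv,
    "not_in": lambda ev, fv: ev not in fv,
    "contains": lambda ev, fv: isinstance(ev, str) and fv in ev,
}

# A condition is (field, operator, value); a group is a list of conditions.
Condition = tuple[str, str, Any]


def condition_matches(event: dict, cond: Condition) -> bool:
    field, op, value = cond
    if field not in event:
        return False  # a missing field never matches, so a filter fails closed
    return OPERATORS[op](event[field], value)


def group_matches(event: dict, group: list[Condition]) -> bool:
    # AND: every condition in the group must hold
    return all(condition_matches(event, c) for c in group)


def should_export(event: dict, groups: list[list[Condition]]) -> bool:
    # OR: one matching group is enough; with no groups, everything is exported
    if not groups:
        return True
    return any(group_matches(event, g) for g in groups)


# Filter groups mirroring the two bullets in the article (field names assumed).
FILTER_GROUPS: list[list[Condition]] = [
    [
        ("site_name", "in", {"Paris", "Madrid"}),
        ("sub_type", "is", "Internet Firewall"),
        ("action", "not_in", {"Monitor", "Prompt"}),
    ],
    [
        ("user_name", "contains", "Test"),
    ],
]

# Constructed sample events (not real Cato data).
SAMPLE_EVENTS = [
    {"id": 1, "site_name": "Paris", "sub_type": "Internet Firewall", "action": "Block", "user_name": "alice"},
    {"id": 2, "site_name": "Paris", "sub_type": "Internet Firewall", "action": "Monitor", "user_name": "alice"},
    {"id": 3, "site_name": "Berlin", "sub_type": "Internet Firewall", "action": "Block", "user_name": "alice"},
    {"id": 4, "site_name": "Berlin", "sub_type": "WAN Firewall", "action": "Allow", "user_name": "QA-Test-03"},
    {"id": 5, "site_name": "Madrid", "sub_type": "IPS", "action": "Block", "user_name": "bob"},
]


def exported_ids(events=SAMPLE_EVENTS, groups=FILTER_GROUPS) -> list[int]:
    """Return the ids of the events the filter groups would export."""
    return [e["id"] for e in events if should_export(e, groups)]


if __name__ == "__main__":
    print(exported_ids())  # [1, 4]
```

Event 2 is dropped because its action is Monitor, which fails one AND condition of the first group; event 4 is exported only because the second group matches, showing that a single matching group is sufficient. Before enabling a filter set in the CMA, walking a handful of known events through the same logic is a cheap way to confirm the export covers the events your Sentinel analytics rules expect.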

To create the Sentinel integration:

  1. From the navigation menu, select Resources > Integrations.
  2. On the Configured Integrations tab, click New. The New Integration panel opens.
  3. Select Microsoft Sentinel and configure the following fields:

    1. Enter a Name for this integration.
    2. Select the name of the MS Tenant integration in the Connector Tenant field. 
    3. Enter your existing Log Analytics Workspace Name that receives the data in Microsoft Log Analytics.
    4. Enter a new Log Analytics Table Name. A table with this name is created in the Log Analytics workspace to hold the Cato data.
    5. Define how many days you want Microsoft to retain Cato data in the Table Retention Days field.
    6. Optional: Add filters to control which Cato events are sent to Microsoft Sentinel.
  4. Click Save to deploy the integration to Microsoft. 
    Note: You now have 10 minutes to complete the setup in Microsoft.
  5. A browser tab opens and directs you to authorize the creation of the integration in Microsoft.
    Note: You must authorize the integration with the same tenant used to create the MS Tenant integration. The user must have permissions to create resources on that tenant.
  6. In the Microsoft portal, select the resource group and region that contain the target Log Analytics workspace, and click Review + Create.
  7. Click Create to start the deployment.
  8. When the deployment is complete, you can close the Microsoft window.
  9. In the CMA, refresh the Integrations page. The integration status appears in the Integrated Apps tab.

Choosing Between the Native Turnkey and Custom GitHub Integration Methods

In addition to the native turnkey integration described in this article, you can also integrate Cato events with Microsoft Sentinel using the tools in the Cato GitHub account. Each approach offers distinct advantages depending on your goals and environment.

When to Use the Native Integration

Cato’s native integration offers a scalable and supportable solution with minimal configuration. Benefits of the native integration include:

  • Handles large volumes of events efficiently with no API-based limitations
  • Is fully maintained and supported by Cato
  • Automatically maps the schema between Cato and Microsoft Sentinel
  • Supports filters to fine-tune the data sent to Microsoft Sentinel

When to Use the GitHub Integration

The GitHub integration provides flexibility for advanced use cases where custom data sources or processing logic are needed. You might want to use this integration in the following situations:

  • The Cato integration doesn't support the type of data that you want to ingest
  • You want to customize the schema or events feed data

Known Limitations

  • Large event limitation: Some XOps events can include extensive story information in the raw_data field, which may cause the event to exceed Microsoft Sentinel ingestion size limits (approximately 1 MB). When this occurs, Cato still forwards the event to Sentinel, but omits the raw_data field to maintain compatibility with Sentinel ingestion requirements.
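
The following script is an added illustration of the large-event behaviour described above; it is not Cato's code. It measures an event's JSON-encoded size against an approximate 1 MB limit and, when the limit is exceeded, forwards the event without its raw_data field. The exact byte limit, the JSON encoding used to measure size, the sub_type values and the sample events are all assumptions constructed for the example.

```python
"""Illustrate the Known Limitation: an oversized event is still forwarded,
but without its raw_data field.

Added example, not Cato's code. The exact limit, the encoding used to
measure size and the sample events are constructed assumptions.
"""
import json

# The article says "approximately 1 MB"; the exact value here is an assumption.
MAX_EVENT_BYTES = 1_000_000


def encoded_size(event: dict) -> int:
    """Size of the event as compact UTF-8 JSON (the measurement is an assumption)."""
    return len(json.dumps(event, separators=(",", ":")).encode("utf-8"))


def prepare_for_ingestion(event: dict, limit: int = MAX_EVENT_BYTES) -> tuple[dict, bool]:
    """Return (payload, raw_data_dropped) without modifying the caller's event.

    Small events pass through unchanged; oversized events lose raw_data only.
    """
    if encoded_size(event) <= limit:
        return dict(event), False
    trimmed = {k: v for k, v in event.items() if k != "raw_data"}
    return trimmed, True


def missing_raw_data_count(payloads: list[dict]) -> int:
    """Detection-side check: how many ingested events arrived without raw_data.

    Analytics rules that parse raw_data should tolerate its absence.
    """
    return sum(1 for p in payloads if "raw_data" not in p)


# Constructed samples: a normal event and an XOps-style event with a very large story.
SMALL_EVENT = {"event_type": "Security", "sub_type": "IPS", "raw_data": "short story"}
LARGE_EVENT = {"event_type": "Security", "sub_type": "XOps", "raw_data": "x" * 1_200_000}


if __name__ == "__main__":
    payloads = []
    for ev in (SMALL_EVENT, LARGE_EVENT):
        payload, dropped = prepare_for_ingestion(ev)
        payloads.append(payload)
        print(ev["sub_type"], encoded_size(payload), "raw_data dropped" if dropped else "intact")
    print("events without raw_data:", missing_raw_data_count(payloads))
```

The practical consequence for the defender is the second function: any Sentinel analytics rule or workbook that extracts fields from raw_data should treat the column as optional, since the rest of the event still arrives and still needs to be correlated.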