Integrating Cato Events with Microsoft Sentinel

Overview

Use the Microsoft Sentinel integration to include Cato event data in your existing monitoring, correlation, and investigation workflows. The native integration sends events directly from Cato to Sentinel and maps them automatically to the Sentinel data model, so dashboards, analytics rules, alerts, and other Sentinel features can process Cato event data without additional parsing or normalization.

The integration uses the standard Cato Microsoft Tenant connector for authentication and transport across Cato Microsoft integrations. The shared connector provides a consistent configuration workflow and centralized access control for integrations such as Entra ID and App and Data API.

Use Case

A company uses Microsoft Sentinel for centralized security monitoring and response. As a Cato customer, it has useful data from key security features such as IPS. With this integration, it can send high-severity IPS event types directly to Sentinel, where they can easily be integrated into the SOC team's existing workflows.

Prerequisites

  • An MS Tenant integration in the Configured Integrations tab in the CMA (Resources > Integrations). This is the parent integration for Microsoft apps.

  • An existing Log Analytics workspace in Sentinel where Cato events will be stored
  • To add a connector, you must have editor permission for Integrations (in the Resources section). For more information, see Managing Admin Roles Using RBAC.
  • Review the prerequisites for all Cato event integrations in Getting Started with Event Integrations

Creating the MS Tenant Integration

The MS Tenant acts as a parent connector for most Microsoft Apps. When adding an integration with a Microsoft app, the first step to configure the integration is to create the parent connector. You only need to configure this connector once, and it can then be used for all Microsoft apps.

To create the MS Tenant integration:

  1. From the navigation menu, select Resources > Integrations and click the Configured Integrations tab.
  2. Click New. The New Connector panel opens.
  3. In the New Connector panel, select the MS Tenant (Configure a new MS Tenant) app.
  4. Enter the Connector Name.
  5. Click Authorize and Save.

    A new browser tab opens to the Microsoft 365 app.

  6. In the new browser tab, authenticate to the Microsoft 365 app:
    1. Select the Microsoft account for the Microsoft 365 app.

      If you select a different account, Microsoft may return an authentication error.

    2. Enter the password for the app and approve it.
    3. Accept the permissions to let Cato access the Microsoft 365 app.
    4. The screen shows that you have successfully applied the permissions for the app.

      You can close the browser tab and return to the Cato Management Application.

  7. The Microsoft 365 SaaS application is added to the Integrated Apps tab.

Creating the Sentinel Integration

Define the Sentinel integration in the CMA by specifying the target Microsoft Tenant, Workspace, and table, and use filters to define which events to include in the integration. After you save the Sentinel integration, you need to authenticate to the Microsoft tenant and allow Cato to push data to your Sentinel account.

After creating the integration in the CMA, you have 10 minutes to complete the process in Microsoft, for security reasons. If the process is not completed within this time frame, you need to delete the integration in the CMA and start again.

After the integration is created, data flows to Microsoft in the table you specified above. Cato appends the letters "_CL" to the table name to help you distinguish it from built-in tables in Microsoft.

Deleting the integration in the CMA does not remove any resources created in Microsoft.

Note: If access to the third-party service is limited to specific IP addresses, please refer to this article for the list of Cato IP addresses that you need to allow (you must be signed in to view this article).

To create the Sentinel integration:

  1. From the navigation menu, click Resources > Integrations.
  2. On the Configured Integrations tab, click New. The New Integration panel opens.
  3. Select Microsoft Sentinel and configure the following fields:
    1. Enter a Name for this integration.
    2. In the Connector Tenant field, select the name of the MS Tenant integration.
    3. Enter the name of your existing Log Analytics Workspace that receives the data in Microsoft Log Analytics.
    4. Enter a new Log Analytics Table Name. Cato stores the data in a table with this name in the Log Analytics Workspace.
    5. In the Table Retention Days field, define how many days you want Microsoft to retain Cato data.
    6. Add a filter to send only some Cato events to Microsoft Sentinel.
  4. Click Save to deploy the integration to Microsoft. You now have ten minutes to complete the setup in Microsoft.
  5. A browser tab opens and directs you to authorize the creation of the integration in Microsoft.

    Note: You must authorize the integration with the same tenant that the parent connector was created with in the MS Tenant integration above, using a user with permissions to create resources on that tenant.

  6. In the Microsoft portal, select the resource group and region that contain the target Log Analytics workspace and click Review + Create.
  7. Click Create to start the deployment.
  8. When the deployment is complete, you can close the Microsoft window.
  9. In the CMA, after refreshing the Integrations page, you can view the status of the integration in the Integrated Apps tab.

Choosing Between the Native Turnkey and Custom GitHub Integration Methods

In addition to the native turnkey integration described in this article, you can also integrate Cato events with Microsoft Sentinel using the tools in the Cato GitHub account. Each approach offers distinct advantages depending on your goals and environment.

When to Use the Native Integration

Cato’s native integration offers a scalable and supportable solution with minimal configuration. Benefits of the native integration include:

  • The ability to handle large volumes of events efficiently, with no API-based limitations
  • Fully maintained and supported by Cato
  • Automatically maps the schema between Cato and Microsoft Sentinel

When to Use the GitHub Integration

The GitHub integration provides flexibility for advanced use cases where custom data sources or processing logic are needed. You might want to use this integration in the following situations:

  • The Cato integration doesn't support the type of data that you want to ingest
  • You want to customize the schema or the event feed data

Known Limitations

  • Large event limitation: Some XOps events can include extensive story information in the raw_data field, which may cause the event to exceed Microsoft Sentinel ingestion size limits (approximately 1 MB). When this occurs, Cato still forwards the event to Sentinel, but omits the raw_data field to maintain compatibility with Sentinel ingestion requirements.
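As an added example (not part of this article or of Cato's own content), the following KQL query can be run in the Log Analytics workspace once the integration shows as connected, to confirm that Cato events are arriving in the custom table, to count the high-severity IPS events from the use case above, and to make visible the events whose raw_data was omitted because of the size limitation. The table name CatoEvents_CL and the column names event_sub_type_s, severity_s and raw_data_s are assumptions; use the Log Analytics Table Name you entered in the CMA (with the "_CL" suffix) and the column names that Log Analytics actually shows for your table.

```kusto
// Added example, not from the Cato article. Replace CatoEvents_CL with your own
// Log Analytics Table Name plus the "_CL" suffix that Cato appends. The column
// names event_sub_type_s, severity_s and raw_data_s are assumptions: open the
// table in Log Analytics and use the column names it actually shows.
CatoEvents_CL
| where TimeGenerated > ago(24h)
// Oversized XOps events are still forwarded but without raw_data (see Known
// Limitations); flag them so the gap is visible in the SOC instead of silent.
| extend raw_data_missing = isempty(raw_data_s)
| summarize
    events           = count(),
    high_sev_ips     = countif(event_sub_type_s == "IPS" and severity_s == "High"),
    raw_data_dropped = countif(raw_data_missing)
  by bin(TimeGenerated, 1h)
| order by TimeGenerated desc
```

An hour with no row, or a sudden drop in events compared with the previous hours, indicates that ingestion has stopped and the integration status should be checked in the Integrated Apps tab.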
