XOps stories transform unmanageable amounts of raw security and network events into consumable, cross-functional and actionable stories. To integrate XOps stories into your existing workflows and increase visibility, you can export XOps stories to your SIEM. Cato supports two types of SIEM integrations: turnkey integrations configured from the Integrations page in the Cato Management Application (CMA), or an integration managed by a third-party vendor.
To export XOps stories to your SIEM, you need to:
- Create a Response Policy rule that generates events for stories
- Create an event integration
The Response Policy helps you monitor XOps stories by defining when notification actions or events are generated for the stories. For more information, see Creating the Response Policy for XOps Stories.
The event type for XOps stories is Detection and Response.
To create a Response Policy rule:
1. From the navigation menu, click Home > Detection & Response Policy.
2. Select the Response Policy tab.
3. Click New. The Add to Response Policy panel opens.
4. Enter a Name for the rule.
5. Select the Source of the stories whose events you want to export to your SIEM.
6. (Optional) Define Criteria that specify the characteristics a story must have to match the rule.
7. Select the Trigger for the rule: when a story is created, when it is updated, or both. Note that triggering on updates generates a separate event each time a matching story changes, so your SIEM receives several events for the same story and should correlate them by story rather than treating each as a new alert.
8. In the Response section, select Event.
9. Click Save. The rule is added to the policy.
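Because a rule that triggers on both "created" and "updated" emits one event per change, the SIEM side usually needs to fold those events back into a single record per story before alerting. The following Python script is an added example and is not Cato's code or part of the original article: it reads a constructed sample of JSON-lines events, keeps only the Detection and Response event type the article names, merges created/updated events into per-story state (latest state wins), and flags severity escalations. The field names used (event_type, event_sub_type, story_id, severity, status, time) are assumptions for illustration, not a documented Cato schema; map them to the fields your integration actually delivers.

```python
"""Merge Cato XOps story events into per-story state on the SIEM side.

Added example, not Cato's code. Field names below are assumptions, not a
documented Cato event schema; the sample events are constructed.
"""
import json
from typing import Dict, List

# Event type the article gives for XOps stories.
STORY_EVENT_TYPE = "Detection and Response"

# Ordering used to detect severity escalation between updates (assumed labels).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample feed: a rule triggering on created *and* updated produces
# several events for story s-1001, plus one unrelated non-story event.
SAMPLE_EVENT_LINES = """
{"time": "2024-05-01T10:00:00Z", "event_type": "Detection and Response", "event_sub_type": "Story Created", "story_id": "s-1001", "severity": "Medium", "status": "Open"}
{"time": "2024-05-01T10:05:00Z", "event_type": "Security", "event_sub_type": "IPS", "severity": "High"}
{"time": "2024-05-01T10:30:00Z", "event_type": "Detection and Response", "event_sub_type": "Story Updated", "story_id": "s-1001", "severity": "High", "status": "Open"}
{"time": "2024-05-01T11:00:00Z", "event_type": "Detection and Response", "event_sub_type": "Story Created", "story_id": "s-1002", "severity": "Low", "status": "Open"}
{"time": "2024-05-01T11:30:00Z", "event_type": "Detection and Response", "event_sub_type": "Story Updated", "story_id": "s-1002", "severity": "Critical", "status": "Open"}
{"time": "2024-05-01T12:00:00Z", "event_type": "Detection and Response", "event_sub_type": "Story Updated", "story_id": "s-1001", "severity": "High", "status": "Closed"}
"""


def parse_event_lines(text: str) -> List[dict]:
    """Parse JSON-lines input, skipping blank or malformed lines instead of failing."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a malformed line must not stop the whole batch
    return events


def is_story_event(ev: dict) -> bool:
    """Keep only XOps story events that carry an identifier we can correlate on."""
    return ev.get("event_type") == STORY_EVENT_TYPE and bool(ev.get("story_id"))


def merge_story_events(events: List[dict]) -> Dict[str, dict]:
    """Fold created/updated events into one record per story.

    Events are applied in time order so the latest severity/status wins; the
    record also counts updates and remembers whether severity ever escalated.
    """
    stories: Dict[str, dict] = {}
    for ev in sorted(filter(is_story_event, events), key=lambda e: e.get("time", "")):
        sid = ev["story_id"]
        rec = stories.get(sid)
        if rec is None:
            rec = stories[sid] = {
                "story_id": sid,
                "first_seen": ev.get("time"),
                "last_seen": ev.get("time"),
                "severity": ev.get("severity", "Low"),
                "status": ev.get("status", "Open"),
                "updates": 0,
                "escalated": False,
            }
            continue
        new_sev = ev.get("severity", rec["severity"])
        if SEVERITY_RANK.get(new_sev, 0) > SEVERITY_RANK.get(rec["severity"], 0):
            rec["escalated"] = True
        rec.update(last_seen=ev.get("time"), severity=new_sev,
                   status=ev.get("status", rec["status"]))
        rec["updates"] += 1
    return stories


def open_high_stories(stories: Dict[str, dict], min_severity: str = "High") -> List[str]:
    """Story IDs still open at or above min_severity: the set worth one alert each."""
    threshold = SEVERITY_RANK[min_severity]
    return sorted(sid for sid, rec in stories.items()
                  if rec["status"] == "Open"
                  and SEVERITY_RANK.get(rec["severity"], 0) >= threshold)


if __name__ == "__main__":
    merged = merge_story_events(parse_event_lines(SAMPLE_EVENT_LINES))
    for rec in merged.values():
        print(rec)
    print("alert on:", open_high_stories(merged))
```

Running the script on the constructed sample yields two story records instead of five raw events: s-1001 ends Closed at High with two updates and an escalation flag, s-1002 ends Open at Critical, and only s-1002 is returned for alerting.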
You can also integrate events for XOps stories with your existing third-party services and workflows.
- For a list of vendor-supported integrations for Cato events, see Cato Data: Third-Party Supported Integrations.
- For a turnkey integration with your SIEM, see the relevant configuration articles. The supported SIEMs are: