Use the CrowdStrike Falcon Next-Gen SIEM integration to include Cato event data in your existing monitoring, correlation, and investigation workflows. The native integration sends events directly from Cato to Falcon, enriched with context about network activity, threats, users, devices, and other aspects of traffic traversing the Cato platform. This gives SOC analysts the full network context they need to investigate and hunt threats without leaving Falcon.
Sample Company uses Falcon for centralized security monitoring and response. As a Cato customer, they can enrich their Falcon data with Cato event information such as network activity, threats, user data, devices, and all other aspects of traffic traversing the Cato platform. The integration can send this data directly to Falcon, where they can easily integrate it into existing workflows for the SOC and NOC teams.
- CrowdStrike Falcon Next-Gen SIEM or Falcon Next-Gen SIEM 10 GB subscription.
- For vendor-specific fields and the optional Falcon parser, the Beta feature must be enabled in Falcon. For more information and to enable these features, contact your CrowdStrike representative.
- To add a connector, you must have editor permission for Integrations (in the Resources section). For more information, see Managing Admin Roles Using RBAC.
- Review the prerequisites for all Cato event integrations in Getting Started with Event Integrations.
To configure the Falcon integration:
- Configure the integration within the SaaS application
- Create the API connector in the Cato Management Application (CMA)
Filters
Use filters to control which Cato events are exported to Falcon. This helps reduce ingestion costs, minimize noise, and focus investigations on the events that are most relevant to specific sites, users, or regions. You can also use filters to route different subsets of events to different SIEM environments.
Use filter groups to define filters based on any Event Field or combination of fields. Conditions within each group are combined with AND logic; OR logic is applied between groups. The example filters in the screenshot configure the integration to export:
- Events that originate from Paris or Madrid, are of sub-type Internet Firewall, and resulted in actions other than Monitor or Prompt
- Events whose username contains Test
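The following added example (not Cato's or CrowdStrike's code) evaluates filter groups the way described above: conditions inside a group are ANDed, and groups are ORed. The event field names (src_site, event_sub_type, action, src_user), the sample events, and the "no filter groups means export everything" rule are assumptions; the two groups mirror the example configuration.

```python
# Added example, not Cato's or CrowdStrike's code. Field names and the
# "no filters means export everything" rule are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    field: str
    op: str          # "is", "is_not" or "contains"
    values: tuple    # candidate values; any one satisfies "is"/"contains"

def condition_matches(cond: Condition, event: dict) -> bool:
    value = event.get(cond.field)
    if value is None:            # a missing field never satisfies a condition
        return False
    if cond.op == "is":
        return value in cond.values
    if cond.op == "is_not":
        return value not in cond.values
    if cond.op == "contains":
        return any(v in value for v in cond.values)
    raise ValueError(f"unknown operator: {cond.op!r}")

def group_matches(group: list, event: dict) -> bool:
    return all(condition_matches(c, event) for c in group)      # AND within a group

def should_export(filter_groups: list, event: dict) -> bool:
    if not filter_groups:        # assumption: no filters means export everything
        return True
    return any(group_matches(g, event) for g in filter_groups)  # OR between groups

# The two filter groups from the article's example configuration.
FILTER_GROUPS = [
    [Condition("src_site", "is", ("Paris", "Madrid")),
     Condition("event_sub_type", "is", ("Internet Firewall",)),
     Condition("action", "is_not", ("Monitor", "Prompt"))],
    [Condition("src_user", "contains", ("Test",))],
]
# Constructed sample events, not real Cato output.
SAMPLE_EVENTS = [
    {"id": "evt-1", "src_site": "Paris", "event_sub_type": "Internet Firewall", "action": "Block", "src_user": "alice"},
    {"id": "evt-2", "src_site": "Paris", "event_sub_type": "Internet Firewall", "action": "Monitor", "src_user": "bob"},
    {"id": "evt-3", "src_site": "London", "event_sub_type": "Internet Firewall", "action": "Block", "src_user": "Test User"},
    {"id": "evt-4", "src_site": "London", "event_sub_type": "Internet Firewall", "action": "Block", "src_user": "carol"},
    {"id": "evt-5", "src_site": "Madrid", "event_sub_type": "Anti Malware", "action": "Block", "src_user": "dave"},
]

def select_exported(events: list, filter_groups: list = FILTER_GROUPS) -> list:
    """Return the ids of the events that would be sent to Falcon."""
    return [e["id"] for e in events if should_export(filter_groups, e)]
```

Only evt-1 (matches the first group) and evt-3 (matches the second group) are exported; evt-2 fails on the Monitor action, evt-4 on the site, and evt-5 on the sub-type.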
In the Falcon console, create a data connection.
To configure the Falcon integration:
- From the Falcon console, select Data connectors > Data connections.
- Click Add connection.
- In the Product filter, select HEC. In the Connector type filter, select Push.
- Click the HEC/HTTP Event Connector, and then click Configure.
- Enter a name for the connection and configure the following details (only supported if the Beta feature is enabled in Falcon; see the Prerequisites above):
  - Vendor: CatoNetworks
  - VendorProduct: CatoNetworksSASECloud
  - (Optional) Parsers: cato-sase
- Accept the terms and conditions and click Create connection.
- After the connection is created, click the three dots and select Generate API key, and then select Regenerate API key.
- Copy and save the API key and API URL. You enter them later in the CMA.
After you configure the connection in Falcon, add the connection details in the CMA.
To create the API connector in the CMA:
- From the navigation menu, select Resources > Integrations.
- Click the Configured Integrations tab.
- Click New. The New Integration panel opens.
- Select CrowdStrike Falcon NG-SIEM.
- Enter the API key and API URL that you copied from Falcon.
- Optional: Add filters to control which Cato events are sent to Falcon.
- Click Save.
The integration appears in the Configured Integrations table with a Connected status.