Configuring the Cato Technology Add-on for Splunk Integration

Overview

Cato lets you stream events and flows directly to Splunk and normalize the data to the Splunk Common Information Model (CIM) with the Cato Technology Add-on (TA), so you can immediately use standard Splunk searches, dashboards, and detection content without building custom parsing. The Cato TA is a Splunk application that maps Cato telemetry to CIM-compliant fields for use with Splunk analytics, dashboards, and detections.

With CIM-normalized data, your telemetry is immediately usable across the Splunk ecosystem, including Splunk Enterprise Security (ES). You can use out-of-the-box dashboards, correlation searches, and detection content without additional customization, reduce operational overhead, and accelerate investigation workflows for network, security, and user activity.

Prerequisites

Required:

  • Splunk Common Information Model (CIM) Add-on

Optional:

  • Splunk Enterprise Security (ES)

Understanding the Cato Splunk Integration

The Cato Splunk integration with the TA supports the following data sources:

  • Events - Events generated by the Cato platform, including Internet and WAN Firewall, Threat Prevention, authentication, system, and connectivity changes
  • Flows - Enriched network flow telemetry with application context and aggregated metrics

You can ingest the data in one of these formats:

  • Native Cato schema
  • Splunk Common Information Model (CIM) using the Cato TA

The CIM-based option lets you quickly use Splunk-native analytics and security content.

For more information, see Cato Event to Splunk CIM Field Mapping (EA).

Benefits of Using CIM and Splunk Enterprise Security

Using CIM-normalized data with the Cato Technology Add-on provides these benefits:

  • Use standardized Splunk data models for consistent analysis across environments
  • Run out-of-the-box correlation searches and detections in Splunk ES
  • Enable prebuilt dashboards for network, security, and user activity
  • Reduce the need for custom field extraction and normalization
  • Accelerate SOC onboarding and investigation workflows

When you use Splunk Enterprise Security (ES):

  • CIM-mapped data automatically populates ES data models
  • Prebuilt correlation searches generate notable events
  • Security dashboards provide immediate visibility into threats and activity
  • Content packs such as ESCU work without additional customization

About the Cato TA

The Cato Technology Add-on (TA) normalizes Cato telemetry into CIM-compliant fields. App details:

  • App Name: Cato Networks CIM Add-on for Splunk
  • App ID: TA-catonetworks-cim
  • Author: Cato Networks

Supported CIM Data Models

The Cato Technology Add-on maps telemetry to these Splunk CIM data models:

  • Network Traffic
  • Intrusion Detection
  • Network Resolution (DNS)
  • Web
  • Authentication
  • Malware
  • Change (Account Management)

Deploy the Cato TA

Configure the integration and deploy the Technology Add-on to normalize the data.

To configure the integration with the Cato Technology Add-on:

  1. From the navigation menu, select Resources > Integrations.
  2. Configure the Splunk integration to stream data to your Splunk environment.
  3. Select the data sources:

    • Events
    • Flows
  4. In your Splunk environment, search for Cato Networks CIM Add-on for Splunk and install it.
  5. (Optional) Enable Splunk Enterprise Security for advanced analytics and detections.
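After the TA is installed and data is arriving, confirm that the normalized fields actually populate the CIM data models before relying on ES content. The following SPL search is an added example written for this article, not a search shipped with the Cato TA; the index name `cato` and the sourcetype `cato:flows` are assumptions, so substitute whatever your Splunk integration actually writes to. It counts Network Traffic data-model events broken down by the CIM `action` and `transport` fields, so a missing or all-null column points at an ingestion or field-mapping problem:

```spl
| tstats count from datamodel=Network_Traffic where nodename=All_Traffic index=cato sourcetype="cato:flows"
    by sourcetype, All_Traffic.action, All_Traffic.transport
| rename All_Traffic.* as *
| sort - count
```

If this search returns no rows while `index=cato sourcetype="cato:flows"` does return raw events, the data is being indexed but is not recognised by the data model: check that the TA is installed on the search head and that the sourcetype matches the one the TA expects. Repeat the same check against the other models listed above (for example `datamodel=Intrusion_Detection` with `nodename=IDS_Attacks`) for the Events data source.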

Recommended Configuration

For the best visibility in Splunk, we recommend that you enable both Events and Flows for the integration. This provides broader telemetry coverage and lets you correlate discrete security events with the related traffic context. You can enable only one data source if required, and event filtering is supported. However, full visibility and correlation require both events and flows.

Correlating Events and Flows

Events and Flows share the Flow ID field, which lets you correlate security events with the related network traffic. This helps you investigate incidents with additional traffic context and improves analysis across network, security, and user activity.
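The search below shows one way to perform that correlation in SPL. It is an added example for this article, not part of the Cato TA. The index `cato`, the sourcetypes `cato:events` and `cato:flows`, and the field name `flow_id` for the shared Flow ID are assumptions; the other fields (`signature`, `action`, `src`, `dest`, `dest_port`, `app`, `bytes_in`, `bytes_out`) are standard CIM field names. It pulls both data sources in a single search, tags each record as an event or a flow, and aggregates by Flow ID so that a detection from the Events feed appears alongside the byte counts and endpoints of the traffic it fired on:

```spl
(index=cato sourcetype="cato:events" flow_id=*) OR (index=cato sourcetype="cato:flows" flow_id=*)
| eval record_type=if(sourcetype="cato:events", "event", "flow")
| stats
    values(eval(if(record_type="event", signature, null()))) as signature
    values(eval(if(record_type="event", action, null())))    as event_action
    sum(eval(if(record_type="flow", bytes_in, 0)))           as bytes_in
    sum(eval(if(record_type="flow", bytes_out, 0)))          as bytes_out
    values(src)       as src
    values(dest)      as dest
    values(dest_port) as dest_port
    values(app)       as app
    dc(record_type)   as record_types
    by flow_id
| where record_types=2
| sort - bytes_out
```

Aggregating with `stats ... by flow_id` rather than `join` avoids the subsearch result limits that silently truncate `join` on busy environments, and the `record_types=2` filter keeps only Flow IDs that appear in both feeds. Drop that filter to see events whose flow record has not arrived yet (or was filtered out), which is itself a useful check that both data sources are enabled.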
