Monitoring Suspicious Activity with IPS (SAM)

This article explains how to use the Suspicious Activity Monitoring (SAM) feature with the IPS service to increase awareness of potential threats on your network.

Overview of the SAM Service

Cato's SAM feature expands the IPS service to provide visibility for suspicious activities on your network that aren't monitored by standard IPS signatures. This type of traffic might represent phases of an attack vector, but isn't necessarily an immediate compromise or breach. This broader view of potential threats can help you identify all phases of an attack, and be better prepared for detection and defense against future similar attack vectors.

You can view and analyze suspicious activity data in the Threats Dashboard and MITRE ATT&CK® Dashboard, and review SAM events in the Events screen.

What is SAM?

The Cato Security Research team creates specific signatures for unusual behavior patterns that look suspicious, such as a user running a network-wide port scan, or an access attempt on non-standard ports. The SAM service detects traffic that matches these signatures, and generates events and data that SOC teams can analyze to track and investigate threats. SAM events are labeled with the Suspicious Activity Sub-Type, to differentiate between malicious IPS events and possibly legitimate unusual traffic.

SAM monitors all WAN, inbound, and outbound traffic for your account. IPS Protection Scope settings do not affect SAM.

These are examples of scenarios that generate SAM events:

  • Outbound HTTP traffic exfiltrating system information

  • HTTP requests to low popularity destinations using non-standard HTTP ports

  • A programmatic HTTP client downloading a binary or executable file

  • Inbound traffic from known IoT devices that are potentially part of an IoT botnet


  • SAM is included in the IPS license. For more about purchasing the IPS license, please contact your Cato representative.

  • The IPS policy must be enabled before you can enable SAM.


Note: We recommend that you enable TLS inspection so that the IPS service and SAM enhancement provide the maximum protection for your network.
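
To make two of the scenarios listed above concrete, the following added example (not Cato code and not Cato's signature logic) labels constructed HTTP flow records for a low-popularity destination on a non-standard port and for a programmatic client downloading an executable. The record fields, port set, popularity cutoff, user-agent prefixes and media types are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Thresholds and field names are illustrative assumptions, not Cato's signatures or schema.
STANDARD_HTTP_PORTS = {80, 443}
LOW_POPULARITY_RANK = 1_000_000          # hypothetical domain-rank cutoff
PROGRAMMATIC_AGENTS = ("curl/", "wget/", "python-requests/", "go-http-client/")
EXECUTABLE_TYPES = {"application/x-dosexec", "application/x-msdownload", "application/x-executable"}

@dataclass
class HttpFlow:
    src_host: str
    dest_host: str
    dest_port: int
    user_agent: str
    content_type: str
    popularity_rank: Optional[int]       # None: destination has no rank

def classify(flow: HttpFlow) -> list:
    """Return the suspicious-activity labels that apply to one HTTP flow."""
    labels = []
    unpopular = flow.popularity_rank is None or flow.popularity_rank > LOW_POPULARITY_RANK
    if unpopular and flow.dest_port not in STANDARD_HTTP_PORTS:
        labels.append("low-popularity destination on non-standard port")
    agent = flow.user_agent.strip().lower()
    media_type = flow.content_type.split(";")[0].strip().lower()
    if agent.startswith(PROGRAMMATIC_AGENTS) and media_type in EXECUTABLE_TYPES:
        labels.append("programmatic client downloading executable")
    return labels

def review(flows) -> dict:
    """Map each source host to its sorted labels; hosts with no labels are omitted."""
    hits = {}
    for flow in flows:
        for label in classify(flow):
            hits.setdefault(flow.src_host, set()).add(label)
    return {host: sorted(labels) for host, labels in hits.items()}

# Constructed sample flows (private addresses and reserved example domains).
SAMPLE_FLOWS = [
    HttpFlow("10.0.0.5", "www.example.com", 443, "Mozilla/5.0", "text/html", 500),
    HttpFlow("10.0.0.7", "files.example.net", 8081, "curl/8.4.0", "application/x-dosexec", None),
    HttpFlow("10.0.0.9", "cdn.example.org", 443, "python-requests/2.31",
             "Application/X-MSDownload; charset=binary", 1200),
    HttpFlow("10.0.0.9", "api.example.org", 8443, "Mozilla/5.0", "application/json", 900),
]

if __name__ == "__main__":
    print(review(SAMPLE_FLOWS))
```

For HTTPS traffic, the user agent and content type are visible to an inspection point only when TLS inspection is in place, which is why the note above matters for heuristics of this kind.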

Working with SAM

This section explains how to configure the SAM service.


Enabling and Disabling SAM

By default, SAM is enabled for your account. The Suspicious Activity tab on the IPS screen lets you change this setting.

To enable or disable SAM for your account:

  1. From the navigation menu, click Security > IPS.

  2. Select the Suspicious Activity tab.

  3. Click to enable or disable Suspicious Activity Monitoring for the account.

  4. Click Save.

Viewing SAM Data in the Threats Dashboard

The Threats Dashboard screen lets you analyze suspicious activities in your network. You can set the widgets in the IPS section to show suspicious activity, and then filter the dashboard to show the data for specific SAM threat types, and relevant hosts and users. You can also view SAM events on the Events screen, pre-filtered for threat type, host, and user.

For more about how to filter the dashboard and view events from the Threats Dashboard widgets, see Using the Threats Dashboard.

To view Suspicious Activity Data in the Threats Dashboard:

  1. From the navigation menu, select Monitoring > Threats Dashboard.

  2. Under the IPS section, in the Event Type drop-down menu, select Suspicious Activity.

    The widgets now show SAM data.

Analyzing SAM Data in the MITRE ATT&CK® Dashboard

The MITRE ATT&CK® Dashboard helps you analyze suspicious activities using the MITRE ATT&CK® framework of tactics and techniques. You can set the dashboard to show data for IPS Monitor events including SAM events. For more about using the MITRE ATT&CK® Dashboard, see Working with the MITRE ATT&CK® Dashboard.

Allowlisting Suspicious Activity Traffic

If you want to stop logging events for specific traffic, you can allowlist that traffic in the IPS Allow List screen. To allowlist suspicious activity traffic, create an IPS Allow List rule using the Signature ID of the traffic you want to stop monitoring. For more information, see Allowlisting IPS Signatures.

You can also allowlist suspicious traffic by clicking the Signature ID of an event on the Events screen. For more information, see Allowlisting IPS Signatures.

Reviewing SAM Events

You can review Security events in Monitoring > Events and find the unusual behaviors and potential threats detected by SAM. These events are labeled with the Sub-Type Suspicious Activity, which lets you distinguish them from the higher-risk events generated with the IPS Sub-Type.

You can select the Suspicious Activity preset filter from the Select Presets drop-down menu to show the relevant events.

The Suspicious Activity Sub-Type is limited to 2,000,000 events per hour. See Cato Cloud Thresholds and Limits.

This is an example of an event detected by SAM:

