This article explains how to use the Suspicious Activity Monitoring (SAM) feature with the IPS service to increase awareness of potential threats on your network.
Cato's SAM feature expands the IPS service to provide visibility for suspicious activities on your network that aren't monitored by standard IPS signatures. This type of traffic might represent phases of an attack vector, but isn't necessarily an immediate compromise or breach. This broader view of potential threats can help you identify all phases of an attack, and be better prepared for detection and defense against future similar attack vectors.
The Cato Security Research team creates specific signatures for unusual behavior patterns that look suspicious, such as a user running a network-wide port scan, or an access attempt on non-standard ports. The SAM service detects traffic that matches these signatures, and generates events and data that SOC teams can analyze to track and investigate threats. SAM events are labeled with the Suspicious Activity Sub-Type, to differentiate between malicious IPS events and possibly legitimate unusual traffic.
SAM monitors all WAN, inbound, and outbound traffic for your account. IPS Protection Scope settings do not affect SAM.
These are examples of scenarios that generate SAM events:
Outbound HTTP traffic exfiltrating system information
HTTP requests to low popularity destinations using non-standard HTTP ports
A programmatic HTTP client downloading a binary or executable file
Inbound traffic from known IoT devices that are potentially part of an IoT botnet
SAM is included in the IPS license. For more about purchasing the IPS license, please contact your Cato representative.
The IPS policy must be enabled before you can enable SAM.
Note: We recommend that you enable TLS inspection so that the IPS service and SAM enhancement provide the maximum protection for your network.
This section explains how to configure the SAM service.
By default, SAM is enabled for your account. The Suspicious Activity tab on the IPS screen lets you change this setting.
The Threats Dashboard screen lets you analyze suspicious activities in your network. You can set the widgets in the IPS section to show suspicious activity, and then filter the dashboard to show the data for specific SAM threat types, and relevant hosts and users. You can also view SAM events on the Events screen, pre-filtered for threat type, host, and user.
For more about how to filter the dashboard and view events from the Threats Dashboard widgets, see Using the Threats Dashboard.
The MITRE ATT&CK® Dashboard helps you analyze suspicious activities using the MITRE ATT&CK® framework of tactics and techniques. You can set the dashboard to show data for IPS Monitor events including SAM events. For more about using the MITRE ATT&CK® Dashboard, see Working with the MITRE ATT&CK® Dashboard.
If you want to stop logging events for specific traffic, you can allowlist that traffic in the IPS Allow List screen. To allowlist suspicious activity traffic, create an IPS Allow List rule using the Signature ID of the traffic you want to stop monitoring. For more information, see Allowlisting IPS Signatures.
You can also allowlist suspicious traffic by clicking the Signature ID of an event on the Events screen. For more information, see Allowlisting IPS Signatures.
You can review Security events in Monitoring > Events to find the unusual behaviors and potential threats detected by SAM. These events are labeled with the Sub-Type Suspicious Activity, which lets you distinguish them from the higher-risk events generated with the IPS Sub-Type.
You can select the Suspicious Activity preset filter from the Select Presets drop-down menu to show the relevant events.
The Suspicious Activity Sub-Type is limited to 2,000,000 events per hour. See Cato Cloud Thresholds and Limits.
This is an example of an event detected by SAM: