Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Cato Networks Security events | ✅ | ✅ | ✅ | | cato_networks_security_events | NDJSON | API/S3
Cato Networks Connectivity events | ✅ | | | | cato_networks_connectivity_events | NDJSON | API/S3
Cato Networks Sockets Management events | | | | | cato_networks_sockets_management_events | NDJSON | API/S3
Cato Networks Routing events | ✅ | | | | cato_networks_routing_events | NDJSON | API/S3
Overview
Cato Networks is a network, cloud and endpoint management and security platform, categorized as a Secure Access Service Edge (SASE) platform. Integrating your Cato Networks logs with the Hunters ecosystem lets Hunters collect your data and store it in a parsed format, surface Cato's own alerts in the Hunters Portal, investigate threat scenarios over the data, and deliver related Hunters detections for your tenant.
See Cato Networks' own documentation for more information about its appliances and security services.
Supported data types
Cato Networks Security
Table name: cato_networks_security_events
Detailed records generated by the Cato Networks platform, documenting security events and traffic across the network. These logs are used for monitoring, analysis, and forensic investigation, providing insights into security incidents, threat detections, policy violations, and network activities to help ensure the security and integrity of an organization's network infrastructure.
Cato Networks Connectivity
Table name: cato_networks_connectivity_events
Records that detail the performance and status of network connections within the Cato Networks environment. These logs provide insights into network efficiency, connection issues, and the overall health of the network infrastructure, aiding in troubleshooting and ensuring optimal connectivity.
Cato Networks Sockets Management
Table name: cato_networks_sockets_management_events
Detailed records related to the management, performance, and status of Cato Sockets, the devices or software agents that connect an organization's network resources (such as branch offices, cloud resources, and mobile users) to the Cato Cloud.
Cato Networks Routing
Table name: cato_networks_routing_events
Logs containing information about the routing decisions, changes, and activities within the Cato Networks environment. These logs provide insights into how data is being directed across the network, highlighting paths taken, policy applications, and any routing anomalies or adjustments to optimize network performance and connectivity.
Send data to Hunters
Hunters supports the collection of logs from Cato Networks using two methods:
GraphQL API
AWS S3
💡Tip
In large environments, we recommend shipping logs through an AWS S3 bucket instead of pulling them over the GraphQL API.
GraphQL API collection
This method connects your Cato Networks environment directly to Hunters through the Cato GraphQL API.
To connect Cato Networks logs with the API:
Gather the following information from Cato Networks:
Your Cato Customer ID (a 4-digit account ID)
An API key (a string that looks like an MD5 hash). Treat the key as a credential: it grants access to your Cato event data, so generate a dedicated key for Hunters with the least privilege the Cato Management Application allows, store it only in the Hunters integration, and rotate it if it is ever exposed.
Complete the connection on the Hunters platform.
AWS S3 collection
If your Cato Networks logs are already shipped to an AWS S3 bucket, or if your environment is large, you can use an S3 bucket as intermediary storage and connect that bucket to Hunters.
To connect Cato Networks logs with AWS S3:
In the Cato Management Application, navigate to Administration > Event Integrations.
Enable the integration with Cato events.
Create a new integration, providing the S3 bucket name, the folder path (if applicable), the region, and the ARN of the IAM role Cato will assume to write to the bucket. Scope that role to write access on the target bucket and prefix only, and give Hunters a separate read-only path to the same prefix, so neither party holds more access than it needs.
Once the export is configured and logs are arriving in S3, connect the bucket to Hunters as an S3 data source on the Hunters platform.
Expected format
The expected log format is the raw message format as exported by Cato. The inner time field (fieldsMap.time) is an epoch timestamp in milliseconds, in UTC. Each event is a nested JSON object delivered one per line (NDJSON), as in the examples below:
Cato Networks Security Events sample
{"time": "2022-02-21T16:38:52Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461532599"}}
{"time": "2022-02-22T15:28:32Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461432196"}}
Cato Networks Connectivity Events sample
{"time": "2022-02-21T16:13:01Z", "fieldsMap": {"account_id": "3141", "action": "Alert", "event_count": "1", "event_sub_type": "Last-Mile Quality", "event_type": "Connectivity", "internalId": "611111IXPo", "link_health_is_congested": "false", "link_health_jitter": "0", "link_health_latency": "3", "link_health_pkt_loss": "27", "qos_reported_time": "164159981957", "rule": "4334", "rule_id": "4334", "socket_interface": "WAN1", "src_is_site_or_vpn": "Site", "src_site": "SDEK (L-PRA)", "time": "161459981957", "traffic_direction": "DOWNSTREAM"}}
Cato Networks Sockets Management sample
{"time": "2021-02-21T11:48:31Z", "fieldsMap": {"account_id": "3141", "action": "Succeeded", "event_message": "User successfully opened Socket WebUI from Cato Management Application", "event_sub_type": "Socket WebUI Access", "event_type": "Sockets Management", "internalId": "YHuBDyphxU", "socket_role": "primary", "src_is_site_or_vpn": "Site", "src_site": "BHE1", "time": "1645994111336", "user_name": "User User"}}
Cato Networks Routing Events sample
{"time": "2022-02-21T10:03:33Z", "fieldsMap": {"account_id": "3141", "action": "Added", "bgp_cato_asn": "64115", "bgp_cato_ip": "1.1.1.127", "bgp_peer_asn": "61112", "bgp_peer_ip": "10.10.10.10", "bgp_route_cidr": "10.10.10.10/18", "event_count": "1", "event_message": "Dynamic", "event_sub_type": "BGP Routing", "event_type": "Routing", "internalId": "nUN2l16sRG", "pop_name": "Rallas", "src_is_site_or_vpn": "Site", "src_site": "NA1 (B-PRA)", "time": "1785437813404"}}
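As an added example (not code from Hunters or Cato), the following Python parses a few constructed NDJSON lines in the format above, normalizes fieldsMap.time into a timezone-aware UTC datetime, rejects records whose millisecond timestamp is not 13 digits or disagrees with the envelope time by more than a tolerance, and runs a small detection over the surviving Security events. The sample lines are adapted from the samples on this page; the Block event, the malformed fourth line, the watched-port list and the 5-minute tolerance are assumptions made for the demonstration. Two of the page's own samples would trip the skew check as written: the Sockets Management sample's envelope says 2021-02-21 while its fieldsMap.time resolves to 2022-02-27, and the Routing sample's fieldsMap.time resolves to a date in 2026. For redacted documentation samples that is harmless; in production such a gap usually means a truncated or padded timestamp, and quarantining the record is safer than ingesting it at the wrong point in the timeline.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample NDJSON, adapted from the samples on this page (not real telemetry).
# Line 2 carries the 12-digit fieldsMap.time from the connectivity sample, line 3 is a
# hypothetical Block event, and line 4 is deliberately malformed, to exercise validation.
SAMPLE_NDJSON = """\
{"time": "2022-02-21T16:38:52Z", "fieldsMap": {"account_id": "XXXX", "action": "Monitor", "dest_ip": "10.0.0.1", "dest_port": "53", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "rule_id": "55555", "src_ip": "10.0.0.1", "time": "1645461532599"}}
{"time": "2022-02-21T16:13:01Z", "fieldsMap": {"account_id": "3141", "action": "Alert", "event_sub_type": "Last-Mile Quality", "event_type": "Connectivity", "internalId": "611111IXPo", "link_health_pkt_loss": "27", "time": "161459981957"}}
{"time": "2022-02-21T16:40:00Z", "fieldsMap": {"account_id": "XXXX", "action": "Block", "dest_ip": "203.0.113.5", "dest_port": "445", "event_sub_type": "Internet Firewall", "event_type": "Security", "internalId": "AbCdEf0123", "ip_protocol": "TCP", "rule_id": "777", "src_ip": "10.0.0.7", "time": "1645461600000"}}
this line is not JSON
"""

# Maximum tolerated gap between the outer record time and fieldsMap.time (assumed value).
MAX_SKEW = timedelta(minutes=5)


def parse_event(line: str) -> dict:
    """Parse one NDJSON record into a flat dict with timezone-aware UTC times.

    Raises ValueError when the record does not match the expected shape, so a
    collector can quarantine the line instead of silently ingesting a bad time.
    """
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc.msg}") from None
    if not isinstance(rec, dict) or "time" not in rec or "fieldsMap" not in rec:
        raise ValueError("missing top-level 'time' or 'fieldsMap'")
    fields = rec["fieldsMap"]
    if not isinstance(fields, dict):
        raise ValueError("'fieldsMap' is not an object")

    # Outer time: ISO 8601 with a trailing Z, always UTC.
    outer = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

    # Inner time: epoch milliseconds as a string. Anything other than 13 digits is a
    # dropped or extra digit, which would place the event years away from reality.
    raw = str(fields.get("time", ""))
    if not (raw.isdigit() and len(raw) == 13):
        raise ValueError(f"fieldsMap.time {raw!r} is not a 13-digit epoch-millisecond value")
    ms = int(raw)
    inner = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)

    if abs(inner - outer) > MAX_SKEW:
        raise ValueError(
            f"fieldsMap.time {inner.isoformat()} disagrees with record time {outer.isoformat()}"
        )

    event = dict(fields)
    event["event_time"] = inner    # precise event time, used for ordering and correlation
    event["record_time"] = outer   # coarse envelope time, kept for auditing
    return event


def load_ndjson(text: str) -> tuple[list[dict], list[tuple[int, str]]]:
    """Parse every non-empty line; return (events, [(line_number, reason), ...])."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            events.append(parse_event(line))
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return events, errors


# Destination ports whose blocked traffic is worth a second look (hypothetical watchlist).
WATCHED_PORTS = {"445", "3389", "22"}


def blocked_to_watched_ports(events: list[dict]) -> list[dict]:
    """Return Security events the firewall blocked towards a watched destination port."""
    return [
        ev for ev in events
        if ev.get("event_type") == "Security"
        and ev.get("action") == "Block"
        and ev.get("dest_port") in WATCHED_PORTS
    ]


if __name__ == "__main__":
    evs, errs = load_ndjson(SAMPLE_NDJSON)
    for ev in evs:
        print(ev["event_time"].isoformat(), ev["event_type"], ev["event_sub_type"], ev["action"])
    for lineno, reason in errs:
        print(f"line {lineno} rejected: {reason}")
    for ev in blocked_to_watched_ports(evs):
        print("blocked:", ev["src_ip"], "->", ev["dest_ip"], ev["dest_port"], "rule", ev["rule_id"])
```

The millisecond value is split into whole seconds and a remainder before building the datetime so the conversion is exact rather than going through a float; the envelope time is retained alongside the event time because the two disagreeing is itself a useful signal during incident review.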