Overview

Cato Networks is a network, cloud and endpoint management and security platform, categorized as a Secure Access Service Edge (SASE) platform. Integrating your Cato Networks logs into the Hunters ecosystem allows us to collect your data and store it in a parsed format, view Cato's alerts in the Hunters Portal, investigate threat scenarios over them, and deliver related Hunters detections for your tenant.

See here for more information about Cato Networks' appliances and security services.

Supported Data Types

  • Cato Networks Security - Security events acquired from multiple sources, including Cato firewall, anti-malware and IPS events and alerts.

  • Cato Networks Connectivity - Inner network management logs of your connections to Cato.

  • Cato Networks Sockets Management - Logs of the Cato Socket appliances.

  • Cato Networks Routing - Logs of the Cato PoP routing stack.

  • Cato Networks System - System logs of the Cato Client.

Hunters Integration

To integrate your Cato Networks logs into Hunters, supply Hunters with your Cato Customer ID (a 4-digit ID) and API Key (an MD5-like string). The logs are collected by our API collection systems.

Expected format for the Cato Customer ID and API Key
{
  "customer_id": "1234",
  "api_key": "0123456789ABCDEF0123456789ABCDEF"
}

The expected log format is the raw message format as exported by Cato. The inner time field (fieldsMap.time) is expected to be an epoch timestamp in milliseconds, in the UTC timezone. The events are nested NDJSON (one JSON object per line, with the event fields nested under fieldsMap), as shown in the example below:

Cato Networks Security events sample
{"time": "2022-02-21T16:38:52Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461532599"}}
{"time": "2022-02-22T15:28:32Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461432196"}}
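The following Python is an added example and is not Hunters' or Cato's own code. It parses the two sample records above as NDJSON, checks that fieldsMap.time is an epoch timestamp in milliseconds (rejecting a seconds-resolution value, which is a common mistake), converts it to a UTC datetime, and reports the skew between the outer export timestamp and the inner event timestamp, which is useful for spotting export delay or clock problems during onboarding. It also validates an onboarding payload against the shapes described in the Hunters Integration section; the regular expressions (4-digit ID, 32 hexadecimal characters for an MD5-like key) are assumptions drawn from that description and the example payload, not a documented Cato constraint.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed onboarding payload in the shape the page describes; placeholder values.
SAMPLE_CREDENTIALS = {"customer_id": "1234",
                      "api_key": "0123456789ABCDEF0123456789ABCDEF"}

# The two security-event records from the page's sample, copied verbatim.
SAMPLE_NDJSON = '''{"time": "2022-02-21T16:38:52Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461532599"}}
{"time": "2022-02-22T15:28:32Z", "fieldsMap": {"ISP_name": "Level 3", "account_id": "XXXX", "action": "Monitor", "application": "A-AAA DC", "dest_ip": "10.0.0.1", "dest_is_site_or_vpn": "Site", "dest_port": "53", "dest_site": "NA1 (A-AAA)", "event_count": "1", "event_sub_type": "WAN Firewall", "event_type": "Security", "internalId": "xyXYX1xYxy", "ip_protocol": "UDP", "os_type": "OS_LINUX", "pop_name": "New York", "rule": "subnets to Sites", "rule_id": "55555", "rule_name": "subnets to Sites", "src_country": "United States of America", "src_ip": "10.0.0.1", "src_is_site_or_vpn": "Site", "src_isp_ip": "192.168.1.1", "src_site": "AAA1", "subnet_name": "AAA - Server", "time": "1645461432196"}}
'''

# Fields every security event is expected to carry (assumption based on the sample).
REQUIRED_FIELDS = ("event_type", "event_sub_type", "action", "time")


def check_credentials(payload):
    """Return a list of problems with the Customer ID / API Key payload (empty = OK).

    Patterns are assumptions derived from the page: 4-digit ID, MD5-like (32 hex) key.
    """
    problems = []
    if not re.fullmatch(r"\d{4}", str(payload.get("customer_id", ""))):
        problems.append("customer_id must be a 4-digit ID")
    if not re.fullmatch(r"[0-9a-fA-F]{32}", str(payload.get("api_key", ""))):
        problems.append("api_key must be a 32-character hexadecimal (MD5-like) string")
    return problems


def parse_cato_event(line):
    """Parse one NDJSON line into a flat event dict with UTC datetimes and typed fields."""
    rec = json.loads(line)
    fields = rec["fieldsMap"]
    missing = [k for k in REQUIRED_FIELDS if k not in fields]
    if missing:
        raise ValueError(f"fieldsMap is missing required fields {missing}")

    inner_ms = int(fields["time"])
    # Epoch milliseconds are 13 digits for any plausible date; a 10-digit value
    # means someone exported seconds instead, which would be parsed 1000x too early.
    if not 10**12 <= inner_ms < 10**13:
        raise ValueError(f"fieldsMap.time {inner_ms} is not an epoch timestamp in milliseconds")

    # Build the event time without float arithmetic so the millisecond part is exact.
    event_time = (datetime.fromtimestamp(inner_ms // 1000, tz=timezone.utc)
                  + timedelta(milliseconds=inner_ms % 1000))
    # The outer "time" is the ISO-8601 export timestamp wrapping the event.
    export_time = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    skew_seconds = int(export_time.timestamp()) - inner_ms // 1000

    event = dict(fields)
    for key in ("dest_port", "event_count"):  # numeric fields arrive as strings
        if key in event:
            event[key] = int(event[key])
    event["event_time"] = event_time
    event["export_time"] = export_time
    event["skew_seconds"] = skew_seconds
    return event


def parse_cato_ndjson(text):
    """Parse an NDJSON blob; return (events, errors) so one bad line does not drop the batch."""
    events, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            events.append(parse_cato_event(line))
        except (ValueError, KeyError, json.JSONDecodeError) as exc:
            errors.append((lineno, str(exc)))
    return events, errors


if __name__ == "__main__":
    print("credential problems:", check_credentials(SAMPLE_CREDENTIALS))
    parsed, errs = parse_cato_ndjson(SAMPLE_NDJSON)
    for ev in parsed:
        print(ev["event_sub_type"], ev["event_time"].isoformat(), "skew", ev["skew_seconds"], "s")
    print("errors:", errs)
```

Note that for the first sample the inner millisecond timestamp converts back exactly to the outer time (zero skew), while the second sample's outer time is almost a day later than its inner event time; tracking that skew per record is a cheap way to notice delayed exports or mismatched clocks before they distort detection timelines.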

Further information about exporting your data can be found here.