Cato Networks | InsightIDR Documentation

Cato Networks

Cato Networks provides an enterprise cloud service offering several integrated networking and security tools. These can be used to connect “all branch offices, mobile users, physical and cloud data centers to provide secure WAN and internet connectivity everywhere.”

To set up Cato Networks, you’ll need to:

  1. Review the requirements.
  2. Create an API key and obtain your Account ID from Cato Networks.
  3. Set up the Cato Networks event source in InsightIDR.
  4. Verify the configuration works.

Requirements

To complete the tasks outlined in this article, you’ll need the following:

  • A Cato Networks account with Editors access.
  • API Key
  • Account ID

Create an API key and Obtain your Account ID from Cato Networks

  1. Log in to your Cato Networks Editors Account.
  2. Record the Account ID that appears in the Cato Networks URL in a temporary text file. If you have multiple account IDs you wish to monitor, repeat this step for each. For example, if your Account ID is “1234”, the URL should look like: https://rapid7.catonetworks.com/#!/1234/topology
  3. Open the Navigation Menu and click Administration > API Management.
  4. Enter the Name of the key and click Apply. If the API key is added successfully, a window appears displaying the new API key.
  5. Click the Copy icon to copy your API key and save it in a secure location. Once you close the window, you can no longer view the value of the API key.
  6. Click Ok to close the API window.
  7. On the API Management page click the Event Feed Enabled toggle to enable your account to send events to the Cato API servers.

Set up Cato Networks in InsightIDR

  1. From the left menu, go to Data Collection.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Firewall section, click the Cato Networks icon. The Add Event Source panel appears.
  4. Choose your collector and Cato Networks from the event source drop-down.
  5. Name your event source. If you do not, InsightIDR will apply the default event source name “Cato Networks”.
  6. Optionally choose to send unparsed logs.
  7. Select an attribution source.
  8. Enter the Account ID that you obtained from your Cato Networks Profile URL. If you wish to enter multiple Account IDs you must separate them using a comma.
  9. Select your credentials, or create a new credential. If you’re creating a new credential, enter the API key you created in Cato Networks.
  10. Click Save.

Attribution source options

Cato Networks product logs can contain information about hosts and accounts. When you set up Cato Networks as an event source, you can choose one of the following attribution options:

  1. Use IDR engine if possible; if not, use event log

With this option, the InsightIDR attribution engine performs attribution using the source address present in the log lines. If it cannot resolve an asset or account from the source address, it falls back to the assets or accounts present in the log lines, if any.

  2. Use event log if possible; if not, use IDR engine

With this option, attribution is done using the assets and accounts present in the log lines. If no assets or accounts are present in the log lines, the InsightIDR attribution engine performs attribution using the source address present in the log lines.

  3. Use IDR engine only

With this option, the InsightIDR attribution engine performs attribution using the source address present in the log lines and ignores any assets and accounts present in the log lines.

  4. Use event log only

With this option, attribution is done using the assets and accounts present in the log lines and ignores the source address.

Verify the configuration

Complete the following steps to view your logs and confirm that events are reaching the Collector.

  1. On the new event source that was just created, click the View Raw Log button. If log messages appear in the box, logs are flowing to the Collector.
  2. Click Log Search in the left menu.
  3. Select the applicable Log Sets and the Log Names within them. The Log Name will be the event source name or “Cato Networks” if you did not name the event source. Cato Networks logs flow into the Cato Networks log set.

Note that logs take at least 7 minutes to appear in Log Search after you set up the event source. If you see log messages when you select View Raw Log on the event source but none appear in Log Search after waiting a few minutes, your logs do not match the recommended format and type for this event source.

Sample Logs

Example of internet firewall logs:

JSON

{
  "time": "2021-12-01T15:07:11Z",
  "fieldsMap": {
    "ISP_name": "Firewall (Internet) ISP",
    "account_id": "5678",
    "action": "Monitor",
    "application": "DNS",
    "dest_ip": "10.0.0.2",
    "dest_is_site_or_vpn": "Site",
    "dest_port": "53",
    "dest_site": "CSI LV-SWI",
    "event_count": "1",
    "event_sub_type": "Internet Firewall",
    "event_type": "Security",
    "internalId": "FH67fuFj6H",
    "ip_protocol": "UDP",
    "os_type": "OS_WINDOWS",
    "os_version": "10",
    "pop_name": "PopName",
    "rule": "Migrated by Cato Allow All WAN",
    "rule_id": "1234",
    "rule_name": "Migrated by Cato Allow All WAN",
    "src_country": "United States of America",
    "src_ip": "10.0.0.1",
    "src_is_site_or_vpn": "VPN User",
    "src_isp_ip": "10.0.0.3",
    "src_site": "John Adams",
    "time": "1638371231662",
    "vpn_user_email": "[email protected]"
  }
}

Example of WAN firewall logs:

JSON

{
  "time": "2021-12-01T15:06:59Z",
  "fieldsMap": {
    "ISP_name": "Firewall (WAN) ISP",
    "account_id": "5678",
    "action": "Monitor",
    "application": "HTTP(S)",
    "dest_ip": "10.0.0.5",
    "dest_is_site_or_vpn": "Site",
    "dest_port": "80",
    "dest_site": "CSI LV-SWI",
    "event_count": "1",
    "event_sub_type": "WAN Firewall",
    "event_type": "Security",
    "internalId": "f85jFRj683",
    "ip_protocol": "TCP",
    "os_type": "OS_WINDOWS",
    "os_version": "10",
    "pop_name": "PopName",
    "rule": "Migrated by Cato Allow All WAN",
    "rule_id": "1234",
    "rule_name": "Migrated by Cato Allow All WAN",
    "src_country": "United States of America",
    "src_ip": "10.0.0.4",
    "src_is_site_or_vpn": "VPN User",
    "src_isp_ip": "10.0.0.6",
    "src_site": "Kerry Smith",
    "time": "1638371219092",
    "vpn_user_email": "[email protected]"
  }
}
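The four attribution source options above are a fallback order over two sources: the attribution engine's lookup of the source address, and the asset and account fields carried in the log line itself. The following Python is an added example, not code from the InsightIDR documentation or product. It parses an event shaped like the sample logs above (every fieldsMap value is a string, and the inner "time" is epoch milliseconds while the outer one is ISO-8601) and applies each option in its documented order. The sample event and its e-mail address are constructed; the resolver standing in for the InsightIDR attribution engine is a hypothetical lookup table; and treating src_site as the asset and vpn_user_email as the account is an assumption about the field semantics, not something the page states.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple

# Constructed sample event with the shape and field names of the Internet
# Firewall example above; the e-mail address is made up.
SAMPLE_INTERNET_FW = json.dumps({
    "time": "2021-12-01T15:07:11Z",
    "fieldsMap": {
        "ISP_name": "Firewall (Internet) ISP", "account_id": "5678",
        "action": "Monitor", "application": "DNS",
        "dest_ip": "10.0.0.2", "dest_is_site_or_vpn": "Site", "dest_port": "53",
        "dest_site": "CSI LV-SWI", "event_count": "1",
        "event_sub_type": "Internet Firewall", "event_type": "Security",
        "internalId": "FH67fuFj6H", "ip_protocol": "UDP",
        "rule_id": "1234", "rule_name": "Migrated by Cato Allow All WAN",
        "src_ip": "10.0.0.1", "src_is_site_or_vpn": "VPN User",
        "src_site": "John Adams", "time": "1638371231662",
        "vpn_user_email": "john.adams@example.com",
    },
})

@dataclass(frozen=True)
class CatoEvent:
    timestamp: datetime
    action: str
    src_ip: str
    dest_ip: str
    dest_port: int
    ip_protocol: str
    src_site: Optional[str]
    vpn_user_email: Optional[str]

def parse_event(raw: str) -> CatoEvent:
    """Normalise one Cato event; every fieldsMap value arrives as a string."""
    f = json.loads(raw)["fieldsMap"]
    # The inner "time" is epoch milliseconds (the outer one is ISO-8601);
    # split it by hand so float rounding cannot creep into the microseconds.
    ms = int(f["time"])
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return CatoEvent(
        timestamp=ts.replace(microsecond=(ms % 1000) * 1000),
        action=f["action"], src_ip=f["src_ip"], dest_ip=f["dest_ip"],
        dest_port=int(f["dest_port"]), ip_protocol=f["ip_protocol"],
        src_site=f.get("src_site"), vpn_user_email=f.get("vpn_user_email"),
    )

@dataclass(frozen=True)
class Attribution:
    asset: Optional[str]
    account: Optional[str]
    source: str  # "engine", "event_log" or "none"

NO_ATTRIBUTION = Attribution(None, None, "none")

# Hypothetical stand-in for the InsightIDR attribution engine: maps a source
# address to (asset, account), or to (None, None) when it cannot resolve it.
Resolver = Callable[[str], Tuple[Optional[str], Optional[str]]]

def from_engine(ev: CatoEvent, resolve: Resolver) -> Optional[Attribution]:
    asset, account = resolve(ev.src_ip)
    if asset is None and account is None:
        return None
    return Attribution(asset, account, "engine")

def from_event_log(ev: CatoEvent) -> Optional[Attribution]:
    # Assumption: src_site names the asset or user, vpn_user_email the account.
    if ev.src_site is None and ev.vpn_user_email is None:
        return None
    return Attribution(ev.src_site, ev.vpn_user_email, "event_log")

def attribute(ev: CatoEvent, mode: str, resolve: Resolver) -> Attribution:
    """Apply one of the four attribution-source options in documented order."""
    order = {
        "engine_then_log": ("engine", "log"),
        "log_then_engine": ("log", "engine"),
        "engine_only": ("engine",),
        "log_only": ("log",),
    }[mode]
    for step in order:
        result = from_engine(ev, resolve) if step == "engine" else from_event_log(ev)
        if result is not None:
            return result
    return NO_ATTRIBUTION

def demo_resolver(ip: str) -> Tuple[Optional[str], Optional[str]]:
    # Constructed lookup table: one known address, everything else unresolved.
    return {"10.0.0.1": ("WKS-ADAMS", "jadams")}.get(ip, (None, None))

if __name__ == "__main__":
    ev = parse_event(SAMPLE_INTERNET_FW)
    for mode in ("engine_then_log", "log_then_engine", "engine_only", "log_only"):
        print(mode, attribute(ev, mode, demo_resolver),
              attribute(ev, mode, lambda ip: (None, None)))
```

Running the block prints each option twice: once with a resolver that knows the source address, once with one that does not. The two "if possible" options give different answers depending on which source wins first, while "IDR engine only" returns no attribution at all when the address is unknown, which is the case to watch for when choosing an option for VPN users whose addresses are not in your asset inventory.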