Cato Network - SGBox SIEM Integration Guide

This guide explains how to configure SGBox to make API calls to Cato Networks in order to collect, in the SGBox SIEM, the Network and IDS/IPS events managed by Cato.

To complete the tasks outlined in this guide, you will need to:

  • Create an API key and obtain your Account ID from Cato Networks.
  • Configure the SGBox Playbooks for Cato Networks.

Overview of Cato API Keys

The API Keys page of the Cato Management Application lets you generate the API keys used to authenticate to the Cato API server. An API client or script presents this API key to authenticate its API calls to Cato.

Cato supports two permission levels for API keys:

  • View permissions – perform read-only API calls to retrieve data from your account
  • Edit permissions – perform write API calls to make changes to your account

Note: SGBox ingests event data through the eventsFeed API, so make sure that Enable integration with Cato events is selected in the Resources > Event Integrations page.

Generating an API Key

  • In the navigation menu, click Account > API Keys.
  • Click New. The Create API Key panel opens.
  • Enter a Key Name.
  • Select View as the API Permission for this key.
  • (Optional) Select a date that the API key Expires at.
  • In Allow access from IPs, select Specific IP list and define the IP addresses that are allowed to use this API key, including the SGBox IP address.
    • The default setting allows this API key from Any IP address.
  • Click Apply. The API key is added and a pop-up window containing the new API key is displayed.
  • Click (Copy) to copy the API key generated by the Cato Management Application and save it in a secure location.
    • Once you close this window, you can't access the value of the API key again.
  • Click OK to close the pop-up window.

Obtain your Account ID from Cato Networks

Account ID Location:

Log in to your Cato Networks Editors account.

  • The Account ID is found within the Cato Management Application by navigating to Account > Account Info.
  • It is also shown in the URL of the Cato account when you are logged in.
    • For example, if your Account ID is “1234”, the URL looks like: https://sgbox.catonetworks.com/#!/1234/topology

Configure SGBox Playbooks for Cato Networks

Add Custom Host

You must define a Host in SGBox so that the logs collected from Cato are written into the SIEM, where they can be archived and analyzed.

  • Go to SCM > Network > Host list.
  • Click the ➕ New Host button.
  • Insert “CatoNetwork” in the Host field and save the new host.


Cato Network Package Installation

It is also necessary to install the Cato Network package in SGBox, which deploys the SIEM configuration used to collect and analyze Cato events.

  • Go to SCM > Applications > Packages and download the package named “Cato Network” by clicking the Install button.
  • During the installation of the package, in the field Select the hosts the package will be associated with, choose “CatoNetwork”, the host previously defined in the Host list.


  • Click Install to finish the installation.

Cato Network PB Configurations

  • Go to SCM > PB > Playbook and edit [Cato] Network Get RawLogs.
  • Edit the node called [SET] Credentials Parameters, insert the API key and Account ID obtained from Cato, and save the changes on the node by clicking the Save button.
  • Edit the node called [WRITE] RawLog, in the field choose from list select “CatoNetwork”, the host previously defined in the Host list, and save the changes on the node by clicking the Save button.


  • To save all changes and exit the [Cato] Network Get RawLogs playbook, click the Save button.
  • Schedule the [Cato] Network Get RawLogs PB by clicking the button with the clock icon 🕓, set an appropriate time interval (not less than 5 minutes) and save the change. To run the Playbook, click the Execute button and choose Background run.

If the API connection between Cato Networks and SGBox is working, a green 🟢 icon appears in the Status column, and in the Host list the Last Log column for the CatoNetwork host starts showing the timestamp of the last data received from Cato in SGBox.

Note: to check the availability of the data collected by SGBox, you can also refer to the Historical search page: https://www.sgbox.eu/en/knowledge-base/historical-search/

If the execution of the PB gives an error, a red 🔴 icon is shown. In this case, first re-check the configuration to make sure that there are no errors in the parameters entered for the API connection; if the problem persists, you can open a ticket with SGBox Support via the ticketing portal: https://sgboxportal.sgbox.it/portal/en/signin
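When the Playbook shows the red icon, it helps to confirm the API key and Account ID outside SGBox before re-entering them in the [SET] Credentials Parameters node. The following is an added Python example, not SGBox's playbook code or Cato's own tooling: it assumes Cato's GraphQL endpoint https://api.catonetworks.com/api/v1/graphql2, authentication via the x-api-key header, and the eventsFeed reply shape (marker, fetchedCount, accounts[].errorString, accounts[].records[].fieldsMap); verify these against Cato's API reference.

```python
import json
import urllib.request

# Assumed Cato GraphQL endpoint and auth header (check Cato's API reference).
CATO_GRAPHQL_URL = "https://api.catonetworks.com/api/v1/graphql2"

# Assumed shape of the eventsFeed query that SGBox's playbook relies on.
EVENTS_FEED_QUERY = """
query eventsFeed($accountIDs: [ID!]!, $marker: String) {
  eventsFeed(accountIDs: $accountIDs, marker: $marker) {
    marker fetchedCount
    accounts { id errorString records { time fieldsMap } }
  }
}"""

# Constructed sample reply, used only to exercise the parser offline.
SAMPLE_RESPONSE = {"data": {"eventsFeed": {
    "marker": "m-0002", "fetchedCount": 1,
    "accounts": [{"id": "1234", "errorString": None, "records": [
        {"time": "2024-01-01T00:00:00Z",
         "fieldsMap": {"event_type": "Security", "event_sub_type": "IPS"}}]}]}}}

def build_request(api_key, account_id, marker=""):
    """Build one eventsFeed poll: JSON POST with the key in x-api-key."""
    body = json.dumps({"query": EVENTS_FEED_QUERY,
                       "variables": {"accountIDs": [str(account_id)],
                                     "marker": marker}}).encode()
    return urllib.request.Request(
        CATO_GRAPHQL_URL, data=body, method="POST",
        headers={"x-api-key": api_key, "Content-Type": "application/json"})

def parse_events_feed(response):
    """Return (next_marker, events, errors) from a decoded eventsFeed reply."""
    if response.get("errors"):  # GraphQL-level errors, e.g. an invalid API key
        return None, [], [e.get("message", "") for e in response["errors"]]
    feed = response["data"]["eventsFeed"]
    events, errors = [], []
    for acct in feed.get("accounts", []):
        if acct.get("errorString"):  # e.g. Account ID not covered by this key
            errors.append(f"account {acct['id']}: {acct['errorString']}")
            continue
        for rec in acct.get("records", []):  # one flat dict = one raw log line
            events.append({"time": rec["time"], **rec.get("fieldsMap", {})})
    return feed.get("marker"), events, errors  # keep marker for the next poll

def poll_once(api_key, account_id, marker=""):
    """Live poll; schedule it no more often than every 5 minutes, as the guide says."""
    with urllib.request.urlopen(build_request(api_key, account_id, marker)) as r:
        return parse_events_feed(json.load(r))
```

An empty error list together with a non-empty marker from a live poll_once call means the key, its IP allow-list and the Account ID are consistent; an errorString on the account usually points at the Account ID, a top-level GraphQL error at the key itself.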

Analyzing collected data

Go to LM > Configuration > Mapping, edit the mapping called [Cato] Network, in the field choose from list select “CatoNetwork”, the host previously defined in the Host list, then save the changes by clicking the OK button and Confirm.


In this way, SGBox will begin to analyze the events it has collected, which will be searchable from the SGBox analysis pages (Class/Pattern analysis, Custom Report List, Dashboard).