Collect Cato Networks logs

This document explains how to ingest Cato Networks logs into Google Security Operations using AWS S3. The parser first initializes a set of fields to empty strings and then parses the JSON-formatted Cato Networks logs. It then maps the extracted fields to the corresponding fields in the Google SecOps Unified Data Model (UDM), handling the different event types and enriching the data with additional context.

Before you begin

Make sure you have the following prerequisites:

  • Google SecOps instance
  • Privileged access to AWS S3, AWS IAM
  • Privileged access to Cato Networks

Configure AWS IAM and S3 Bucket

  1. Create an Amazon S3 bucket following this user guide: Creating a bucket.
  2. Save the bucket Name and Region for future reference.
  3. Create a User following this user guide: Creating an IAM user.
  4. Select the created User.
  5. Select the Security credentials tab.
  6. Click Create Access Key in the Access Keys section.
  7. Select Third-party service as Use case.
  8. Click Next.
  9. Optional: Add a description tag.
  10. Click Create access key.
  11. Click Download CSV file to save the Access Key and Secret Access Key for future reference.
  12. Click Done.
  13. Select the Permissions tab.
  14. Click Add permissions in section Permissions policies.
  15. Select Add permissions.
  16. Select Attach policies directly.
  17. Search for the AmazonS3FullAccess policy and then select the policy.
  18. Click Next.
  19. Click Add permissions.

Configure a New IAM Policy For S3 Bucket to enable data uploads

  1. In Policy, click the JSON tab.
  2. Edit the following JSON, replacing <bucket name> with the name of your S3 bucket, and then paste it in the tab.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetBucketLocation"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket name>"
                ]
            },
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": [
                    "s3:PutObject"
                ],
                "Resource": [
                    "arn:aws:s3:::<bucket name>/*"
                ]
            }
        ]
    }
    
  3. Click Create policy.

Configure a New IAM Role With Cato's ARN

  1. In the Select trusted entity screen, select Custom Trust Policy and add Cato's ARN to the role: arn:aws:iam::428465470022:role/cato-events-integration

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::428465470022:role/cato-events-integration"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
    
  2. Click Next.

  3. In the Add permissions screen, attach the policy that you created earlier to the role.

  4. Click Next.

  5. Enter the Role name and click Create role.
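The two JSON documents in the preceding steps are easy to get subtly wrong: a leftover <bucket name> placeholder, an s3:* wildcard instead of the three actions listed, an object-level action scoped to the bucket ARN (or the reverse), or a trust policy whose principal is broader than Cato's role ARN. The following Python script is an added example, not part of this page and not tooling from Google or Cato; it checks both documents against the shape shown above before you paste them into the console. The bucket name is a constructed value; the Cato role ARN is the one given in the procedure.

```python
import json
from typing import List

# Constructed bucket name standing in for the <bucket name> placeholder.
BUCKET_NAME = "example-cato-logs"
# Cato's integration role ARN, as stated in the procedure above.
CATO_ROLE_ARN = "arn:aws:iam::428465470022:role/cato-events-integration"

# The bucket permission policy from the procedure, with the placeholder filled in.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": [f"arn:aws:s3:::{BUCKET_NAME}"]},
        {"Sid": "", "Effect": "Allow",
         "Action": ["s3:PutObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET_NAME}/*"]},
    ],
}

# The custom trust policy from the procedure.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Statement1", "Effect": "Allow",
         "Principal": {"AWS": CATO_ROLE_ARN},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal; normalize to a list."""
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy: dict, bucket: str) -> List[str]:
    """Return findings for the upload policy; an empty list means it matches the expected shape."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    # Each action Cato needs, with the single resource it should be scoped to.
    allowed = {
        "s3:ListBucket": bucket_arn,
        "s3:GetBucketLocation": bucket_arn,
        "s3:PutObject": bucket_arn + "/*",
    }
    if "<bucket name>" in json.dumps(policy):
        findings.append("placeholder <bucket name> was not replaced")
    seen = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed:
                findings.append(f"unexpected action {action!r}; only the three listed actions are needed")
                continue
            seen.add(action)
            for res in resources:
                if res != allowed[action]:
                    findings.append(f"{action} should be scoped to {allowed[action]}, got {res!r}")
    for action in allowed:
        if action not in seen:
            findings.append(f"missing required action {action}")
    return findings


def check_trust_policy(policy: dict, expected_principal: str) -> List[str]:
    """Return findings for the trust policy; it must trust exactly one principal for sts:AssumeRole."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict such as {"AWS": "<arn>"}.
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if principals != [expected_principal]:
            findings.append(f"trusted principal should be exactly {expected_principal}, got {principals}")
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append(f"action should be exactly sts:AssumeRole, got {stmt.get('Action')}")
    return findings


if __name__ == "__main__":
    for name, findings in (("bucket policy", check_bucket_policy(BUCKET_POLICY, BUCKET_NAME)),
                           ("trust policy", check_trust_policy(TRUST_POLICY, CATO_ROLE_ARN))):
        print(name, "OK" if not findings else findings)
```

Feed the script the JSON you intend to paste; it reports nothing for the two documents as written and lists each deviation otherwise, so a wildcard that slipped in during editing is caught before the role exists.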

Configure Cato Networks Events and S3 Integration

  1. Sign in to the Cato Networks web UI.
  2. Go to Resources > Event Integrations.
  3. Click Enable integration with Cato events.
  4. Click New.
  5. Provide the following configuration details:
    • Name: Enter a name for the integration.
    • Bucket Name: The name of the S3 bucket, exactly as you created it.
    • Folder: The folder path within the S3 bucket, if you use one.
    • Region: The region of the S3 bucket.
    • Role ARN: Paste the ARN of the role you created for the S3 bucket.
    • (Optional) Define filter settings for the events that are uploaded to the S3 bucket. When you define multiple filters, they are combined with AND, so only events that match all filters are uploaded.
  6. Click Apply.

Set up feeds

There are two different entry points to set up feeds in the Google SecOps platform:

  • SIEM Settings > Feeds
  • Content Hub > Content Packs

Set up feeds from SIEM Settings > Feeds

To configure a feed, follow these steps:

  1. Go to SIEM Settings > Feeds.
  2. Click Add New Feed.
  3. On the next page, click Configure a single feed.
  4. In the Feed name field, enter a name for the feed (for example, Cato Logs).
  5. Select Amazon S3 as the Source type.
  6. Select Cato Networks as the Log type.
  7. Click Next.
  8. Specify values for the following input parameters:

    • Region: The region where the Amazon S3 bucket is located.
    • S3 URI: The bucket URI (the format should be: s3://<your-log-bucket-name>). Replace the following:
      • your-log-bucket-name: the name of the bucket.
    • URI is a: Select Directory or Directory which includes subdirectories.
    • Source deletion options: Select deletion option according to your preference.
    • Access Key ID: the User access key with access to the S3 bucket.
    • Secret Access Key: the User secret key with access to the S3 bucket.
  9. Click Next.

  10. Review your new feed configuration in the Finalize screen, and then click Submit.

Set up feeds from the Content Hub

Specify values for the following fields:

  • Region: The region where the Amazon S3 bucket is located.
  • S3 URI: The bucket URI (the format should be: s3://<your-log-bucket-name>). Replace the following:
    • your-log-bucket-name: the name of the bucket.
  • URI is a: Select Directory or Directory which includes subdirectories.
  • Source deletion options: Select the deletion option according to your preference.
  • Access Key ID: The User access key with access to the S3 bucket.
  • Secret Access Key: The User secret key with access to the S3 bucket.

Advanced options

  • Feed Name: A prepopulated value that identifies the feed.
  • Source Type: Method used to collect logs into Google SecOps.
  • Asset Namespace: Namespace associated with the feed.
  • Ingestion Labels: Labels applied to all events from this feed.

UDM mapping table

| Log field | UDM mapping | Logic |
|---|---|---|
| account_id | target.user.userid | The value of this field is taken from the account_id field. |
| action | additional.fields.value.string_value | The value of this field is taken from the action field. |
| app_stack | additional.fields.value.list_value.values.string_value | The value of this field is taken from the app_stack field. |
| application | principal.application | The value of this field is taken from the application field. |
| categories | additional.fields.value.list_value.values.string_value | The value of this field is taken from the categories field. |
| clientIP | principal.ip, principal.asset.ip | The value of this field is taken from the clientIP field. |
| creationTime | | This field is used to calculate the event timestamp. |
| custom_categories | additional.fields.value.list_value.values.string_value | The value of this field is taken from the custom_categories field. |
| dest_country | target.location.country_or_region | The value of this field is taken from the dest_country field. |
| dest_country_code | target.resource.attribute.labels.value | The value of this field is taken from the dest_country_code field. |
| dest_ip | target.ip, target.asset.ip | The value of this field is taken from the dest_ip field. |
| dest_port | target.port | The value of this field is taken from the dest_port field. |
| destinationCountry | target.location.country_or_region | The value of this field is taken from the destinationCountry field. |
| destinationIp | target.ip, target.asset.ip | The value of this field is taken from the destinationIp field. |
| destinationName | target.hostname, target.asset.hostname | The value of this field is taken from the destinationName field. |
| device_name | network.dhcp.client_hostname | The value of this field is taken from the device_name field. |
| dns_name | additional.fields.value.string_value | The value of this field is taken from the dns_name field. |
| event_count | additional.fields.value.string_value | The value of this field is taken from the event_count field. |
| event_sub_type | metadata.description | The value of this field is taken from the event_sub_type field. |
| fieldsMap.ISP_name | additional.fields.value.string_value | The value of this field is taken from the fieldsMap.ISP_name field. |
| fieldsMap.action | security_result.action_details | The value of this field is taken from the fieldsMap.action field. |
| fieldsMap.categories | security_result.category_details | The value of this field is taken from the fieldsMap.categories field. |
| fieldsMap.dest_country | target.location.country_or_region | The value of this field is taken from the fieldsMap.dest_country field. |
| fieldsMap.dest_ip | target.ip, target.asset.ip | The value of this field is taken from the fieldsMap.dest_ip field. |
| fieldsMap.dest_port | principal.port | The value of this field is taken from the fieldsMap.dest_port field. |
| fieldsMap.domain_name | principal.administrative_domain | The value of this field is taken from the fieldsMap.domain_name field. |
| fieldsMap.event_sub_type | metadata.description | The value of this field is taken from the fieldsMap.event_sub_type field. |
| fieldsMap.event_type | metadata.product_event_type | The value of this field is taken from the fieldsMap.event_type field. |
| fieldsMap.ip_protocol | network.ip_protocol | The value of this field is taken from the fieldsMap.ip_protocol field. |
| fieldsMap.os_type | | This field is used to determine the operating system of the principal. |
| fieldsMap.pop_name | additional.fields.value.string_value | The value of this field is taken from the fieldsMap.pop_name field. |
| fieldsMap.rule_id | security_result.rule_id | The value of this field is taken from the fieldsMap.rule_id field. |
| fieldsMap.rule_name | security_result.rule_name | The value of this field is taken from the fieldsMap.rule_name field. |
| fieldsMap.src_ip | principal.ip, principal.asset.ip | The value of this field is taken from the fieldsMap.src_ip field. |
| fieldsMap.src_isp_ip | src.ip, src.asset.ip | The value of this field is taken from the fieldsMap.src_isp_ip field. |
| fieldsMap.time | | This field is used to calculate the event timestamp. |
| file_hash | target.file.sha256 | The value of this field is taken from the file_hash field. |
| file_name | target.file.full_path | The value of this field is taken from the file_name field. |
| file_size | target.file.size | The value of this field is taken from the file_size field. |
| http_host_name | principal.hostname, principal.asset.hostname | The value of this field is taken from the http_host_name field. |
| insertionDate | additional.fields.value.string_value | The value of this field is taken from the insertionDate field. |
| internalId | additional.fields.value.string_value | The value of this field is taken from the internalId field. |
| ip_protocol | network.ip_protocol | The value of this field is taken from the ip_protocol field. |
| is_sanctioned_app | security_result.detection_fields.value | The value of this field is taken from the is_sanctioned_app field. |
| os_type | principal.platform | The value of this field is taken from the os_type field. |
| pop_name | | This field is used to populate the fieldsMap.pop_name field. |
| prettyType | metadata.product_event_type | The value of this field is taken from the prettyType field. |
| rule | additional.fields.value.string_value | The value of this field is taken from the rule field. |
| rule_id | security_result.rule_id | The value of this field is taken from the rule_id field. |
| rule_name | security_result.rule_name | The value of this field is taken from the rule_name field. |
| server_port | target.port | The value of this field is taken from the server_port field. |
| severity | security_result.severity_details | The value of this field is taken from the severity field. |
| sourceCountry | principal.location.country_or_region | The value of this field is taken from the sourceCountry field. |
| sourceInternalIp | principal.ip | The value of this field is taken from the sourceInternalIp field. |
| sourceIp | src.ip, src.asset.ip | The value of this field is taken from the sourceIp field. |
| sourceName | principal.user.user_display_name | The value of this field is taken from the sourceName field. |
| sport | principal.port | The value of this field is taken from the sport field. |
| src_country | | This field is used to populate the sourceCountry field. |
| src_country_code | principal.resource.attribute.labels.value | The value of this field is taken from the src_country_code field. |
| src_ip | principal.ip, principal.asset.ip | The value of this field is taken from the src_ip field. |
| src_is_site_or_vpn | security_result.detection_fields.value | The value of this field is taken from the src_is_site_or_vpn field. |
| src_isp_ip | src.ip, src.asset.ip | The value of this field is taken from the src_isp_ip field. |
| src_site | additional.fields.value.string_value | The value of this field is taken from the src_site field. |
| src_site_name | additional.fields.value.string_value | The value of this field is taken from the src_site_name field. |
| start | | This field is used to calculate the event timestamp. |
| subnet_name | additional.fields.value.string_value | The value of this field is taken from the subnet_name field. |
| time | | This field is used to calculate the event timestamp. |
| time_str | | This field is used to calculate the event timestamp. |
| tunnel_host_logon_names | principal.user.userid | The value of this field is taken from the tunnel_host_logon_names field. |
| URL | target.url | The value of this field is taken from the url field. |
| user_id | principal.user.userid | The value of this field is taken from the user_id field. |
| | metadata.event_type | The value of this field is set to GENERIC_EVENT and can be overridden to NETWORK_CONNECTION, NETWORK_DHCP or NETWORK_HTTP based on the event. |
| | metadata.log_type | The value of this field is set to CATO_NETWORKS. |
| | metadata.product_name | The value of this field is set to SASE. |
| | metadata.vendor_name | The value of this field is set to Cato Networks. |
| | network.application_protocol | The value of this field is set to DHCP for Connected events. |
| | network.dhcp.chaddr | The value of this field is set to 01:23:45:ab:cd:ef for Connected events. |
| | network.dhcp.lease_time_seconds | The value of this field is set to 86400 for Connected events. |
| | network.dhcp.opcode | The value of this field is set to BOOTREPLY for Connected events. |
| | network.dhcp.type | The value of this field is set to ACK for Connected events. |
| | network.direction | The value of this field is set to OUTBOUND for Anti Malware and URL Filtering events. |
| | security_result.action | The value of this field is set to ALLOW if the action field is not BLOCK, otherwise it is set to BLOCK. |
| event_type | metadata.description | The value of this field is taken from the event_type field. |
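To make the table concrete, the following Python function is an added example, not the Google SecOps parser itself, that applies a subset of the fieldsMap.* rows and the constant-value rows above to a constructed Cato event. Useful when checking whether a detection rule written against UDM fields will see the values you expect. Three details the table leaves open are assumptions here and are marked as such in the code: fieldsMap.time is treated as epoch milliseconds, the action comparison is case-insensitive, and "Anti Malware" and "URL Filtering" are matched on event_sub_type.

```python
import json
from datetime import datetime, timezone

# Constructed sample event (not a real capture): an envelope whose fieldsMap
# carries the per-event fields, matching the fieldsMap.* rows of the table.
SAMPLE_EVENT = json.dumps({
    "fieldsMap": {
        "event_type": "Security",
        "event_sub_type": "URL Filtering",
        "src_ip": "10.0.0.5",
        "dest_ip": "203.0.113.10",
        "dest_port": "443",
        "ip_protocol": "TCP",
        "action": "Block",
        "rule_id": "1234",
        "rule_name": "Block uncategorized sites",
        "pop_name": "example-pop",
        "time": "1700000000000",
    }
})

# Subset of the mapping table: fieldsMap key -> UDM path(s). "additional.fields"
# is handled separately because UDM stores it as a list of key/value entries.
FIELD_MAP = {
    "event_type": "metadata.product_event_type",
    "event_sub_type": "metadata.description",
    "src_ip": ["principal.ip", "principal.asset.ip"],
    "dest_ip": ["target.ip", "target.asset.ip"],
    "dest_port": "principal.port",  # as listed in the table for fieldsMap.dest_port
    "ip_protocol": "network.ip_protocol",
    "action": "security_result.action_details",
    "rule_id": "security_result.rule_id",
    "rule_name": "security_result.rule_name",
    "pop_name": "additional.fields",
}

# Assumption: these event_sub_type values are the "Anti Malware and URL Filtering
# events" the table refers to when setting network.direction.
OUTBOUND_SUBTYPES = {"Anti Malware", "URL Filtering"}


def set_path(obj: dict, dotted: str, value) -> None:
    """Set a dotted UDM path such as principal.asset.ip, creating intermediate dicts."""
    parts = dotted.split(".")
    cur = obj
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def to_udm(raw: str) -> dict:
    """Map one JSON Cato event to a UDM-shaped dict using the table rows above."""
    fields = json.loads(raw).get("fieldsMap", {})
    # Constant-value rows from the table.
    udm = {"metadata": {"event_type": "GENERIC_EVENT", "log_type": "CATO_NETWORKS",
                        "product_name": "SASE", "vendor_name": "Cato Networks"}}
    for src, dest in FIELD_MAP.items():
        value = fields.get(src)
        if value in (None, ""):
            continue  # empty source fields are left unset, not copied as ""
        if dest == "additional.fields":
            udm.setdefault("additional", {}).setdefault("fields", []).append(
                {"key": src, "value": {"string_value": str(value)}})
            continue
        for path in ([dest] if isinstance(dest, str) else dest):
            set_path(udm, path, value)
    # security_result.action: ALLOW unless the action field is BLOCK.
    # Assumption: the comparison is case-insensitive.
    action = str(fields.get("action", "")).upper()
    set_path(udm, "security_result.action", "BLOCK" if action == "BLOCK" else "ALLOW")
    if fields.get("event_sub_type") in OUTBOUND_SUBTYPES:
        set_path(udm, "network.direction", "OUTBOUND")
    # Assumption: fieldsMap.time is epoch milliseconds.
    if fields.get("time"):
        ts = datetime.fromtimestamp(int(fields["time"]) / 1000, tz=timezone.utc)
        udm["metadata"]["event_timestamp"] = ts.isoformat()
    return udm


if __name__ == "__main__":
    print(json.dumps(to_udm(SAMPLE_EVENT), indent=2))
```

Events whose action is empty or anything other than BLOCK come out as ALLOW, exactly as the table's security_result.action row states, so a rule that alerts on ALLOW for a given category should be tested with both a blocked and an unset-action sample.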
