Overview of Detection & Response Stories
Cato Detection & Response is a new layer of security that creates stories for threats. When Cato’s advanced correlation engines analyze traffic data and find a match for a potential threat, they generate a story. The story contains data from traffic flows with common properties that relate to the same threat. The Stories Workbench shows the details of each story to help you understand and analyze the threats. You can sort and filter the stories to find the most important potential attacks, and then drill-down on a story to further investigate the details.
These are examples of data that a story can include:
Sources in your network
External targets of network traffic
Identification and description of the threat
Relevant geolocations
Related applications
Relevant traffic flows
Popularity of the target according to Cato internal data
Malicious score of the target according to Cato threat intelligence algorithms
Prerequisites
This version of the Detection & Response feature is available for Cato MDR customers only. For more about subscribing to the MDR service, please contact your Cato representative.
Showing the Stories Workbench
The Stories Workbench shows a summary of the stories for the potential threats in your account.
To show the Stories Workbench:
From the navigation menu, click Home> Stories Workbench.
Understanding the Stories Columns

Column | Description |
|---|---|
ID | Unique Cato ID for this story |
Created | Date of the first traffic flow for the story |
Updated | Date of the most recent traffic flow for the story |
Risk Score | Cato's risk analysis of the story (values are from 1 - 10) |
IOA | Indicator of Attack for the story |
Source | IP address or name of device on your network impacted by the story |
Type |
|
Status |
|
Grouping the Stories
To provide context when reviewing the stories, you can show the stories in groups defined by details including Source, Indication, Status, and Type. For example, you can show together all of the stories related to a specific source IP address or all of the Cybersquatting stories. This gives you a broader perspective when analyzing the stories, and can help you reach faster and more accurate conclusions.
Each group highlights the criticality levels for the stories in that group, including the number of high, medium, and low criticality stories.

To group the stories in the Stories Workbench:
From the navigation menu, click Home > Stories Workbench.
From the Group By drop-down menu, select the required criterion.
The stories are shown in expandable groups.
Filtering the Stories
There are two ways to filter the data in the Stories Workbench: automatically update the filter with the selected item, or manually configure the filter.
Automatically Filtering for an Item
As you hover over an item or field where a filter option is available, the
button appears. Click the icon to show the filter options:
Add to Filter - Adds the item to the filter, and the Stories Workbench now only shows stories that includes this item. For example, if you filter for a specific Risk Score, the screen only shows stories with that Risk Score.
Exclude from Filter - Updates the filter to exclude this item, and the Stories Workbench now only shows stories that do NOT include this item.
You can continue to add items to the filter, click
again to update the filter and drill-down further.
Selecting the Time Range
The default time range for the Stories Workbench is the previous two days. You can select a different time range to show the stories a longer or shorter time period. For more information, see Setting the Time Range Filter.
The maximum date range for the Stories Workbench is 90 days.
Manually Configuring the Filter
You can manually configure the story filter for greater granularity to analyze the stories. After you configure the filter, it is added to the stories filter bar and the screen is automatically updated to show the stories that match the new filter.
To create a filter:
In the filter bar, click
.Start typing or select the Field.
Select the Operator, which determines the relationship between the Field and the Value you are searching for.
Select the Value.
Click Add Filter. The filter is added to the filter bar and the Stories Workbench is updated to show stories based on the filters.
Clearing the Filter
You can remove each item in the filter separately, or clear the entire filter.
To clear the filters for the Stories Workbench:
To clear a single filter, click
next to the filter (item 1 above).To clear all the filters, click X at the right end of the filter bar (item 2 above).
Drilling-Down and Analyzing Stories
You can click on a story in the Stories Workbench to drill-down and investigate the details in a different screen. This screen contains a number of widgets that help you evaluate the potential threat. There are specialized widgets to analyze data for Threat Hunting or Usage Anomaly stories.
Understanding the Threat Hunting Widgets

These are the widgets for a Threat Hunting story:
Item | Name | Description | ||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
1 | Story summary | A summary of basic information about the story, including:
| ||||||||||||||||||||||||||||||||
2 | Story timeline | Shows a timeline of the story, such as changes made to the story verdict and severity, and when new targets related to the story are identified | ||||||||||||||||||||||||||||||||
3 | Details | Key information for analyzing the story, including a threat description, Cato threat signatures detected in the relevant traffic, and MITRE ATT&CK® techniques identified for the threat. For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.
| ||||||||||||||||||||||||||||||||
4 | Source | Basic information about the devices in your network impacted by the threat | ||||||||||||||||||||||||||||||||
5 | Attack Geolocation | Shows the geolocation for sources in your network (orange locations) and external sources (red locations) related to the threat. Arrows connecting the sources indicate the direction of traffic | ||||||||||||||||||||||||||||||||
6 | Attack Distribution | Time distribution of attack related flows.
| ||||||||||||||||||||||||||||||||
7 | Targets | Shows data for the potentially malicious sources outside your network site related to the story.
| ||||||||||||||||||||||||||||||||
8 | Attack Related Flows | Shows data for a representative sample of traffic flows related to the attack.
|
Understanding the Usage Anomaly Widgets

These are the widgets for a Usage Anomaly story:
Item | Name | Description |
|---|---|---|
1 | Story summary | Provides a summary of basic information about the story, including:
|
2 | Details | Key information for analyzing the story, including a threat description and summary, and MITRE ATT&CK® techniques identified for the threat. For more about the MITRE ATT&CK® framework, see Working with the MITRE ATT&CK® Dashboard.
|
3 | Anomaly Distribution | Graph of the anomalous behavior for the last 14 days
|
4 | Top Hosts | Top hosts related to the anomaly, with relevant details. For example, a host for an upstream bandwidth anomaly appears with the number of uploads from the host
|
5 | Top Applications | Top applications related to the anomaly, with relevant details. For example, an app for an upstream bandwidth anomaly appears with the number of uploads from the app
|
6 | Top Servers/Destinations | Top servers and destinations related to the anomaly, with relevant details. For example, a server for an upstream bandwidth anomaly appears with the number of uploads to the server
|
Reviewing Ticketed Stories
The Cato MDR team opens tickets to notify you about significant stories. When you receive a ticket you can easily review the story in the Stories Workbench by clicking the link provided in the ticket. This is a sample ticket:
