CATO SD-WAN¶

About¶
A Software-Defined Wide Area Network (SD-WAN) is a virtual WAN architecture that lets an enterprise connect users to applications securely and efficiently over whatever transport links are available. Compared with the managed MPLS services traditionally used by the enterprise, it is intended to deliver more responsive and predictable application performance at lower cost and with faster provisioning.
Product Details¶
Vendor URL: CATO SD-WAN
Product Type: Network Management
Product Tier: Tier III
Integration Method: Azure Blob Storage
Log Guide: CATO SD-WAN Log Guide
Parser Details¶
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: CATO_SDWAN
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| action | security_result.action_details |
| account_id | principal.asset.product_object_id |
| anti_malware_reference | security_result.url_back_to_product |
| app_stack | security_result.about.labels |
| application | security_result.about.application |
| categories | security_result.category_details |
| client_class | principal.resource.name |
| dest_country | target.location.country_or_region |
| dest_ip | target.ip |
| dest_is_site_or_vpn | target.asset.attribute.labels |
| dest_port | target.port |
| dest_site_name | target.location.name |
| dest_user_id | target.user.userid |
| dns_name | target.user.user_display_name |
| domain_name | target.domain.name |
| event_sub_type | metadata.description |
| event_type | metadata.product_event_type |
| file_hash | target.file.sha256 |
| file_name | target.file.names |
| file_size | target.file.size |
| full_path_url | target.url |
| http_host_name | target.hostname |
| http_request_method | network.http.method |
| internalId | metadata.product_log_id |
| ip_protocol | network.ip_protocol |
| ISP_name | network.carrier_name |
| mitre_attack_subtechniques | security_result.attack_details.techniques |
| mitre_attack_tactics | security_result.attack_details.tactics |
| mitre_attack_techniques | security_result.attack_details.techniques |
| os_type | principal.asset.platform_software.platform_version |
| pop_name | security_result.about.labels |
| risk_level | security_result.severity_details |
| risk_level | security_result.severity |
| rule_id | security_result.rule_id |
| rule_name | security_result.rule_name |
| severity | security_result.severity_details |
| src_country | principal.location.country_or_region |
| src_ip | principal.ip |
| src_isp_ip | observer.ip |
| src_is_site_or_vpn | principal.asset.attribute.labels |
| src_port | principal.port |
| src_site | principal.location.name |
| subnet_name | additional.fields |
| traffic_direction | network.direction |
| threat_name | security_result.threat_name |
| threat_reference | security_result.url_back_to_product |
| threat_verdict | security_result.outcomes |
| threat_type | security_result.category_details |
| url | target.url |
| user_awareness_method | additional.fields |
| user_id | principal.user.userid |
| vpn_user_email | principal.hostname |
Product Event Types¶
| Event | UDM Event Classification |
|---|---|
| Generic | GENERIC_EVENT |
| Connection | NETWORK_CONNECTION |
Log Sample¶
{"ISP_name":"Rural Telephone Service Company Inc","account_id":1234,"action":"Monitor","app_stack":["TCP","SIP","Application"],"application":"Application","categories":["General","Voip Video"],"dest_ip":"10.0.0.0","dest_is_site_or_vpn":"Site","dest_port":5060,"dest_site":"Park City","dest_site_name":"Park City","dest_user_id":-1,"dns_name":"Hostname@hostname.com","domain_name":"Hostname@hostname.com","event_count":1,"event_sub_type":"WAN Firewall","event_type":"Security","http_host_name":"Hostname@hostname.com","insertionDate":1710853034484,"internalId":"123abc123abc","ip_protocol":"TCP","os_type":"OS_LINUX","pop_name":"Kansas-City","rule":"WAN -Default","rule_id":"1234","rule_name":"WAN -Default","src_country":"United States","src_country_code":"US","src_ip":"0.0.0.0","src_is_site_or_vpn":"Site","src_isp_ip":"100.0.0.0","src_site":"Salina","src_site_name":"Salina","subnet_name":"Voice","time":1710852995106,"time_str":"2024-03-19T12:56:35Z","user_id":-1}
Sample Parsing¶
additional.fields["ISP_name"] = "Rural Telephone Service Company Inc"
additional.fields["subnet_name"] = "Voice"
metadata.base_labels.log_types = "CATO_SDWAN"
metadata.description = "WAN Firewall"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "Security"
metadata.product_log_id = "123abc123abc"
metadata.product_name = "SD_WAN"
metadata.vendor_name = "CATO"
network.ip_protocol = "TCP"
observer.ip = "100.0.0.0"
principal.asset.platform_software.platform_version = "OS_LINUX"
principal.ip = "0.0.0.0"
principal.location.country_or_region = "United States"
principal.location.name = "Salina"
principal.user.userid = "-1"
security_result.about.labels.key = "pop_name"
security_result.about.labels.value = "Kansas-City"
security_result.about.labels.key = "app_stack"
security_result.about.labels.value = "TCP"
security_result.about.labels.key = "app_stack"
security_result.about.labels.value = "SIP"
security_result.about.labels.key = "app_stack"
security_result.about.labels.value = "Application"
security_result.action_details = "Monitor"
security_result.action = "UNKNOWN_ACTION"
security_result.category_details = "General"
security_result.category_details = "Voip Video"
security_result.rule_id = "1234"
security_result.rule_name = "WAN -Default"
target.administrative_domain = "hostname.com"
target.application = "Application"
target.hostname = "Hostname"
target.ip = "10.0.0.0"
target.location.name = "Park City"
target.port = 5060
target.user.user_display_name = "Hostname@hostname.com"
target.user.userid = "-1"
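The field table and the Sample Parsing output above, traced end to end as an added example. This is not the product's parser and not code from this page; it is a small Python normalizer that applies the subset of the mapping the Sample Parsing section exercises, so its output can be compared line by line with that section. Three things are assumptions rather than documented behaviour: the split of `dns_name` into `target.hostname` and `target.administrative_domain` is inferred from the sample output; `security_result.action` is set to `UNKNOWN_ACTION` for every value because "Monitor" is the only one the page shows; and the NETWORK_CONNECTION-vs-GENERIC_EVENT choice is made on whether both endpoint IPs are present. Where the field table and the sample output disagree (`application`, `ISP_name`), the sample output is followed. The embedded record is the page's log sample trimmed to the fields mapped here.

```python
"""Toy normalizer: CATO SD-WAN JSON event -> UDM-style dotted field paths.

Added example, not the vendor's or the SIEM's parser. It covers only the
fields the page's Sample Parsing section shows.
"""
import json

# Constructed input: the page's log sample, trimmed to the mapped fields.
SAMPLE_LOG = """{"ISP_name":"Rural Telephone Service Company Inc","action":"Monitor",
"app_stack":["TCP","SIP","Application"],"application":"Application",
"categories":["General","Voip Video"],"dest_ip":"10.0.0.0","dest_port":5060,
"dest_site_name":"Park City","dest_user_id":-1,"dns_name":"Hostname@hostname.com",
"event_sub_type":"WAN Firewall","event_type":"Security","internalId":"123abc123abc",
"ip_protocol":"TCP","os_type":"OS_LINUX","pop_name":"Kansas-City","rule_id":"1234",
"rule_name":"WAN -Default","src_country":"United States","src_ip":"0.0.0.0",
"src_isp_ip":"100.0.0.0","src_site":"Salina","subnet_name":"Voice","user_id":-1}"""

# One-to-one mappings from the page's field table; `application` and
# `ISP_name` follow the Sample Parsing output where the table differs.
SCALAR_MAP = {
    "action": "security_result.action_details",
    "application": "target.application",
    "dest_ip": "target.ip",
    "dest_port": "target.port",
    "dest_site_name": "target.location.name",
    "dest_user_id": "target.user.userid",
    "dns_name": "target.user.user_display_name",
    "event_sub_type": "metadata.description",
    "event_type": "metadata.product_event_type",
    "internalId": "metadata.product_log_id",
    "ip_protocol": "network.ip_protocol",
    "os_type": "principal.asset.platform_software.platform_version",
    "rule_id": "security_result.rule_id",
    "rule_name": "security_result.rule_name",
    "src_country": "principal.location.country_or_region",
    "src_ip": "principal.ip",
    "src_isp_ip": "observer.ip",
    "src_site": "principal.location.name",
    "user_id": "principal.user.userid",
}
STRING_COERCED = {"dest_user_id", "user_id"}   # integers in the log, strings in UDM
LABEL_FIELDS = ("pop_name", "app_stack")        # -> security_result.about.labels
ADDITIONAL_FIELDS = ("ISP_name", "subnet_name")  # -> additional.fields
REPEATED = {"categories": "security_result.category_details"}


def normalize(raw: str) -> dict:
    """Return {UDM path: value}; repeated fields become lists."""
    event = json.loads(raw)
    udm = {"metadata.vendor_name": "CATO", "metadata.product_name": "SD_WAN",
           "metadata.base_labels.log_types": "CATO_SDWAN"}
    for src, dst in SCALAR_MAP.items():
        if src in event:
            udm[dst] = str(event[src]) if src in STRING_COERCED else event[src]
    for src, dst in REPEATED.items():
        if isinstance(event.get(src), list):
            udm[dst] = list(event[src])
    labels = []                      # key/value pairs, one per list element
    for src in LABEL_FIELDS:
        values = event.get(src)
        for v in (values if isinstance(values, list) else [values]):
            if v is not None:
                labels.append({"key": src, "value": str(v)})
    if labels:
        udm["security_result.about.labels"] = labels
    extra = {k: event[k] for k in ADDITIONAL_FIELDS if k in event}
    if extra:
        udm["additional.fields"] = extra
    # Assumption (inferred from the sample output): "host@domain" is split.
    host, sep, domain = event.get("dns_name", "").partition("@")
    if sep:
        udm["target.hostname"], udm["target.administrative_domain"] = host, domain
    # Assumption: only "Monitor" is documented, and it maps to UNKNOWN_ACTION.
    if "action" in event:
        udm["security_result.action"] = "UNKNOWN_ACTION"
    # Assumption: a record with both endpoint IPs is a connection event.
    both_ends = "src_ip" in event and "dest_ip" in event
    udm["metadata.event_type"] = "NETWORK_CONNECTION" if both_ends else "GENERIC_EVENT"
    return udm


def render(udm: dict) -> list:
    """Render in the page's 'path = value' style, one line per value."""
    lines = []
    for path in sorted(udm):
        value = udm[path]
        if path == "security_result.about.labels":
            for label in value:
                lines.append(f'{path}.key = "{label["key"]}"')
                lines.append(f'{path}.value = "{label["value"]}"')
        elif path == "additional.fields":
            lines.extend(f'{path}["{k}"] = "{v}"' for k, v in value.items())
        elif isinstance(value, list):
            lines.extend(f'{path} = "{v}"' for v in value)
        elif isinstance(value, int):
            lines.append(f"{path} = {value}")   # ports stay numeric, ids do not
        else:
            lines.append(f'{path} = "{value}"')
    return lines


if __name__ == "__main__":
    print("\n".join(render(normalize(SAMPLE_LOG))))
```

Running it reproduces the Sample Parsing lines for the embedded record. The points worth checking against a real parser are the ones the table does not make obvious: `dest_port` stays an integer while `user_id` and `dest_user_id` become the string `"-1"`, each element of `app_stack` and `categories` becomes its own repeated value, and the `@` in `dns_name` is the only reason `target.hostname` and `target.administrative_domain` appear at all.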