Configure Cato SSE 360 for Arctic Wolf monitoring

You can configure Cato SSE 360® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An account administrator role with Editor permissions in the Cato Management Application.

Enable the events feed

  1. Sign in to the Cato Management Application.
  2. Click Resources.
  3. In the side navigation pane, click Event Integrations.
  4. On the Event Integrations page, click the Enable integration with Cato events toggle to the on position.

Disable allowlist event tracking

Allowlist event tracking generates a high volume of events that are not security-relevant and that arrive too quickly to be queried through the API, which causes operational issues. You must disable allowlist event tracking to reduce noise and prevent polling timeouts.

  1. Sign in to the Cato Management Application.
  2. Click Security.
  3. In the side navigation pane, click IPS.
  4. Click the Allow List tab.
  5. For each entry on the Allow List tab:
    1. Click the name of the entry to open the Edit panel.
    2. In the Track menu, clear the Event checkbox.
    3. Click Apply.

      The Edit panel closes.

  6. Click Save.

Create an API key

  1. Sign in to the Cato Management Application.
  2. Click Resources.
  3. In the side navigation pane, click API Keys.
  4. On the API Keys page, click New.
  5. In the Create API Key panel, configure these settings:
    • Key Name — Enter a name for the API key.
    • API Permission — Select Downgrade to View.
    • Allow access from IPs — Select Any IP.
    • Expires on — Select an expiry date that meets your security governance requirements.
  6. Click Apply.

    The API key is added and the Create API Key - Success dialog appears.

  7. Save the API key in a safe, encrypted location to provide to Arctic Wolf later.
  8. Click OK.

Find the account ID

  1. Sign in to the Cato Management Application.
  2. In the URL, copy the integer, and then save it in a safe, encrypted location.
    This integer typically appears after /account/ in the URL. For example: organization_name.catonetworks.com/#/account/account_id/

    You will provide this value to Arctic Wolf later.

Provide Cato SSE 360 credentials to Arctic Wolf

Note:

Time-based events are polled with a delay to make sure that data is available. For new deployments, Arctic Wolf begins polling and reviewing activity from approximately one hour prior to configuration success. If API credentials fail, for example due to expired credentials, Arctic Wolf notifies you and requests a new set of credentials. After receiving refreshed credentials, Arctic Wolf can only retrieve data from the previous 12 hours. Provide refreshed credentials within 12 hours of expiry to enable complete data polling and coverage.

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Data Collection > Cloud Sensors.
  3. Click Add Account +.
  4. On the Add Account page, click Cato Networks.
  5. Configure these settings:
    • Account Name — Enter a unique and descriptive name for the account.
    • Account ID — Enter the integer obtained in Find the account ID.
    • API Key — Enter the API key obtained in Create an API key.
    • API URL — Select the appropriate option based on your region.
    • Credential Expiry — (Optional) Enter the credential expiration date, if applicable.
  6. Click Test and submit credentials.