Recent Content
Defender for Identity - VPN Integration
Hi, We frequently get false positives from Microsoft Defender for Identity because it's unable to map the IP address Cato assigns to a remote user with their laptop hostname. I guess our on-prem Microsoft sensors are unaware of the Cato client range. I think the only way to fix it is to send RADIUS accounting events from Cato to the Microsoft sensor, but I don't think this can be done? https://learn.microsoft.com/en-us/defender-for-identity/vpn-integration
1 View, 0 Likes, 0 Comments

Error when attempting to add pooled license to site via Terraform
Hi, I'm trying to use the new cato_license resource in Terraform to automatically add a license to a site from our pooled license, but I'm getting the following error message. While investigating, I ran an API call to show all our licenses and noticed that our pooled licenses have an ID of "null". Is this perhaps an issue with my licenses?
17 Views, 0 Likes, 1 Comment

Terraform vSocket 2-NIC Module issues
We are in the process of deploying a 2-NIC vSocket cluster in Azure with Terraform. In doing so, we have encountered hurdles, some of which have been solved by a newly published Terraform module from Cato: https://github.com/catonetworks/terraform-cato-vsocket-azure-ha-vnet-2nic/
However, there is no 2-NIC module that only deploys the vSockets without deploying additional resources. The current 2-NIC module does not allow resource groups or VNETs to be created, but other resources such as subnets, public IPs, interfaces, NSGs, routing tables etc. are still created. This means that we have to take the module apart and adapt it to our requirements. However, we would like to be able to fall back on a standard module from Cato and not maintain a customized module. Interestingly, this module is already available for the 3-NIC solution:
https://github.com/catonetworks/terraform-cato-vsocket-azure/blob/main/main.tf (Standalone)
https://github.com/catonetworks/terraform-cato-vsocket-azure-ha/blob/main/main.tf (HA)
What we need is a 2-NIC module, analogous to the above, without additional Azure resources deployed. Furthermore, the 2-NIC module also limits which options can be used for the azurerm_linux_virtual_machine resource. The following options are missing:
- Naming convention (the option to use completely custom names for the vSockets)
- Use of availability zones
Is there any information on whether and when something like this is coming?
12 Views, 1 Like, 1 Comment

Microsoft Defender for Endpoint alerts no longer showing in Stories Workbench
I'm seeking advice regarding the integration between Cato XDR and Microsoft Defender for Endpoint (MDE). Previously, MDE alerts were being displayed correctly in Cato XDR (Home > Stories Workbench), but since yesterday, new incidents detected in MDE are no longer appearing in XDR. Below is the current status of our investigation:
When an incident occurs on a device, it is properly detected and displayed in MDE. The integration with MDE was successfully completed, and the corresponding application in Entra ID has been granted the following application permissions with admin consent:
SecurityAlert.Read.All
SecurityIncident.Read.All
ThreatHunting.Read.All
User.Read (delegated)
User.Read.All (application)
In Microsoft Entra ID, the Sign-in logs show that all sign-ins by the service principal are marked as "successful." We tried deleting "Microsoft Defender" once from Security > Endpoint Connector and re-integrating it, but the alerts still do not appear in XDR. I would greatly appreciate any advice or insights to help resolve this issue. Thank you very much in advance.
9 Views, 0 Likes, 0 Comments

Question regarding EntityID
Hi Team, We are working with a customer who needs to retrieve a list of users whose last connection exceeds one month. As advised by our Cato regional Sales Engineer, we are attempting to achieve this using the API in two steps:
1. Use query entityLookup to obtain the EntityID (userID)
2. Use query accountSnapshot to retrieve each user's last connection timestamp
However, we're encountering a challenge due to API rate limits. The entityLookup query is limited to 30 requests per minute (or 1500 over 5 hours), which makes it impractical to retrieve EntityIDs for all 2600+ users in a reasonable timeframe. Below is the Python code we are currently using in our attempt:

```python
import csv
import json
from datetime import datetime, timedelta

import requests

# Cato GraphQL endpoint URL
url = "https://api.catonetworks.com/api/v1/graphql2"

# HTTP headers and API key
headers = {
    "Content-Type": "application/json",
    "x-api-key": "Our client API key",
}

# Query 1: entityLookup, returns the EntityID (UserID) of every SDP user
query1 = """
query AllMyRemoteUsers {
  entityLookup(accountID: 4265, type: vpnUser) {
    items {
      entity {
        id
        name
      }
      description
    }
    total
  }
}
"""

# Run query 1
payload = {"query": query1}
response = requests.post(url, json=payload, headers=headers)
data = response.json()

# Extract the EntityIDs
userIDs = []
try:
    items = data["data"]["entityLookup"]["items"]
    for item in items:
        user_id = int(item["entity"]["id"])
        userIDs.append(user_id)
except KeyError as e:
    print(f"Error parsing response: {e}")
    print(json.dumps(data, indent=2))
print(userIDs)

# Build the comma-separated EntityID list used inside the GraphQL query
user_id_list_str = ",".join(str(uid) for uid in userIDs)
print("EntityID extraction complete")

# Query 2: accountSnapshot, returns lastConnected for the listed users
query2 = f"""
query accountSnapshot {{
  accountSnapshot(accountID: 4265) {{
    users(userIDs: [{user_id_list_str}]) {{
      info {{
        name
        email
        phoneNumber
        status
        authMethod
        origin
      }}
      lastConnected
      version
    }}
  }}
}}
"""

# Run query 2
payload = {"query": query2}
response = requests.post(url, json=payload, headers=headers)

# Parse the query 2 JSON response
result = response.json()

# Collect users with no connection in the past month
cutoff_date = datetime.utcnow() - timedelta(days=30)

# Rows to be saved to CSV
csv_rows = []
try:
    users = result["data"]["accountSnapshot"]["users"]
    for user in users:
        last_connected_str = user.get("lastConnected")
        if last_connected_str:
            last_connected = datetime.strptime(last_connected_str, "%Y-%m-%dT%H:%M:%SZ")
            # A user is inactive when the last connection is on or before the cutoff
            if last_connected <= cutoff_date:
                name = user["info"]["name"]
                email = user["info"]["email"]
                csv_rows.append([name, email, last_connected.strftime("%Y-%m-%d %H:%M:%S")])
except KeyError as e:
    print(f"Error extracting user data: {e}")

# Save to CSV (file name in Korean: "users with no connection in the past month")
csv_file_path = "한달간 접속이력 없는 사용자.csv"
with open(csv_file_path, mode="w", newline="", encoding="utf-8") as file:
    writer = csv.writer(file)
    writer.writerow(["Name", "Email", "Last Connected"])
    writer.writerows(csv_rows)
print(f"\nCSV file saved: {csv_file_path}")
```

On line 57, you can see that we need to put all the EntityIDs (UserIDs) to check each user's last connection info. But because of entityLookup's limit, it only puts 30 SDP users' EntityIDs. Could you please let us know if there is any other way to get all the EntityIDs (userIDs) using the API so we can list the users according to their last connection? Best regards,
35 Views, 0 Likes, 2 Comments

Device posture basis domain name
One of the issues we raised during the Cato Connect program was around the device posture policy based on domain name, and it was clarified that this falls under advanced configuration and can be done by the support/CSM team. I raised a ticket for the same, and the response was that they can apply it, but from the backend and at account level. I want to exclude some of my senior management from this policy, but that is not feasible now since it is done at account level. Also, I can't do testing by applying this domain-based device posture policy to some 2-3 users to see if it works properly, and there is no option from the frontend to disable it if there is any issue; I totally depend on a service ticket and the backend team. This makes this good policy not deployable, as it has potential risk since neither testing nor exclusion can be done, unlike any other device posture policy, because the policy is deployed from the backend and at account level.
37 Views, 0 Likes, 4 Comments

API call to return number of current SDP sessions?
I was wondering if there is an API call to return the number of current SDP sessions? I am able to return the list of connected sessions and count them, but I was wondering if there is a more direct way to just return the number directly. Thanks.
42 Views, 2 Likes, 1 Comment
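Returning to the EntityID question above (the two-step entityLookup then accountSnapshot script): the practical answer to a per-user rate limit is to stop issuing one request per user. The block below is an added example, not code from that post or from Cato. It pages through entityLookup with `limit`/`from`, queries accountSnapshot in chunks of IDs, throttles itself to the stated 30 requests per minute with an injectable clock, and flags users whose lastConnected is more than 30 days old or missing. Assumptions not confirmed on the page: that entityLookup accepts `limit`/`from` paging arguments and a page size of 1000, that accountSnapshot user items carry an `id` field, and the GraphQL variable types written in the two query strings. It runs offline against a constructed fake of the API holding 2,500 synthetic users; the account ID 4265 is the one from the post.

```python
"""Added example, not code from the forum post or from Cato: gather every SDP user's
EntityID with a few paged entityLookup calls instead of one per user, throttle to the
stated 30 requests/minute, then list users whose lastConnected is older than 30 days.
ASSUMED (not confirmed on the page): entityLookup accepts `limit`/`from` paging
arguments, accountSnapshot user items carry `id`, and a page size of 1000 is allowed."""
import time
from collections import deque
from datetime import datetime, timedelta, timezone

ENTITY_LOOKUP = """query Users($accountID: ID!, $limit: Int!, $from: Int!) {
  entityLookup(accountID: $accountID, type: vpnUser, limit: $limit, from: $from) {
    items { entity { id name } } total } }"""
SNAPSHOT = """query Snapshot($accountID: ID!, $userIDs: [ID!]) {
  accountSnapshot(accountID: $accountID) {
    users(userIDs: $userIDs) { id info { name email } lastConnected } } }"""


class RateLimiter:
    """Sliding-window limiter: at most max_calls per period seconds; clock/sleep injectable."""

    def __init__(self, max_calls, period, clock=time.monotonic, sleep=time.sleep):
        self.max_calls, self.period, self.clock, self.sleep = max_calls, period, clock, sleep
        self.calls = deque()  # timestamps of calls inside the current window

    def wait(self):
        for _ in range(2):  # second pass re-checks the window after sleeping
            now = self.clock()
            while self.calls and now - self.calls[0] >= self.period:
                self.calls.popleft()
            if len(self.calls) < self.max_calls:
                break
            self.sleep(self.period - (now - self.calls[0]))
        self.calls.append(now)


def fetch_all_user_ids(post, account_id, page_size=1000, limiter=None):
    """Page through entityLookup until `total` entities are seen; post(query, vars) -> dict."""
    ids, offset, total = [], 0, None
    while total is None or offset < total:
        if limiter:
            limiter.wait()
        data = post(ENTITY_LOOKUP, {"accountID": account_id, "limit": page_size, "from": offset})
        if "errors" in data:
            raise RuntimeError(data["errors"])
        result = data["data"]["entityLookup"]
        total = result["total"]
        if not result["items"]:  # defensive: never spin on an empty page
            break
        ids.extend(item["entity"]["id"] for item in result["items"])
        offset += len(result["items"])
    return ids


def fetch_last_connected(post, account_id, user_ids, chunk=500, limiter=None):
    """accountSnapshot in chunks -> {id: (name, email, lastConnected or None)}."""
    out = {}
    for i in range(0, len(user_ids), chunk):
        if limiter:
            limiter.wait()
        data = post(SNAPSHOT, {"accountID": account_id, "userIDs": user_ids[i:i + chunk]})
        for u in data["data"]["accountSnapshot"]["users"]:
            out[u["id"]] = (u["info"]["name"], u["info"]["email"], u.get("lastConnected"))
    return out


def stale_users(users, now, days=30):
    """Users whose lastConnected is on/before now - days, plus users who never connected."""
    cutoff = now - timedelta(days=days)
    rows = []
    for uid, (name, email, last) in users.items():
        if last is None:
            rows.append((uid, name, email, "never"))
        elif datetime.fromisoformat(last.replace("Z", "+00:00")) <= cutoff:
            rows.append((uid, name, email, last))
    return sorted(rows)


def inactive_report(post, account_id, now, days=30, limiter=None):
    ids = fetch_all_user_ids(post, account_id, limiter=limiter)
    return stale_users(fetch_last_connected(post, account_id, ids, limiter=limiter), now, days)


# Constructed offline stand-in for the API: 2,500 synthetic users, not real Cato data.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
_ts = lambda days_ago: (NOW - timedelta(days=days_ago)).strftime("%Y-%m-%dT%H:%M:%SZ")
SAMPLE_USERS = [  # id, (name, email, lastConnected); cycles stale, active, never connected
    (str(1000 + i), (f"user{i}", f"user{i}@example.com", (_ts(40), _ts(5), None)[i % 3]))
    for i in range(2500)]


class FakeApi:
    """Answers the two queries from SAMPLE_USERS and counts the requests made."""

    def __init__(self, users):
        self.users, self.calls = users, 0

    def __call__(self, query, variables):
        self.calls += 1
        if "entityLookup" in query:
            page = self.users[variables["from"]:variables["from"] + variables["limit"]]
            return {"data": {"entityLookup": {"total": len(self.users), "items": [
                {"entity": {"id": uid, "name": n}} for uid, (n, _, _) in page]}}}
        wanted = set(variables["userIDs"])
        return {"data": {"accountSnapshot": {"users": [
            {"id": uid, "info": {"name": n, "email": e}, "lastConnected": lc}
            for uid, (n, e, lc) in self.users if uid in wanted]}}}
```

Against the fake, `inactive_report(FakeApi(SAMPLE_USERS), "4265", NOW, limiter=RateLimiter(30, 60))` finishes in eight requests (three entityLookup pages plus five accountSnapshot chunks), comfortably inside 30 per minute, and returns 1,667 rows. To use it against the real endpoint, replace FakeApi with a function that POSTs `{"query": query, "variables": variables}` (standard GraphQL variables) to the graphql2 URL with the x-api-key header and returns `response.json()`; keep the limiter, since the 30-per-minute budget is what the post is hitting.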