Discussions
Discussions and questions regarding Cato Networks and SASEBest Practices
Find Cato Networks best practices, tips, tricks, and other helpful information!
Recent Content
Microsoft Defender for Endpoint alerts no longer showing in Stories Workbench
I'm seeking advice regarding the integration between Cato XDR and Microsoft Defender for Endpoint (MDE). Previously, MDE alerts were being displayed correctly in Cato XDR (Home > Stories Workbench), but since yesterday, new incidents detected in MDE are no longer appearing in XDR. Below is the current status of our investigation: When an incident occurs on a device, it is properly detected and displayed in MDE. The integration with MDE was successfully completed, and the corresponding application in Entra ID has been granted the following application permissions with admin consent: SecurityAlert.Read.All SecurityIncident.Read.All ThreatHunting.Read.All User.Read (delegated) User.Read.All (application) In Microsoft Entra ID, the Sign-in logs show that all sign-ins by the service principal are marked as "successful." We tried deleting "Microsoft Defender" once from Security > Endpoint Connector and re-integrating it, but the alerts still do not appear in XDR. I would greatly appreciate any advice or insights to help resolve this issue. Thank you very much in advance.
Device posture basis domain name
One of the issue we raised during Cato Connect program was around device posture policy basis domain and it was clarified that this falls under advanced configuration and can be done by support/CSM team. I raised ticket for the same and the response was that they can apply but from backend and at account level. I want to exclude some of my senior management from this policy but it is not feasible now since done at account level. Also I cant do testing by applying this device posture basis domain for some 2-3 users to see if it works properly and also no option from frontend to disable if there is any issue and totally depend on service ticket and backend team. This makes this good policy not to be deployed as it has potential risk since neither testing can be done nor exclusion can be done unlike any other device posture policy since policy deployed from backend and deployed at account level.
Setting up SSO with IdPs other than the default nine?
I would like to ask about the possibilities of setting up SSO integration with Identity Providers (IdPs) that are not among the nine default options provided. What methods are available for establishing SSO connections with IdPs beyond the default nine? Is there a way to configure a generic IdP setting, or can we leverage the existing nine IdP configurations to connect with other IdPs? Additionally, is there a process to request a new IdP to be officially supported or added as a connection option? Any insights or guidance on this would be greatly appreciated. Thank you. Sincerely, hisashi
Cato Connect Event: AMA with Professional Services
Ever wish you could get direct time with the experts? On June 3rd, 2025 at 11:00 AM EDT, you’ll get just that — a live AMA with two of our Principal Consultants from the Cato Professional Services team. We’ll cover topics like: Designing and implementing a CMA deployment Best practices we’ve seen across real-world environments Your questions — seriously, bring them Here’s how to get the most out of it: Click here to register and get the calendar invite and join us live Post your questions below in the comments — we’ll answer pre-submitted ones first, before tackling live chat during the session + See a question you like? Give it a “like” to help it rise to the top Note: We won’t be able to look at specific CMA instances — demos will be done using internal environments. That’s it — register, post your questions, and we’ll see you there! Presenters: Principal Consultant Professional Services, Italy Principal Consultant Professional Services, USA If you run into any issues, @mention me or email us at community@catonetworks.com
Reporting the wrong category goes nowhere
As per https://support.catonetworks.com/hc/en-us/articles/4413280530449-Customizing-the-Warning-Block-Page: "The Cato Security team regularly reviews reported wrong categories and validates that the content for the category is correct. When websites or applications belong to the wrong category, the Cato Security team updates the definition of the category." Not so much. I just went through the last two months of such reports (filter for "Sub-Type Is Misclassification" in the Events log) and found 31 such requests from our users - most were for perfectly legit sites that for some reason were categorized as "Porn". And they still are - every single one of them. If the Cato security team is indeed not reviewing these submissions as originally intended, it would be great if that was communicated so that we can remove that misleading reporting link and take care of the Brightcloud submissions ourselves.
