Generating a Security Events Report

This article describes how to generate Cato Security events reports that highlight the significant data and information related to Cato's Security services for your account.

Overview of Security Events Reports

Cato provides Predefined Report templates that summarize activities in your account for events generated by the Security services in your account.

Create the template for the Scheduled or One-Time report with the sites and SDP users that are included in the report over the defined time range. By default, the Predefined Report template for the Security Events report shows traffic and data for all sites and SDP users for the past week.

For more about working with Predefined Reports, see Cato Reports.

Creating a Scheduled Security Events Report

Create a new Scheduled report, and define the Filters for the items included in the report. Then define the Report Schedule which defines how often the report is generated - daily, weekly, or monthly. Generated reports are stored in the Cato Cloud, and they can be automatically emailed or downloaded. The Report Schedule also defines the time range that is covered by each report. The time range starts on 00:00 UTC (inclusive) at the start of each period, and ends on 00:00 UTC (non-inclusive) at the end of the period.

You can select the Mailing List of email addresses for the recipients, the list can include Cato Management Application admins and external users.

For more information about Mailing Lists, see Working with Mailing Lists.

To create a scheduled Security Events report:

From the navigation pane, select Home > Reports.
From the Predefined Reports tab, click New > Scheduled report. The Scheduled Report panel opens.
Enter the Report Name for the Predefined Report.
In Type, select Security Events.
(Optional) In Filters, select specific sites or users for the Predefined Report.

By default, the Predefined Report includes all sites and users.

To include multiple sites or users in the report, use the IN operator.
In Report Schedule, configure these settings:
1. Select the Frequency that the report is automatically sent: Daily, Weekly, or Monthly.
2. For Weekly and Monthly Scheduled reports, in Every select the day that the report is sent.
In Subscriptions, select the Mailing List that receives the report.

You can click New to create a new mailing list.
Click Save. The report template is added to the Predefined Reports tab.

Manually Generating a Scheduled Report

A new Scheduled report is generated based on the Report Schedule settings. For example, a weekly report configured for Monday, is generated every Monday. You can also choose to manually generate a Predefined Report, and the generated report uses the same time range based on the current day. If an admin manually generates a weekly report on a Tuesday, the time range for the report is the previous 7 days starting from that Tuesday, regardless of the starting day of the Scheduled report.

To manually generate a Scheduled report:

From the navigation pane, select Home > Reports.
From the Predefined Reports tab, find the Scheduled report and click Generate.
From the Generated Reports tab, find the report and click Download.

Creating a One-Time Security Events Report

Create a new One-time report template, and define the Filters for the items included in the report. Then define the Time Range that the report covers.

To create a Predefined Report:

From the navigation pane, select Home > Reports.
From the Predefined Reports tab, click New > One-time report. The One-time report panel opens.
Enter the Report Name for the Predefined Report.
In Type, select Security Report.
(Optional) In Filters, select specific sites or users for the Predefined Report.

By default, the Predefined Report includes all sites and users.

To include multiple sites or users in the report, use the IN operator.
Select the Time Range of the report.

For a Custom range, select the start date (From) and the end date (To) for the Predefined Report.
Click Save. The report template is added to the Predefined Reports tab.

You can also click Save & Generate, and then the report is generated and you can download it from the Generated Reports tab.

Understanding the Security Report

The sections in the report that show the top events for a Security service, show up to the top 12 items for that section.

These are the sections in the Security report:

Security Events Summary
- Blocked Security Events: Graph showing all the block events for the Security engines enabled for your account
- Top Blocked Events: The top Security engines according to the block events, and the number of events for each engine
- Top Sites - Security Events (Blocked): Top sites with traffic that generated block events
- Top Users - Security Events (Blocked): Top users that generated block events
Internet Firewall
- Block and Prompt Events: Graph showing events according to the Prompt, Block, or RBI rule action for the Internet Firewall
- Allowed Events: Graph showing events for rules with Monitor action that generates events when the Internet Firewall rule is matched
- Top Blocked Apps: Top apps blocked by the Internet Firewall with the hit count
- Top Blocked Categories: Top categories blocked by the Internet Firewall with the hit count
- Top Blocked Domains: Top domains blocked by the Internet Firewall with the hit count
WAN Firewall
- Blocked and Prompt Events: Graph showing block events according to the Prompt or Block rule action for the WAN Firewall
- Allowed Events: Graph showing events for WAN Firewall rule with Monitor action that generates events when the rule is matched
- Top Blocked Apps: Top apps blocked by the WAN Firewall with the hit count
- Top Blocked Categories: Top categories blocked by the WAN Firewall with the hit count
- Top Blocked Domains: Top domains blocked by the WAN Firewall with the hit count
IPS Events
- Top Threats: Top Threat Names blocked by the IPS service with the number of events for each threat
- Blocked Events: Graph showing all the block events for the IPS service over the time range of the report
- Threat Types: Chart showing the percentage of the IPS Threat Types that were blocked
- Risk Level: Chart showing percentage of the Risk Levels for the IPS block events
- Traffic Direction: Chart showing percentage of the Traffic Direction for the IPS block events
Anti-Malware Events
- Top Detections: Top Threat Names blocked by the Anti-Malware service with the number of events for each threat
- Blocked Events: Graph showing all the block events for the Anti-Malware service over the time range of the report
- Threat Types: Chart showing the percentage of Threat Type identified by the Anti-Malware service
- Anti-Malware Actions: Chart showing percentage of actions by the Anti-Malware service
- Sources with positive detections: List of sources (site or SDP user) for threats detected by the Anti-Malware service
Suspicious Activity Events
- Top Threats: Top Threat Names identified by the SAM engine for the IPS service with the number of events for each threat
- Monitored Events: Graph showing all the Monitor events for the SAM engine over the time range of the report
- Threat Types: Chart showing the percentage of the Threat Types that were identified by the SAM engine
- Risk Level: Chart showing the percentage of the Risk Levels for the SAM events
- Traffic Direction: Chart showing percentage of the Traffic Direction for the SAM events
DNS Protection Events
- Threat Types: Chart showing the percentage of the Threat Types that were blocked by the DNS Protection engine
- Top Domains: Top domains blocked by the DNS Protection engine with the hit count
- DNS Protection Top Hosts: Top hosts that had DNS Protection block events with the hit count