This article explains how to use natural language queries to drill down and identify relevant data on the Events page, and also includes information about the new default page filter.
Note: This is an Early Availability (EA) feature that is only available for limited release. For more information, contact your Cato Networks representative or send an email to ea@catonetworks.com.
Natural language search lets users find relevant data using everyday language instead of complex queries, commands, or filters. This matters for network and security monitoring because it simplifies querying vast amounts of data, and lets admins focus on the most relevant information with less technical expertise. Searching with everyday language improves response times and makes admin teams more effective by making access to data more intuitive.
The Cato Management Application (CMA) integrates generative AI with the Events page to enable natural language search as part of the powerful search tools that let you drill down and identify the events that contain the relevant data you need.
There are two methods of filtering the page:
- Natural language search - Filter events by entering queries in everyday language to find the data you need. When you enter a natural language query, an advanced AI engine translates your query into filters that refine the data shown on the page to match what you're looking for. Then you can manually adjust the filters to further refine the results.
- Using preset and manual filters - There are many preset filters you can use, or you can manually define the values for a filter. To manually define a filter, add event fields to the filter and the page refreshes with the matching events. This is the default method for filtering the page and will remain the default when the feature is released as General Availability.
The natural language search lets you use common words and phrases to request the data that you’re looking for. Enter the keywords or phrases for the query in the search bar and the AI search engine translates the query into the relevant filters and fields. Review the filters created by the AI engine, and if the query isn’t quite right, you can enter a new query or manually edit the filters.
The AI engine also formats the table of event results to show the columns relevant to the query.
These are examples of queries you can enter and the resulting filters:
- Show me Internet firewall security events from phishing category URLs
- Show recent security incidents and alerts related to application vulnerabilities and threats
- Show me a security alert where data was sent from computer 10.0.0.1 to computer 10.0.0.2 over the Internet
Note: Avoid entering sensitive information in the search bar to prevent it from being submitted to an AI search engine.
To filter events with a natural language query:
- Click to open the natural language search bar.
- Type a query in everyday language in the search bar and press Enter.
  The AI engine translates the query into the filters shown in the dropdown window, and the page is updated to show the events according to the filters.
- If necessary, refine the filters manually:
  - Click to open the filter bar.
  - Add new filters to refine the results. For more about adding filters, see Analyzing Events in Your Network.
- Use the preset drop-down to set any of the preset filters to be the Default preset filter. The Default preset determines the filters applied when the page is first opened, and can also be selected from the preset drop-down menu.
How does the natural language search feature work?
When you type a query in everyday language, it's sent to an AI engine (provided by Amazon Bedrock or OpenAI) that translates it into specific filters and fields relevant to the Events page. These filters are then applied to refine the event data displayed. The AI engine only processes the query you enter and doesn’t have access to your event data.
What data is sent to the AI engine when I use this feature?
Only the natural language query that you type into the search bar is sent to the AI engine. No customer data, event logs, or any other account information is shared with the AI service. The AI engine processes your query in isolation, without any context of your specific data.
How is my company's data protected when using this feature?
Your company's data remains within the CMA environment and is not exposed to the AI engine. The engine only receives and processes the text of your query. It then returns instructions on how to create filters that match your query, which are applied within your secure CMA environment. This approach ensures that your sensitive information never leaves your protected infrastructure.
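The design described in the answers above (only the query text leaves the CMA, and the engine's reply is a set of filter instructions applied locally) means the reply should be treated as untrusted input. The following added example, which is not Cato's code and assumes a JSON request/response shape that is not the CMA's actual format, builds a query-only request and accepts only filters that name fields from the supported-field list further down this article:

```python
"""Added illustration (not Cato's code): send only the query text to the AI
engine, then validate its reply against an allowlist of supported Events-page
fields before applying anything. The JSON shapes here are assumptions."""
import ipaddress
import json

# Subset of the EA-supported event fields listed in this article (allowlist).
SUPPORTED_FIELDS = {
    "action", "application", "categories", "dest_ip", "dest_port",
    "event_sub_type", "event_type", "src_ip", "src_port", "threat_name", "url",
}
ALLOWED_OPERATORS = ("is", "is_not", "contains")  # assumed operator set


def build_ai_request(query: str) -> dict:
    """Only fixed instructions and the user's query text go to the AI engine.
    No event logs or account data are included in the payload (assumed shape)."""
    return {
        "instructions": "Translate the query into Events page filters.",
        "query": query,
    }


def validate_filters(ai_reply: str) -> tuple[list[dict], list[str]]:
    """Parse the engine's reply; return (accepted filters, rejection reasons)."""
    accepted, rejected = [], []
    try:
        filters = json.loads(ai_reply)["filters"]
    except (ValueError, KeyError, TypeError):
        return [], ["reply is not the expected JSON shape"]
    for f in filters:
        field, op, value = f.get("field"), f.get("operator"), f.get("value")
        if field not in SUPPORTED_FIELDS:          # unknown field: never apply it
            rejected.append(f"unsupported field: {field!r}")
            continue
        if op not in ALLOWED_OPERATORS:
            rejected.append(f"unsupported operator {op!r} on {field}")
            continue
        if field.endswith("_ip"):                  # value must parse as an address
            try:
                ipaddress.ip_address(value)
            except ValueError:
                rejected.append(f"{field}: {value!r} is not an IP address")
                continue
        accepted.append({"field": field, "operator": op, "value": value})
    return accepted, rejected


# Constructed reply for the article's third example query (assumed format),
# including one bogus filter the engine should never be able to inject.
SAMPLE_REPLY = json.dumps({"filters": [
    {"field": "event_type", "operator": "is", "value": "Security"},
    {"field": "src_ip", "operator": "is", "value": "10.0.0.1"},
    {"field": "dest_ip", "operator": "is", "value": "10.0.0.2"},
    {"field": "raw_sql", "operator": "is", "value": "1=1"},
]})
```

Running `validate_filters(SAMPLE_REPLY)` accepts the three field filters and reports the unknown `raw_sql` field instead of applying it.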
Does Cato use my queries or data to train the AI engine?
No, Cato does not use your queries or any of your data to train the AI engine. The AI engines we use (from Amazon Bedrock and OpenAI) are pre-trained. For each query, we send specific instructions to the AI along with your input to guide its interpretation, but this is done in real-time and is neither used for training nor stored for future use.
Can I choose not to use the natural language search feature?
Yes, the natural language search is an optional feature. You can continue to use the traditional preset and manual filters for event searching and analysis if you prefer. The system allows you to switch between natural language search and traditional filtering methods based on your preference and security requirements.
For the EA release, natural language search supports a limited set of event fields. Support for the other fields will be gradually added. The following lists detail which event fields are currently supported, and which ones will be added.
Currently supported event fields:
- action
- ad_name
- always_on_configuration
- api_name
- app_activity_type
- application
- application_risk
- auth_method
- authentication_type
- categories
- client_class
- client_version
- dest_country
- dest_country_code
- dest_ip
- dest_is_site_or_vpn
- dest_port
- dest_site_name
- device_name
- directory_ip
- directory_sync_result
- dns_protection_category
- dns_query
- domain_name
- event_count
- event_sub_type
- event_type
- file_hash
- file_name
- file_size
- file_type
- flows_cardinality
- host_mac
- internalId
- ip_protocol
- is_sanctioned_app
- ISP_name
- link_type
- login_type
- matched_data_types
- mitre_attack_subtechniques
- mitre_attack_tactics
- mitre_attack_techniques
- os_type
- os_version
- pop_name
- risk_level
- signature_id
- socket_role
- src_country
- src_country_code
- src_ip
- src_is_site_or_vpn
- src_isp_ip
- src_port
- src_site_name
- subnet_name
- targets_cardinality
- threat_name
- threat_type
- threat_verdict
- time
- tls_error_type
- tls_inspection
- tls_version
- traffic_direction
- url
- user_name
- vpn_user_email
Event fields to be added in later releases:
- always_on_configuration
- analyst_verdict
- api_type
- app_activity
- app_activity_category
- bgp_cato_asn
- bgp_cato_ip
- bgp_error_code
- bgp_peer_asn
- bgp_peer_description
- bgp_peer_ip
- bgp_route_cidr
- bgp_suberror_code
- bypass_duration_sec
- bypass_method
- client_cert_expires
- client_cert_name
- collaborator_name
- collaborators
- confidence_level
- configured_host_name
- congestion_algorithm
- connect_on_boot
- connector_name
- connector_status
- connector_type
- criticality
- device_certificate
- directory_host_name
- directory_sync_type
- dlp_fail_mode
- dlp_profiles
- dlp_scan_types
- dst_pid
- dst_process_cmdline
- dst_process_parent_path
- dst_process_parent_pid
- dst_process_path
- egress_pop_name
- egress_site_name
- email_subject
- endpoint_id
- epp_engine_type
- epp_profile
- final_object_status
- http_request_method
- incident_id
- key_name
- link_health_is_congested
- link_health_jitter
- link_health_latency
- link_health_pkt_loss
- network_access
- network_rule
- office_mode
- out_of_band_access
- owner
- pac_file
- producer
- prompt_action
- public_ip
- qos_priority
- quarantine_folder_path
- rule
- severity
- sharing_scope
- sign_in_event_types
- socket_interface
- socket_interface_id
- socket_new_version
- socket_old_version
- socket_reset
- split_tunnel_configuration
- src_pid
- src_process_cmdline
- src_process_parent_path
- src_process_parent_pid
- src_process_path
- story_id
- tcp_acceleration
- threat_confidence
- threat_score
- tls_certificate_error
- tls_error_description
- tls_rule_name
- trusted_networks
- tunnel_ip_protocol
- tunnel_protocol
- upgrade_end_time
- upgrade_initiated_by
- upgrade_start_time
- user_agent
- user_awareness_method
- user_id
- user_reference_id
- user_sid
- visible_device_id
- vpn_lan_access
- windows_domain_name
- xff