Generating Custom Analytics Using Cato CLI for API Queries

Overview

The Cato CLI provides a simple command-line syntax for accessing the Cato GraphQL API endpoints. Several of the query endpoints can provide rich custom analytics reports beyond the predefined dashboards and reports in the Cato Management Application (CMA). These queries let admins extract raw performance and security data, streamlining the analysis of bandwidth consumption for users and applications, Socket traffic and jitter, and many other data points. The CLI also supports integration with external analytics, SIEM, or reporting tools.

By using these Core Analytics Queries with the Cato CLI, you can automate data collection for network monitoring, trend analysis, and compliance use cases. Each query retrieves specific types of telemetry from the Cato Cloud, such as site performance, application usage, or threat activity, giving NOC and SOC teams greater flexibility in analyzing operational metrics.

These are some of the custom analytics for the Cato CLI:

For the complete list of supported fields, filters, and aggregation options, see the Cato CLI documentation on GitHub: Cato CLI - Custom Report Query Operations

Example of Risk Analysis Query

The Risk Analysis query provides visibility into applications with elevated risk scores, based on usage across your organization. This query helps SOC teams identify users accessing high-risk applications and evaluate exposure to shadow IT or data-sharing risks.

Basic Usage (catocli)

The following command retrieves applications with a risk score greater than or equal to 7 for the past 7 days:

catocli query appStats '{
    "appStatsFilter": [
        {
            "fieldName": "risk_score",
            "operator": "gte",
            "values": ["7"]
        }
    ],
    "dimension": [
        {"fieldName": "application_name"},
        {"fieldName": "risk_score"},
        {"fieldName": "user_name"}
    ],
    "measure": [
        {"aggType": "sum", "fieldName": "traffic"},
        {"aggType": "sum", "fieldName": "flows_created"}
    ],
    "timeFrame": "last.P7D"
}'

Result

Returns aggregated statistics for applications with a risk score ≥ 7, including total traffic and number of flows per user. SOC and NOC teams can use this output to identify high-risk application usage and prioritize enforcement policies in the CMA.
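To automate this query and post-process its output for a SIEM or reporting tool, the following Python snippet is an added example (not Cato's code). It builds the same appStats query shown above with the risk threshold and time range as parameters, and rolls a response up to per-application totals; the flat record shape and the sample rows are assumptions constructed for the example, not the documented API envelope.

```python
import json

def build_risk_query(min_risk: int = 7, days: int = 7) -> dict:
    """Return the appStats query from this page, with the risk threshold
    and look-back window as parameters (timeFrame keeps the 'last.P7D' form)."""
    return {
        "appStatsFilter": [
            {"fieldName": "risk_score", "operator": "gte", "values": [str(min_risk)]}
        ],
        "dimension": [
            {"fieldName": "application_name"},
            {"fieldName": "risk_score"},
            {"fieldName": "user_name"},
        ],
        "measure": [
            {"aggType": "sum", "fieldName": "traffic"},
            {"aggType": "sum", "fieldName": "flows_created"},
        ],
        "timeFrame": f"last.P{days}D",
    }

def query_as_cli_argument(query: dict) -> str:
    """Serialise the query for the shell: catocli query appStats '<json>'."""
    return json.dumps(query)

# ASSUMED response shape: one flat dict per row, keyed by the dimension and
# measure field names above. These rows are constructed sample data.
SAMPLE_RECORDS = [
    {"application_name": "FileShareX", "risk_score": 9, "user_name": "alice",
     "traffic": 5_000_000, "flows_created": 120},
    {"application_name": "FileShareX", "risk_score": 9, "user_name": "bob",
     "traffic": 1_000_000, "flows_created": 30},
    {"application_name": "PasteClone", "risk_score": 7, "user_name": "alice",
     "traffic": 200_000, "flows_created": 8},
]

def summarise_by_application(records: list) -> list:
    """Roll per-user rows up to per-application totals, highest traffic first,
    keeping the distinct user list so analysts can see how widespread use is."""
    apps = {}
    for r in records:
        a = apps.setdefault(r["application_name"], {
            "application_name": r["application_name"], "risk_score": r["risk_score"],
            "traffic": 0, "flows_created": 0, "users": set()})
        a["traffic"] += r["traffic"]
        a["flows_created"] += r["flows_created"]
        a["users"].add(r["user_name"])
    out = sorted(apps.values(), key=lambda a: a["traffic"], reverse=True)
    for a in out:
        a["users"] = sorted(a["users"])  # sets are not JSON-serialisable
    return out
```

Pipe the output of `catocli query appStats "$(python -c 'print(query_as_cli_argument(build_risk_query(8, 30)))')"` into `summarise_by_application` once you have confirmed the real response layout.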
