Starting on the 22nd August 2021, a new field has been added to Event Discovery called 'is sanctioned app'. This field is visible within individual events and in the left-hand categorization pane:
What is this field?
The 'Sanctioned App' field classification is a component of an upcoming Product Enhancement. Over the next coming weeks, we will be starting the Early Availability program for the Cato Cloud Access Security Broker (CASB) feature. This will provide our customers with improved enterprise security, and greater awareness of risks associated with cloud application usage.
Currently the 'is sanctioned app' field is expected to return 'false' values, and you should not be concerned at this time.
As part of the Cato CASB offering, we will be providing the ability for customers to define specific applications as 'Sanctioned'. Any applications which have not had explicit permission to operate within a corporate environment will be represented as 'unsanctioned.' This field within Event Discovery will provide additional insight into application risk, and will help you understand the scope of unsanctioned application usage across your corporate network.
For more information about Cato's CASB service, see these articles.