Analyzing Events in Your Network

The Events page shows all the events that occur in your account, such as when sites and remote users connect to the Cato Cloud and block actions by a firewall or security engine.

Overview

Events provide you with detailed data and logs of account activity to help you monitor and manage their environments efficiently. 

There are often millions of events for the selected time range, and the page displays up to 100 events at a time.

Cato provides a number of ways to filter the results. We recommend that you continue to add or modify filters until you find the events that give you the relevant information.

Event data is stored in Cato's Data Lake. For more information, see Guide to Cato Data Lake.

Note

Notes:

  • After an event is generated, typically within a 5 minute time frame the data for that event is shown in the Events page. However, it is possible that some events will be delayed up to 30 minutes.

  • Changes to entity names (such as policy rules) can take up to 24 hours to be reflected in the relevant event fields.

Viewing Event Fields using Quick View

Quick View is an option that displays fewer fields for each Event in order to improve page performance. It is enabled by default, and displays the fields that are most commonly required for analysis. It significantly improves the performance of the Events page as well as the export performance when you select the Quick View export option.

Any fields that are manually selected or mentioned in a filter are also displayed when Quick View is enabled.

You can disable Quick View at any time to load all fields, however this may impact performance.

Fields Included in Quick View

The following fields are displayed for each event when Quick View is enabled. The list of fields is based on customer usage data.

  • Always-On

  • App Activity Category

  • Application

  • Application Activity

  • Application Risk

  • Authentication Method

  • BGP Disconnect Error Code

  • Bypass Method

  • Bypass Reason

  • Category

  • Cato App

  • Client Certificate Name

  • Client Class

  • Client Version

  • Configured Host Name

  • Connector Type

  • Custom Category

  • Destination Country

  • Destination IP

  • Destination is Site or SDP User

  • Destination Port

  • Destination Site

  • Device Certificate

  • Device Name

  • Device OS Type

  • Device Posture Profiles

  • Directory IP

  • Directory Sync Result

  • DLP Profiles

  • DNS Protection Category

  • DNS Query

  • Domain Name

  • Egress PoP Name

  • Event Type

  • event_message

  • Failure Reason

  • File Hash

  • File Type

  • Full Path URL

  • HA Role

  • Host IP

  • Host MAC Address

  • Interface ID

  • IP Protocol

  • Is Sanction App

  • ISP Name

  • LAN Acess

  • Link Health - Packet Loss

  • Link Type

  • Logged In User

  • Login Type

  • Network Rule

  • OS Type

  • PoP Name

  • Public Source IP

  • QoS Priority

  • Reference URL

  • Related Apps

  • Risk Level

  • Rule

  • Rule ID

  • SAM Account Name

  • Severity

  • Signature ID

  • Socket Reset

  • Source Country

  • Source IP

  • Source is Site or SDP User

  • Source ISP IP

  • Source Port

  • Source Site

  • Split Tunnel

  • Status

  • Subnet Name

  • Sub-Type

  • TCP Acceleration

  • Threat Name

  • Threat Type

  • Thread Verdict

  • Time

  • TLS Certificate Error

  • TLS Error Description

  • TLS Error Type

  • TLS Rule Name

  • Traffic Direction

  • Trusted Networks

  • Tunnel Protocol

  • URL

  • User Agent

  • User Display Nae

  • User Email

  • User Name

  • User Principal Name

  • Windows Domain Name

Viewing the Events Page

You can view events for your whole account in the Home > Events page.

Elements on the Events Page

The following image and table explain the elements of the Events page with the Events tab:

events_elements_on_page.jpg

Item

Name

Description

1

Select Presets menu

Drop-down menu with preset filter options to show the events for common scenarios as well as any custom presets you manually saved.

2

Events filter bar

Shows the filters that are applied to the events. Click Add2.png (Add) to manually configure the settings for a filter.

3

Refresh

Refreshes data for events on the page (takes about 5 seconds to refresh)

4

Time range

Select the time range for the events that are shown in the page.

The default time range is Last 2 Days, which shows events for the previous 48 hours. For more information, see Setting the Time Range Filter.

Note: The maximum date range for the Events page is 31 days.

5

Export events menu

Exports events in the current filter to a file. You can export all the fields (columns), or only the ones that you selected.

6

Add to custom presets

Add the current filter to your custom presents so you can easily use the filter again.

7

Natural Language Search

Filter the events list using natural language filters. For more information, see Using Natural Language Search.

8

Manual Filter Toggle

After you have used a natural language search, this button toggles back to the manual filter options.

9

Events timeline

Shows the number of filtered events. Each event type is represented by a different color.

10

Total number of events

Shows the total number of events for the current time range and filter settings.

11

Event type quick filters

Click an event type to hide the events for that type. For example, when you click Network, the Network events aren't shown in the page.

12

Event data view tabs

Select the tab to choose the view for the event data.

  • Events: Shows all the event data in a condensed row. When you expand the row each item of data is on a separate line.

  • Smart View: Shows the event data in an easy-to-read format that provides quick insights. When you expand a row the data is shown in the same way as the Events tab.

  • Top Distributions: Shows the percentage of events according to these charts:

    • Event Type Distribution - Shows the total number of events and the percentage for each of the event types

    • Top Connectivity Events - Shows the top action for connectivity events

    • Top Security Events - Shows the top action for security events

    • Top Source Sites and SDP Users - Shows the top traffic sources from sites and SDP usernames

    • Top Source IPs - Shows the top traffic sources based on IP address

    • Top Target Host Names - Shows the top traffic target (destination) based on host name

    • Commonly Inspected Files OR Top Inspected - Shows the top file names inspected by the Threat Protection engines

13

Event fields

All fields that are in the raw data for the filtered events. You can easily add or exclude a field in the filter.

Shows the cardinality (distinct values) of events that match each field category. When you expand the category, it shows the total number of events for each event type.

14

Time and Raw Data for an event

Shows the time stamp when the event was generated and the raw data for each field in the event. You can also add the fields as new columns to this table.

15

QuickView

QuickView is enabled by default, displaying all the fields that are typically required for analysis for each Event. This significantly improves the page performance. This also improves the export performance when you select the QuickView export option.

Understanding the Event Types

These are the types of events on the Events page:

  • Security - Events generated by Threat Protection and Firewall engines

    • Security events are related to potential security issues, and can help you to fine-tune rules for the firewall

  • Connectivity - Events related to connectivity for LAN monitoring, sites, and VPN Clients in the account

    • Connectivity events are related to issues with the site connection, for example link quality related to packet loss

  • System - Events related to LDAP, User Awareness, license, and user accounts

    • System events are related to the status of a Directory Services sync

  • Routing - Routing, and BGP events

    • Routing events are related to the status of BGP sessions and routes

  • Sockets Management - Events related to Sockets, such as firmware updates

    • Socket management events are related to a Socket successfully updating to the newest version

Filtering and Sorting Events

You can filter events to help you quickly find relevant information.

FIltering Events Using Natural Language Search

You can easily search for events using everyday language to drill-down and identify relevant data on the page. For more details, see Using Natural Language Search

Filtering Events Using Present or Custom Filters

You can use Cato's preset filters or create a custom filters to help you find the relevant events. For details, see Filtering Data on a Page

Adding Event Values to the Events Filter

The left-hand section of the Events page shows the fields and values that are included in the events (item 5 in the previous example). You can easily add a field value to the events filter to drill-down and identify the relevant events.

The following table explains the buttons in the events fields:

Item

Description
Add_button.png

Adds the field to the Selected Fields section, and the page only shows event data for these fields. Click X at the top of the column to remove it.
Include_button.png

Adds the specific value for the field to the filter. The Events page automatically updates and shows events that match the new filter.
Exclude_button.png

Adds an exclusion for this specific value of this field to the filter. The Events page automatically updates and shows events that do NOT match this value.

In addition, you can add a new column that shows event data for the specific field. The following table explains the buttons in the events fields:

To add an event value to the filter:

  1. In the Events page, click the field to expand the values.

    EventValue.png

  2. For the specific value, click the button to add the value or the exclusion to the filter.

    The Events page refreshes and shows the events that match the new filter. The field value shows the number of matching events.

Exporting Events to a File

You can export the event data in the Events page to a file for additional analysis. You can export up to 250,000 events at one time to a file. All Events in the current filter and time range are included in the export. You can use the following three options to control which event fields are included in the export:

  • All fields: Include all fields for every event in the export. 

  • Selected Fields: Only include fields that you added in the export. 

  • QuickView: When QuickView is enabled, this only includes QuickView fields as well as any fields that were added manually or mentioned explicitly in the filter. This option is designed to improve export performance.

Note

Notes:

  • Only CMA admins with an Editor role have permission to export to a CSV file. For more about configuring admin roles, see Managing Admins.

  • Sometimes, trying to export events will fail because the query takes too long and the request times out. You can reduce the time frame of the event filter or use the QuickView export option and then try again.

  • The number of events in the Events page can be rounded up. For example, the Events page shows 2K events, and the actual number of events is 1952.

  • After exporting the events, the events_count column in the CSV file can show multiple events for each row, this happens when the same event occurred more than once over the time span of one minute. The COUNT of this column can show a different number than the total exported events. To show the total number of exported events, use the SUM of the events_count column.

To export events to a CSV file:

  1. (Optional) Click Add for the fields that you are exporting.

  2. From the Events page, click Export Events.

  3. Select the scope of the export: All fields in the events, the Selected fields in the filter, or the fields included in QuickView.

    • All fields in the events

    • Selected fields in the filter

    • Fields included in QuickView

  4. Click OK. The events are exported to the CSV file and the file is downloaded according to the settings of your Internet browser.

Was this article helpful?

3 out of 3 found this helpful

9 comments

Date Votes
  • Comment author
    Yaakov Simon

    Updated to include Custom Presets feature

  • Comment author
    Yaakov Simon

    Updated to include, only admins with the Editor role have permissions to export events.

  • Comment author
    Sasika Perera
    • Edited

    Can you search for events with a wildcard in the filter? For example search for events from any IP starting with 192.168.* or URL that contains *bbc*

  • Comment author
    Yaakov Simon

    Sasika Perera  Currently wildcards are not supported for the events filter. It's a future enhancement that we are researching. Thanks!

  • Comment author
    Philip Mcdougal

    Is there a way to see pre-login events? A host that is set for pre-login should talk to the allowed destinations, are those events created somewhere and under which Event name?

  • Comment author
    Sasika Perera

    I find another challenge with the events when I want to find a block event for example, but cannot see the flow events (sorted by timestamp) as there are more than 100 events within that minute which I am filtering for and interested in. Is there a workaround for this? I cannot drill down to the specific second in the timestamp from the filter either. Thanks

  • Comment author
    Patrick King

    Is there a way to set up email alerts for events if/when they meet a filter's criteria?

    As an example, if we have an SDP user who only connects from a machine named ‘EmployeeLegitimateMachine’ can we configure CATO to email us if a successful SDP connection for that employee's account is recorded from any machine name that's not ‘EmployeeLegitimateMachine’?

  • Comment author
    Philip Mcdougal

    Patrick, I don't know if all event types will be able to send emails/subscription notifications. I tried looking in Reports/User Experience (I don't have Device Management) but didn't seem to do the trick.  

     I just looked and there's a Preset event query/table that provides the type of information that I think you're looking for.  Personally, I would do this out of my logging system/SIEM. I would use a combination of the event type/sub-type, user email (or UPN, whichever works for you), and Device Name and some if-then query language to see deviations of connections from anything other than the known good device name.  Of course, doing this at scale and dynamically or in real-time just won't work without a lot more thought.  I mean, you could do a real-time search in the SIEM but that could get resources expensive fast. depending on the volume of log ingest and other reports/alerts running.

    Cato, (enhancement request) maybe you guys could write in a button on the Home>Events page next to Export that is something like, Schedule Report; where you take the query you just wrote and it creates a schedule report to a mailing list subscriber.  Just a thought…

    Hope that helps in some capacity.

  • Comment author
    Patrick King

    Yup a scheduled report would work too. We put preventative controls in place to prevent unneeded or unauthorized things from happening but I still also like the idea of having an alert (or report) in place for if they do happen just as a backup for if someone found a way around those controls or if whoops we didn't think of x,y,z scenario in those controls.