Cato Networks Knowledge Base

Analyzing Events in Your Network

Discovering and Filtering Events

The Events screen shows all the events for the specific site in your account. The powerful search tools let you drill-down and identify the few events that contain the relevant data that you need.

Often there are thousands, if not millions, of events for a selected time range. The goal of the Events screen is to continue adding filters to the query until you can see a few events to analyze. The screen shows you all the fields and you can easily add a field to the filter to refine the events shown. There are several preset filters you can use, or manually define the values for a filter.

The screen shows up to 100 of the most recent events that match the filter. We recommend that you continue to add filters, until you find the events that give you the relevant information.

Note

Notes:

  • After an event is generated, there can be delays of up to 2-3 minutes before that event is shown in the Events screen
  • Changes to entity names (such as policy rules) can take up to 24 hours to be reflected in events

Understanding the Event Types

These are the types of events in the Events screen:

  • Security - Events generated by Threat Protection and Firewall engines

    • Security events are related to potential security issues, and can help you to fine-tune rules for the firewall

  • Connectivity - Events related to connectivity for LAN monitoring, sites, and VPN Clients in the account

    • Connectivity events are related to issues with the site connection, for example link quality related to packet loss

  • System - Events related to LDAP, User Awareness, license, and users accounts

    • System events are related to the status of a Directory Services sync

  • Routing - Routing, and BGP events

    • Routing events are related to the status of BGP sessions and routes

  • Sockets Management - Events related to Sockets, such as firmware updates

    • Socket management events are related to a Socket successfully updating to the newest version

Showing the Events for a Site

The Events screen shows all the events for a site. You can choose one of these tabs to review the events:

  • Events - shows all the event data in the condensed row, when you expand the row each item of data is on a separate line.

  • Smart View - shows the event data in an easy-to-read format that provides quick insights. When you expand a row the data is shown in the same way as the Events tab.

  • Top Distributions - shows seven pie charts for the event distributions, for example Top Source IPs or Top Security Events.

To show the Events screen for a site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, select Site Monitoring > Events. The Events screen for the selected site is displayed.

Overview of Events and Smart View

The following example and table explain the sections of the Events screen with the Events tab:

Events_callouts.png

Item

Name

Description

1

Select Presets menu

Drop-down menu with preset filter options to show the events for common scenarios.

Click star.png to save the filter and time range as a custom preset. See below, Creating Custom Presets.

2

Events filter bar

Shows the filters that are applied to the events. Click Add2.png (Add) to manually configure the settings for a filter.

3

Refresh

Refreshes data for events on the screen (takes about 5 seconds to refresh)

4

Time range

Select the time range for the events that are shown in the screen.

The default time range is Last 2 Days, which shows events for the previous 48 hours. For more information, see Setting the Time Range Filter.

Note: The maximum date range for the Events screen is 31 days.

5

Export events menu

Exports events in the current filter to a file. You can export all the fields (columns), or only the ones that you selected.

6

Events timeline

Shows the number of filtered events. Each event type is represented by a different color.

7

Total number of events

Shows the total number of events for the current time range and filter settings.

8

Event type quick filters

Click an event type to hide the events for that type. For example, when you click Network, the Network events aren't shown in the screen.

9

Event data view tabs

Select the tab to choose the view for the event data.

10

Event fields

All fields that are in the raw data for the filtered events. You can easily add or exclude a field in the filter.

Shows the cardinality (distinct values) of events that match each field category. When you expand the category, it shows the total number of events for each event type.

11

Time and Raw Data for an event

Shows the time stamp when the event was generated and the raw data for each field in the event. You can also add the fields as new columns to this table.

Overview of Top Distributions

The Top Distributions tab shows the percentage of events according to these charts:

  • Event Type Distribution - Shows the total number of events and the percentage for each of the event types

  • Top Connectivity Events - Shows the top action for connectivity events

  • Top Security Events - Shows the top action for security events

  • Top Source Sites and SDP Users - Shows the top traffic sources from sites and SDP usernames

  • Top Source IPs - Shows the top traffic sources based on IP address

  • Top Target Host Names - Shows the top traffic target (destination) based on host name

  • Commonly Inspected Files OR Top Inspected - Shows the top file names inspected by the Threat Protection engines

Filtering and Sorting Events

Adding Event Values to the Events Filter

The left-hand section of the Events screen shows the fields and values that are included in the events (item 5 in the previous example). You can easily add a field value to the events filter to drill-down and identify the relevant events.

The following table explains the buttons in the events fields:

Item

Description

Add_button.png

Adds the field to the table of events as a new column that replaces the Raw Data column. Click X at the top of the column to remove it.

Include_button.png

Adds the specific value for the field to the filter. The Events screen automatically updates and shows events that match the new filter.

Exclude_button.png

Adds an exclusion for this specific value of this field to the filter. The Events screen automatically updates and shows events that do NOT match this value.

In addition, you can add a new column that shows event data for the specific field. The following table explains the buttons in the events fields:

To add an event value to the filter:

  1. In the Events screen, click the field to expand the values.

    EventValue.png
  2. For the specific value, click the button to add the value or the exclusion to the filter.

    The Events screen refreshes and shows the events that match the new filter. The field value shows the number of matching events.

Using the Select Preset Filters

The Select Presets drop-down menu contains predefined event filters for common analytics scenarios. When you select a preset option, the filters are automatically added to the events filter bar and the screen is updated to show the events that match the filter.

These are the explanations for each preset filter:

Preset Name

Description

Default

Removes all the filters from the events filter bar.

Internet firewall

Shows all events generated by the Internet firewall rules.

Internet firewall (high-risk domains)

Shows all events generated by the Internet firewall rules where the destination is considered a high-risk domain. This filter includes traffic that matches these Cato categories: Anonymizers, Compromised, Phishing, Parked domains, Questionable, Spam, Uncategorized.

WAN firewall

Shows all events generated by the WAN firewall rules.

Apps Security

Shows all events generated by the Application Control Policy.

IPS

Shows all events generated by IPS protections, for inbound, outbound, and WAN traffic.

Anti-malware

Shows all events generated by the Unified Anti-Malware policy, for WAN and Internet traffic.

RPF

Shows all events generated by Remote Port Forwarding (RPF) rules (Network > Remote Port Forwarding).

Sites connectivity status

Shows all connectivity events generated by sites and SDP users.

SDP active users

Shows all events related to SDP user logins.

SDP authentication issue

Shows all events generated because SDP users failed to authenticate.

SDP registration code

Shows events related to registration codes used to provision SDP users.

Client certificate about to expire

For Device Authentication, shows events related to certificates that will expire soon.

SCIM

Shows events related to SCIM provisioning for SDP users

Creating Custom Presets

In addition to the predefined presets, you can create a custom preset to filter the events and set the time frame that is displayed. When you save the custom preset, all the filters and the time frame are saved to the Select Preset drop-down menu for that user. The time frame can be dynamic, such as Last Week, or with exact From and To dates.

  • The custom presets are saved for each admin’s account and are only available to that admin 

  • Custom presets are available for Cato Management Application users with editor permissions

ListPresets.png

To create a custom preset:

  1. Set the event filters and time frame for your query.

  2. Click the save preset icon star.png.

    The Custom Preset panel opens.

    CustomPreset.png
  3. Enter the Name for the preset.

  4. The Details section shows the filters, fields, and time frame that are included in the custom preset.

  5. Click Apply.

    The preset is added to the Custom Presets drop-down menu.

Manually Configuring a Filter

You can manually configure the event filter for greater granularity to analyze the events. After you configure the filter, it is added to the events filter bar and the screen is automatically updated to show the events that match the new filter.

The following table explains the sections in the Add Filter pop-up window:

Events_ManualFilter.png

Name

Description

Field

Select the field for this filter. The available fields are based on the filtered events for the time range.

Operator

Select the operator that defines the filter

Value

After you select the operators, you can choose the value for the filter.

To create a manual filter for the events:

  1. In the events filter bar, click the Add icon.

    The Add Filter window opens.

  2. From Field, select the field for this filter. You can enter the name of the field and the options in the drop-down menu are dynamically updated.

  3. From Operator, select the operator for the filter.

  4. If necessary, from Value select the value for the filter. The in and not in operators support selecting multiple values.

  5. Click OK. The filter is added to the events filter bar.

Note

Note: When you are creating a manual filter for a Field, the Value drop-down menu shows a maximum of 99 results. You can enter the entire name of a Value, and it is added to the filter.

Using the Event Type Quick Filter

Use the event type quick filter buttons under the event timeline to to exclude the event type, and then automatically update the filter bar in the Events screen.

Events_QuickFilter.png

To filter for an event type:

  1. From the Events screen, click the name of the event type under the timeline. The event type is added to the filter and excluded from the results.

  2. To clear the event type filter:

    • Click the X for the filter icon.

    • Click the name of the event type.

      (The filter icon in the above example is event type is Connectivity.)

Exporting Events to a File

You can easily export the event data in the Events screen to a file for additional analysis. You have the option to export all the fields for each event, or only the fields that you selected. All the events in the current filter are exported to the file. You can change the time range filter screen to change the number of exported events. You can export up to 250,000 events at one time to a file.

Note

Note: Only Cato Management Application admins with Editor role have permissions to export events. For more about configuring admin roles, see Managing Administrators.

To export events to a CSV file:

  1. From the Events screen, click Export Events.

  2. Select the scope of the export: All fields in the events, or only the Selected fields in the filter.

  3. Click OK. The events are exported to the CSV file and the file is downloaded according to the settings of your Internet browser.

Was this article helpful?

2 out of 2 found this helpful

Comments

2 comments

  • Comment author
    Yaakov Simon

    Updated to include Custom Presets feature

    1
  • Comment author
    Yaakov Simon

    Updated to include, only admins with the Editor role have permissions to export events.

    0

Please sign in to leave a comment.