Analyzing Events in Your Network

Discovering and Filtering Events

The Events screen shows all the events for the specific site in your account. The powerful search tools let you drill down and identify the few events that contain the relevant data that you need.

Often there are thousands, if not millions, of events for a selected time range. The goal in the Events screen is to keep adding filters to the query until only a few events remain to analyze. The screen shows you all the fields, and you can easily add a field to the filter to refine the events shown. There are several preset filters you can use, or you can manually define the values for a filter.

The screen shows up to 100 of the most recent events that match the filter. We recommend that you continue to add filters, until you find the events that give you the relevant information.

For more information about Cato stored event data, see Guide to Cato Data Lake Storage.



  • After an event is generated, the data for that event is typically shown in the Events screen within 5 minutes. However, some events can be delayed by up to 30 minutes.
  • Changes to entity names (such as policy rules) can take up to 24 hours to be reflected in events.

Understanding the Event Types

These are the types of events in the Events screen:

  • Security - Events generated by Threat Protection and Firewall engines

    • Security events are related to potential security issues, and can help you to fine-tune rules for the firewall

  • Connectivity - Events related to connectivity for LAN monitoring, sites, and VPN Clients in the account

    • Connectivity events are related to issues with the site connection, for example link quality related to packet loss

  • System - Events related to LDAP, User Awareness, license, and user accounts

    • System events are related to the status of a Directory Services sync

  • Routing - Routing and BGP events

    • Routing events are related to the status of BGP sessions and routes

  • Sockets Management - Events related to Sockets, such as firmware updates

    • Socket management events are related to a Socket successfully updating to the newest version

Showing the Events for a Site

The Events screen shows all the events for a site. You can choose one of these tabs to review the events:

  • Events - shows all the event data in a condensed row. When you expand the row, each item of data is on a separate line.

  • Smart View - shows the event data in an easy-to-read format that provides quick insights. When you expand a row the data is shown in the same way as the Events tab.

  • Top Distributions - shows seven pie charts for the event distributions, for example Top Source IPs or Top Security Events.

To show the Events screen for a site:

  1. From the navigation menu, click Network > Sites and select the site.

  2. From the navigation menu, select Site Monitoring > Events. The Events screen for the selected site is displayed.

Overview of Events and Smart View

The following example and table explain the sections of the Events screen with the Events tab:






Select Presets menu

Drop-down menu with preset filter options to show the events for common scenarios.

Click the star icon to save the filter and time range as a custom preset. See below, Creating Custom Presets.


Events filter bar

Shows the filters that are applied to the events. Click Add to manually configure the settings for a filter.



Refreshes data for events on the screen (takes about 5 seconds to refresh)


Time range

Select the time range for the events that are shown in the screen.

The default time range is Last 2 Days, which shows events for the previous 48 hours. For more information, see Setting the Time Range Filter.

Note: The maximum date range for the Events screen is 31 days.


Export events menu

Exports events in the current filter to a file. You can export all the fields (columns), or only the ones that you selected.


Events timeline

Shows the number of filtered events. Each event type is represented by a different color.


Total number of events

Shows the total number of events for the current time range and filter settings.


Event type quick filters

Click an event type to hide the events for that type. For example, when you click Network, the Network events aren't shown in the screen.


Event data view tabs

Select the tab to choose the view for the event data.


Event fields

All fields that are in the raw data for the filtered events. You can easily add or exclude a field in the filter.

Shows the cardinality (distinct values) of events that match each field category. When you expand the category, it shows the total number of events for each event type.


Time and Raw Data for an event

Shows the time stamp when the event was generated and the raw data for each field in the event. You can also add the fields as new columns to this table.

Overview of Top Distributions

The Top Distributions tab shows the percentage of events according to these charts:

  • Event Type Distribution - Shows the total number of events and the percentage for each of the event types

  • Top Connectivity Events - Shows the top action for connectivity events

  • Top Security Events - Shows the top action for security events

  • Top Source Sites and SDP Users - Shows the top traffic sources from sites and SDP usernames

  • Top Source IPs - Shows the top traffic sources based on IP address

  • Top Target Host Names - Shows the top traffic target (destination) based on host name

  • Commonly Inspected Files OR Top Inspected - Shows the top file names inspected by the Threat Protection engines

Filtering and Sorting Events

Adding Event Values to the Events Filter

The left-hand section of the Events screen shows the fields and values that are included in the events (item 5 in the previous example). You can easily add a field value to the events filter to drill down and identify the relevant events.

The following table explains the buttons in the events fields:




Adds the field to the table of events as a new column that replaces the Raw Data column. Click X at the top of the column to remove it.


Adds the specific value for the field to the filter. The Events screen automatically updates and shows events that match the new filter.


Adds an exclusion for this specific value of this field to the filter. The Events screen automatically updates and shows events that do NOT match this value.

In addition, you can add a new column that shows event data for the specific field.

To add an event value to the filter:

  1. In the Events screen, click the field to expand the values.

  2. For the specific value, click the button to add the value or the exclusion to the filter.

    The Events screen refreshes and shows the events that match the new filter. The field value shows the number of matching events.

Using the Select Preset Filters

The Select Presets drop-down menu contains predefined event filters for common analytics scenarios. When you select a preset option, the filters are automatically added to the events filter bar and the screen is updated to show the events that match the filter.

These are the explanations for each preset filter:

Preset Name



Removes all the filters from the events filter bar.

Internet firewall

Shows all events generated by the Internet firewall rules.

Internet firewall (high-risk domains)

Shows all events generated by the Internet firewall rules where the destination is considered a high-risk domain. This filter includes traffic that matches these Cato categories: Anonymizers, Compromised, Phishing, Parked domains, Questionable, Spam, Uncategorized.

WAN firewall

Shows all events generated by the WAN firewall rules.

LAN firewall

Shows all events generated by the LAN Firewall rules.

Apps Security

Shows all events generated by the Application Control Policy.


Shows all events generated by IPS protections, for inbound, outbound, and WAN traffic.


Shows all events generated by the Unified Anti-Malware policy, for WAN and Internet traffic.


Shows all events generated by Remote Port Forwarding (RPF) rules (Network > Remote Port Forwarding).

Sites connectivity status

Shows all connectivity events generated by sites and SDP users.

Socket upgrade failed

Shows events for all Socket upgrade failed attempts.

LAN hosts unreachable

Shows events for LAN hosts that were unreachable for a specific configured threshold.

Site disconnected

Shows all sites disconnected events.

Site reconnected

Shows all sites reconnected events. These are events where the site got disconnected and reconnected in less than 2.5 minutes.

BGP peers disconnected

Shows all BGP peer disconnected events.

SDP active users

Shows all events related to SDP user logins.

SDP authentication issue

Shows all events generated because SDP users failed to authenticate.

SDP registration code

Shows events related to registration codes used to provision SDP users.

Client certificate about to expire

For Device Authentication, shows events related to certificates that will expire soon.


Shows events related to SCIM provisioning for SDP users

Creating Custom Presets

In addition to the predefined presets, you can create a custom preset to filter the events and set the time frame that is displayed. When you save the custom preset, all the filters and the time frame are saved to the Select Preset drop-down menu for that user. The time frame can be dynamic, such as Last Week, or with exact From and To dates.

  • The custom presets are saved for each admin’s account and are only available to that admin 

  • Custom presets are available for Cato Management Application users with editor permissions


To create a custom preset:

  1. Set the event filters and time frame for your query.

  2. Click the save preset (star) icon.

    The Custom Preset panel opens.

  3. Enter the Name for the preset.

  4. The Details section shows the filters, fields, and time frame that are included in the custom preset.

  5. Click Apply.

    The preset is added to the Custom Presets drop-down menu.

Manually Configuring a Filter

You can manually configure the event filter for greater granularity to analyze the events. After you configure the filter, it is added to the events filter bar and the screen is automatically updated to show the events that match the new filter. When there are multiple Fields, there is an AND relationship between them.

The following table explains the sections in the Add Filter pop-up window:





Select the field for this filter. The available fields are based on the filtered events for the time range.


Select the operator that defines the filter

For multiple values within the same Field, use the IN operator (this applies an OR logic)


After you select the operators, you can choose the value for the filter.

To create a manual filter for the events:

  1. In the events filter bar, click the Add icon.

    The Add Filter window opens.

  2. From Field, select the field for this filter. You can enter the name of the field and the options in the drop-down menu are dynamically updated.

  3. From Operator, select the operator for the filter.

  4. If necessary, from Value select the value for the filter. The in and not in operators support selecting multiple values.

  5. Click OK. The filter is added to the events filter bar.


Note: When you are creating a manual filter for a Field, the Value drop-down menu shows a maximum of 99 results. You can enter the entire name of a Value, and it is added to the filter.

Using the Event Type Quick Filter

Use the event type quick filter buttons under the event timeline to exclude an event type and automatically update the filter bar in the Events screen.


To filter for an event type:

  1. From the Events screen, click the name of the event type under the timeline. The event type is added to the filter and excluded from the results.

  2. To clear the event type filter:

    • Click the X for the filter icon.

    • Click the name of the event type.

      (The filter icon in the above example is "event type is Connectivity")

Exporting Events to a File

You can easily export the event data in the Events screen to a file for additional analysis. You have the option to export all the fields for each event, or only the fields that you selected. All the events in the current filter are exported to the file. You can change the time range filter to change the number of exported events. You can export up to 250,000 events at one time to a file.

The number of events in the Events screen can be rounded up. For example, the Events screen shows 2K events, and the actual number of events is 1952.

After exporting the events, the events_count column in the CSV file can show multiple events for a row. This happens when the same event occurred more than once over the time span of one minute. As a result, the COUNT of this column can show a different number than the total exported events. To show the total number of exported events, use the SUM of the events_count column.



  • Only Cato Management Application admins with Editor role have permissions to export to a CSV file. For more about configuring admin roles, see Managing Administrators.

  • Sometimes trying to export events will fail because the query takes too long and the request times out. You can reduce the time frame of the event filter and then try again to export the events.

To export events to a CSV file:

  1. From the Events screen, click Export Events.

  2. Select the scope of the export: All fields in the events, or only the Selected fields in the filter.

  3. Click OK. The events are exported to the CSV file and the file is downloaded according to the settings of your Internet browser.
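
The filter logic from Manually Configuring a Filter (AND between fields, OR within an in / not in value list) and the SUM-versus-COUNT note above, modeled offline on an exported CSV. This is an added example, not Cato code: events_count is the only column name taken from this article, and the other column names, the sample rows, and the treatment of a blank events_count as one event are assumptions.

```python
import csv
import io

# Constructed sample of an exported CSV. Only events_count is a column named
# in the article; the other column names and all values are assumptions.
SAMPLE_EXPORT = """\
time,event_type,action,src_ip,events_count
2024-01-01T10:00:00Z,Security,Block,10.0.0.5,3
2024-01-01T10:00:00Z,Security,Monitor,10.0.0.7,1
2024-01-01T10:01:00Z,Connectivity,Disconnected,10.0.0.9,2
2024-01-01T10:02:00Z,Security,Block,10.0.0.8,
2024-01-01T10:03:00Z,Routing,Changed,10.0.0.5,4
"""

def matches(row, filters):
    """AND across filters; a value set gives OR logic within one field."""
    for field, op, values in filters:
        if op not in ("in", "not in"):
            raise ValueError(f"unsupported operator: {op}")
        hit = row.get(field, "") in values
        # "in" needs a hit, "not in" needs a miss; any failed filter rejects.
        if hit != (op == "in"):
            return False
    return True

def summarize(csv_text, filters):
    """Return (row_count, event_total) for rows that match every filter."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = [r for r in reader if matches(r, filters)]
    total = 0
    for r in rows:
        raw = (r.get("events_count") or "").strip()
        # Assumption: a blank or missing events_count stands for one event.
        total += int(raw) if raw else 1
    return len(rows), total

if __name__ == "__main__":
    flt = [("event_type", "in", {"Security"}),
           ("action", "in", {"Block", "Monitor"})]
    count, total = summarize(SAMPLE_EXPORT, flt)
    print(f"rows (COUNT): {count}  events (SUM of events_count): {total}")
```
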



  • Yaakov Simon

    Updated to include Custom Presets feature

  • Yaakov Simon

    Updated to include, only admins with the Editor role have permissions to export events.

  • Sasika Perera

    Can you search for events with a wildcard in the filter? For example search for events from any IP starting with 192.168.* or URL that contains *bbc*

  • Yaakov Simon

    Sasika Perera  Currently wildcards are not supported for the events filter. It's a future enhancement that we are researching. Thanks!
