The Events page shows all the events that occur in your account, such as when sites and remote users connect to the Cato Cloud and block actions by a firewall or security engine.
Events provide you with detailed data and logs of account activity to help you monitor and manage their environments efficiently.
There are often millions of events for the selected time range, and the page displays up to 100 events at a time.
Cato provides a number of ways to filter the results. We recommend that you continue to add or modify filters until you find the events that give you the relevant information.
Event data is stored in Cato's Data Lake. For more information, see Guide to Cato Data Lake.
Notes:
- After an event is generated, the data for that event is typically shown in the Events page within 5 minutes. However, some events may be delayed by up to 30 minutes.
- Changes to entity names (such as policy rules) can take up to 24 hours to be reflected in the relevant event fields.
Quick View is an option that displays fewer fields for each Event in order to improve page performance. It is enabled by default, and displays the fields that are most commonly required for analysis. It significantly improves the performance of the Events page as well as the export performance when you select the Quick View export option.
Any fields that are manually selected or mentioned in a filter are also displayed when Quick View is enabled.
You can disable Quick View at any time to load all fields; however, this may impact performance.
The following fields are displayed for each event when Quick View is enabled. The list of fields is based on customer usage data.
- Always-On
- App Activity Category
- Application
- Application Activity
- Application Risk
- Authentication Method
- BGP Disconnect Error Code
- Bypass Method
- Bypass Reason
- Category
- Cato App
- Client Certificate Name
- Client Class
- Client Version
- Configured Host Name
- Connector Type
- Custom Category
- Destination Country
- Destination IP
- Destination is Site or SDP User
- Destination Port
- Destination Site
- Device Certificate
- Device Name
- Device OS Type
- Device Posture Profiles
- Directory IP
- Directory Sync Result
- DLP Profiles
- DNS Protection Category
- DNS Query
- Domain Name
- Egress PoP Name
- Event Type
- event_message
- Failure Reason
- File Hash
- File Type
- Full Path URL
- HA Role
- Host IP
- Host MAC Address
- Interface ID
- IP Protocol
- Is Sanction App
- ISP Name
- LAN Access
- Link Health - Packet Loss
- Link Type
- Logged In User
- Login Type
- Network Rule
- OS Type
- PoP Name
- Public Source IP
- QoS Priority
- Reference URL
- Related Apps
- Risk Level
- Rule
- Rule ID
- SAM Account Name
- Severity
- Signature ID
- Socket Reset
- Source Country
- Source IP
- Source is Site or SDP User
- Source ISP IP
- Source Port
- Source Site
- Split Tunnel
- Status
- Subnet Name
- Sub-Type
- TCP Acceleration
- Threat Name
- Threat Type
- Threat Verdict
- Time
- TLS Certificate Error
- TLS Error Description
- TLS Error Type
- TLS Rule Name
- Traffic Direction
- Trusted Networks
- Tunnel Protocol
- URL
- User Agent
- User Display Name
- User Email
- User Name
- User Principal Name
- Windows Domain Name
You can view events for your whole account in the Home > Events page.
The following image and table explain the elements of the Events page with the Events tab:
Item | Name | Description
---|---|---
1 | Select Presets menu | Drop-down menu with preset filter options to show the events for common scenarios as well as any custom presets you manually saved.
2 | Events filter bar | Shows the filters that are applied to the events. Click
3 | Refresh | Refreshes data for events on the page (takes about 5 seconds to refresh).
4 | Time range | Select the time range for the events that are shown in the page. The default time range is Last 2 Days, which shows events for the previous 48 hours. For more information, see Setting the Time Range Filter. Note: The maximum date range for the Events page is 31 days.
5 | Export events menu | Exports events in the current filter to a file. You can export all the fields (columns), or only the ones that you selected.
6 | Add to custom presets | Add the current filter to your custom presets so you can easily use the filter again.
7 | Natural Language Search | Filter the events list using natural language filters. For more information, see Filtering Events with Natural Language Search.
8 | Manual Filter Toggle | After you have used a natural language search, this button toggles back to the manual filter options.
9 | Events timeline | Shows the number of filtered events. Each event type is represented by a different color.
10 | Total number of events | Shows the total number of events for the current time range and filter settings.
11 | Event type quick filters | Click an event type to hide the events for that type. For example, when you click Network, the Network events aren't shown in the page.
12 | Event data view tabs | Select the tab to choose the view for the event data.
13 | Event fields | All fields that are in the raw data for the filtered events. You can easily add or exclude a field in the filter. Shows the cardinality (distinct values) of events that match each field category. When you expand the category, it shows the total number of events for each event type.
14 | Time and Raw Data for an event | Shows the time stamp when the event was generated and the raw data for each field in the event. You can also add the fields as new columns to this table.
15 | QuickView | QuickView is enabled by default, displaying all the fields that are typically required for analysis for each Event. This significantly improves the page performance. This also improves the export performance when you select the QuickView export option.
These are the types of events on the Events page:
- Security - Events generated by Threat Protection and Firewall engines
  - Security events are related to potential security issues, and can help you to fine-tune rules for the firewall
- Connectivity - Events related to connectivity for LAN monitoring, sites, and VPN Clients in the account
  - Connectivity events are related to issues with the site connection, for example link quality related to packet loss
- System - Events related to LDAP, User Awareness, license, and user accounts
  - System events are related to the status of a Directory Services sync
- Routing - Routing and BGP events
  - Routing events are related to the status of BGP sessions and routes
- Sockets Management - Events related to Sockets, such as firmware updates
  - Socket management events are related to a Socket successfully updating to the newest version
The left-hand section of the Events page shows the fields and values that are included in the events (item 5 in the previous example). You can easily add a field value to the events filter to drill-down and identify the relevant events.
The following table explains the buttons in the events fields:
Item | Description
---|---
 | Adds the field to the Selected Fields section, and the page only shows event data for these fields. Click X at the top of the column to remove it.
 | Adds the specific value for the field to the filter. The Events page automatically updates and shows events that match the new filter.
 | Adds an exclusion for this specific value of this field to the filter. The Events page automatically updates and shows events that do NOT match this value.
In addition, you can add a new column that shows event data for the specific field.
To add an event value to the filter:
1. In the Events page, click the field to expand the values.
2. For the specific value, click the button to add the value or the exclusion to the filter.
   The Events page refreshes and shows the events that match the new filter. The field value shows the number of matching events.
The Select Presets drop-down menu contains predefined event filters for common analytics scenarios. When you select a preset option, the filters are automatically added to the events filter bar, and the page is updated to show the events that match the filter.
In addition to the predefined presets you can create a custom preset to filter the events and set the time frame that is displayed. When you save the custom preset, all the filters and the time frame are saved to the Select Preset drop-down menu for that user. The time frame can be dynamic, such as Last Week, or with exact From and To dates.
- The custom presets are saved for each admin's account and are only available to that admin
- Custom presets are available for Cato Management Application users with editor permissions
To create a custom preset:
1. Set the event filters and time frame for your query.
2. Click the bookmark icon.
   The Custom Preset panel opens.
3. Enter the Name for the preset.
4. The Details section shows the filters, fields, and time frame that are included in the custom preset.
5. Click Apply.
   The preset is added to the Custom Presets drop-down menu.
You can manually configure the event filter for greater granularity to analyze the events. After you configure the filter, it is added to the events filter bar and the page is automatically updated to show the events that match the new filter. When there are multiple Fields, there is an AND relationship between them.
The following table explains the sections in the Add Filter pop-up window:
Name | Description
---|---
Field | Select the field for this filter. The available fields are based on the filtered events for the time range.
Operator | Select the operator that defines the filter. For multiple values within the same Field, use the IN operator (this applies OR logic).
Value | After you select the operator, you can choose the value for the filter.
To create a manual filter for the events:
1. In the events filter bar, click the Add icon.
   The Add Filter window opens.
2. From Field, select the field for this filter. You can enter the name of the field, and the options in the drop-down menu are dynamically updated.
3. From Operator, select the operator for the filter.
4. If necessary, from Value select the value for the filter. The in and not in operators support selecting multiple values.
5. Click OK. The filter is added to the events filter bar.
Use the event type quick filter buttons under the event timeline to exclude an event type; the filter bar in the Events page is updated automatically.
To filter for an event type:
1. From the Events page, click the name of the event type under the timeline. The event type is added to the filter and excluded from the results.
To clear the event type filter, do one of the following:
- Click the X for the filter icon.
- Click the name of the event type.
(In the example above, the filter icon is for the Connectivity event type.)
You can export the event data in the Events page to a file for additional analysis. You can export up to 250,000 events at one time to a file. All events in the current filter and time range are included in the export. You can use the following three options to control which event fields are included in the export:
- All fields: Include all fields for every event in the export.
- Selected Fields: Only include fields that you added in the export.
- QuickView: When QuickView is enabled, this only includes QuickView fields as well as any fields that were added manually or mentioned explicitly in the filter. This option is designed to improve export performance.
Notes:
- Only CMA admins with an Editor role have permission to export to a CSV file. For more about configuring admin roles, see Managing Administrators.
- Sometimes, trying to export events will fail because the query takes too long and the request times out. You can reduce the time frame of the event filter or use the QuickView export option and then try again.
- The number of events in the Events page can be rounded up. For example, the Events page shows 2K events when the actual number of events is 1952.
- After exporting the events, the events_count column in the CSV file can show multiple events for each row; this happens when the same event occurred more than once over the time span of one minute. The COUNT of this column can therefore differ from the total number of exported events. To show the total number of exported events, use the SUM of the events_count column.
To export events to a CSV file:
1. (Optional) Click Add for the fields that you are exporting.
2. From the Events page, click Export Events.
3. Select the scope of the export:
   - All fields in the events
   - Selected fields in the filter
   - Fields included in QuickView
4. Click OK. The events are exported to the CSV file and the file is downloaded according to the settings of your Internet browser.
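The following Python is an added example, not Cato code or a real export. It models two points from this page: in the Add Filter window, multiple fields combine with AND while IN / NOT IN act as OR within one field, and in an exported CSV the true number of events is the SUM of events_count, not the COUNT of rows. The sample rows and all column names other than events_count are constructed.

```python
import csv
import io

# Constructed sample of an Events CSV export (not real data). A row with
# events_count > 1 represents the same event repeated within one minute.
SAMPLE_EXPORT = """time,event_type,sub_type,src_ip,action,events_count
2024-01-01T10:00:00Z,Security,Internet Firewall,10.0.0.5,Block,3
2024-01-01T10:00:00Z,Security,Internet Firewall,10.0.0.7,Allow,1
2024-01-01T10:01:00Z,Connectivity,Link Health,10.0.0.5,,2
2024-01-01T10:02:00Z,Security,IPS,10.0.0.9,Block,1
2024-01-01T10:03:00Z,System,Directory Sync,,,1
"""

def parse_export(text):
    """Parse the CSV text into dicts, converting events_count to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["events_count"] = int(row["events_count"])
    return rows

def matches(row, field, op, value):
    """One filter condition. 'in' / 'not in' take a list and act as OR within the field."""
    actual = row.get(field, "")
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "in":
        return actual in value
    if op == "not in":
        return actual not in value
    raise ValueError(f"unsupported operator: {op}")

def apply_filters(rows, filters):
    """Multiple filters combine with AND, as in the Add Filter window."""
    return [r for r in rows if all(matches(r, f, o, v) for f, o, v in filters)]

def row_count(rows):
    """COUNT of exported rows: undercounts whenever events_count > 1."""
    return len(rows)

def total_events(rows):
    """SUM of events_count: the actual number of exported events."""
    return sum(r["events_count"] for r in rows)

if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    blocked = apply_filters(events, [("event_type", "is", "Security"), ("action", "in", ["Block"])])
    print(row_count(blocked), total_events(blocked))  # 2 rows, but 4 events
```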
9 comments
Updated to include Custom Presets feature
Updated to include, only admins with the Editor role have permissions to export events.
Can you search for events with a wildcard in the filter? For example search for events from any IP starting with 192.168.* or URL that contains *bbc*
Sasika Perera Currently wildcards are not supported for the events filter. It's a future enhancement that we are researching. Thanks!
Is there a way to see pre-login events? A host that is set for pre-login should talk to the allowed destinations, are those events created somewhere and under which Event name?
I find another challenge with the events when I want to find a block event for example, but cannot see the flow events (sorted by timestamp) as there are more than 100 events within that minute which I am filtering for and interested in. Is there a workaround for this? I cannot drill down to the specific second in the timestamp from the filter either. Thanks
Is there a way to set up email alerts for events if/when they meet a filter's criteria?
As an example, if we have an SDP user who only connects from a machine named ‘EmployeeLegitimateMachine’ can we configure CATO to email us if a successful SDP connection for that employee's account is recorded from any machine name that's not ‘EmployeeLegitimateMachine’?
Patrick, I don't know if all event types will be able to send emails/subscription notifications. I tried looking in Reports/User Experience (I don't have Device Management) but didn't seem to do the trick.
I just looked and there's a Preset event query/table that provides the type of information that I think you're looking for. Personally, I would do this out of my logging system/SIEM. I would use a combination of the event type/sub-type, user email (or UPN, whichever works for you), and Device Name and some if-then query language to see deviations of connections from anything other than the known good device name. Of course, doing this at scale and dynamically or in real-time just won't work without a lot more thought. I mean, you could do a real-time search in the SIEM but that could get resource expensive fast, depending on the volume of log ingest and other reports/alerts running.
Cato, (enhancement request) maybe you guys could write in a button on the Home>Events page next to Export that is something like, Schedule Report; where you take the query you just wrote and it creates a schedule report to a mailing list subscriber. Just a thought…
Hope that helps in some capacity.
Yup a scheduled report would work too. We put preventative controls in place to prevent unneeded or unauthorized things from happening but I still also like the idea of having an alert (or report) in place for if they do happen just as a backup for if someone found a way around those controls or if whoops we didn't think of x,y,z scenario in those controls.