Understanding Applications Analytics

This article discusses how to use the Applications Analytics page to drill down and analyze the network and application usage for your entire account, a specific site, or a specific user.

Overview of Applications Analytics

The Applications Analytics The Application Analytics page is typically up-to-date within a 5 minutes time frame. However, it is possible that some data will be delayed up to 30 minutes. lets you view the application and network usage data for your entire account as well as for specific sites, users, and applications. The page contains a number of widgets that provide visibility for network and application usage. The page also lets you add items to the analytics filter to drill-down and focus on the relevant analytics and data in your account.

When you manually create a filter or add an item to the update filter, the data and analytics on the Applications Analytics page is automatically updated. The Application Analytics page is typically up-to-date within a 5 minutes time frame. However, it is possible that some data will be delayed up to 30 minutes.

You can choose to show the Application Analytics page for the data in the entire account. You can also select a specific site or user, and show the data only for that site or user.

Note

Note: The Application Analytics page includes data for blocked apps. This is because the PoP allows the client device trying to access the app to send multiple packets to the PoP, so it can identify the app and apply the block rule. This request and response traffic between the client device and PoP is included in Application Analytics data. For more about how the Internet Firewall blocks traffic, see Internet and WAN Firewall Policies – Best Practices

Getting Started with Application Analytics

The Application Analytics page shows the total network usage over the time range. There are widgets that show analytics for users, applications, and sites according to their geographical location. The analytics table at the bottom half of the page shows the data for the top items according to the current filter.

Item	Name	Description
1	Events filter bar	Shows the filters that are applied to the events. Click (Add) to manually configure the settings for a filter.
2	Time range	Select the time range for the events that are shown in the page. The maximum date range for the Applications Analytics page is 90 days. For more about using the Time range, see Setting the Time Range Filter.
3	Network usage timeline	Timeline that shows the total upstream and downstream network usage over the time range. Hover over a bar to show the exact usage for that time bucket.
4	Top Users	Top users based on total network usage.
5	Top Applications	Top applications based on total bandwidth used and shows the percentage of total bandwidth for each application.
6	Top Sites	Map of the top sites based on selected filters. When there are no filters, all the sites for the account are shown. Hover over a site to show name, location and, total bandwidth usage for the site.
7	Analytics type tabs	Each tab shows the analytics and data for that entity in your network: sites, categories, applications, users, or domains.
8	Analytics data table	Shows the data for the that Analytics type , and you can expand the row to drilldown and see analytics in a sortable table.

Using the Analytics Data Table

The Analytics data table shows usage data for these entities in your account:

Sites
Applications
Categories
Users
Destinations

Once you select a tab, you can click to expand the row and see more data for that item. The data shown in the expanded areas is based on the current filter for the page. You can click on the columns to sort the data in ascending or descending order.

By combining inline filters or creating specific filters in the filter bar, you can investigate anomalies you see on the timeline or drill-down to understand specific instances. For example, you can easily investigate the cause for a spike in upstream bandwidth.

The following table explains the data that is shown in each tab. The Available for column shows which tabs are available for the entire account, specific sites or users (see below Accessing the Applications Analytics Page).

Name	Description	Available for
Sites	Shows all the sites that match the current filter. The default view with no filter shows all sites in the account. Expand a site to show the analytics for all the users behind the site. There is a separate row for Remote Users, who are connecting with the Cato Client and aren't behind a site.	Account
Applications	Shows all the applications that match the current filter. The default view with no filter shows all applications used during the time range. Cato provides a risk score for each application between 0 (no risk) to 10 (very high risk). The risk score is calculated based on the analysis of millions of data flows. A high risk score (typically 7 or 8) indicates that Cato detected high levels of vulnerabilities for this application. Expand an application to show the analytics and usage data for each user. Note: Custom apps don't show a risk score.	Account, sites, users
Categories	Shows all the categories (as defined in Assets > Categories) that match the current filter. The default view with no filter shows all the categories used during the time range. Expand a category to show the each application in the category that was used during the time range. It also shows the total usage data for the application. Tip: To drill-down for an application in the category, hover over the application and click . The application is added to the filter, and you can select a different tab for more granular data.	Account, sites, users
Users	Shows all the users that match the current filter. The default view with no filter shows all users that are connected to your account during the time range. Expand a user to show the applications analytic and usage data for that user.	Account, sites
Destinations	Shows all the destination apps according to their top level domains (TLDs) that match the current filter. The default view with no filter shows all the app domains that were accessed during the time range.	Account, sites, users

Filtering the Application Analytics Page

There are two ways to filter the data in the Application Analytics page: automatically update the filter with the selected item, or manually configure the filter.

Automatically Filtering for an Item

As you hover over an item or field where a filter option is available, the button appears, click the icon to add the item to the filter. The Application Analytics page now only shows data that includes this item. For example, if you filter for the Zoom application, the page only shows analytics and data that are related to using the Zoom application. No other application data is available until you change or clear the filter.

You can continue to add items to the filter, click again to update the filter and drill-down further.

Manually Configuring the Filter

You can manually configure the event filter for greater granularity to analyze the application usage. After you configure the filter, it is added to the filter bar and the page is automatically updated to show the analytics and data that match the new filter.

To create a filter:

In the filter bar, click .
Start typing or select the Field (for example: Site Name or Risk Level).
Select the Operator, which determines the relationship between the Field and the Value you are searching for.
Select the Value.
Click Add Filter.

The filter is added to the filter bar and the Applications Analytics page is updated to show results based on the filters.

Clearing the Filter

You can remove each item in the filter separately, or clear the entire filter.

To clear the filters for the Applications Analytics:

To clear a single filter, click next to the filter (item 1 above).
To clear all the filters, click X at the right end of the filter bar (item 2 above).

Accessing the Applications Analytics Page

The Application Analytics page is available at the account, site and, user levels. To show the page for a specific site or user, select it and then open the Application Analytics page from the navigation menu.

Accessing Account-level Applications Analytics

To access account-level analytics:

From the navigation menu, click Monitoring > Applications Analytics. The Applications Analytics page for the account is displayed.

Accessing Site-level Applications Analytics

The Applications Analytics page shows the data for the specific site. You can't edit the filter to show data for a different site.

To access site-level analytics:

From the navigation menu, click Network > Sites and select the site.
From the navigation menu, click Site Monitoring > Applications Analytics.

The Applications Analytics page for the selected site is displayed.

Accessing User-level Application Analytics

The Applications Analytics page shows the data for the specific user. You can't edit the filter to show data for a different user.

To access user-level analytics:

From the navigation menu, click Access > Users and select a user.
From the navigation menu, click User Monitoring > Applications Analytics.

The Applications Analytics page for the selected user is displayed.

Comparing Application Analytics and Network Analytics

The analytics and metrics for the Application Analytics page and the pages for network analytics (such as Monitoring > Sites Overview) can have a small discrepancy because the data is calculated differently.

For network analytics data (including the account Metrics API query):
- Upstream and downstream bytes are counted for encapsulated packets (including DTLS headers overhead)
- Upstream and downstream data for all flows related to the given tunnel are aggregated together
For the Application Analytics data:
- Upstream and downstream bytes are counted for non-encapsulated packets (before DTLS encapsulation).
- Upstream and downstream data is displayed per application