Explaining the Event Fields

Understanding the Types of Fields

These are the types of each field, and how to use them for manual filters.

  • Date and Time - Date values use the format "<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z", for example "2021-01-01T12:10:30.591Z"

  • IP - Filter for IP addresses using CIDR notation: [ip_address]/[prefix_length]

  • Keyword - Enter text strings; Keyword fields can only be searched for an exact value

  • Link - Link to an external reference

  • Number - Enter numbers as integers

  • Text - Event description; can't be included in a filter
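As an added example (not from the Cato article or Cato's own software), the following Python applies manual filters of each type in the list above to constructed sample events: exact match for Keyword fields, CIDR containment for IP fields, integer comparison for Number fields, the article's date format for Date and Time fields, and a refusal to filter on Text fields. The field names follow the tables on this page; the dict layout of an event and the sample values are assumptions.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Field types as listed in the article; events are dicts of field name -> raw string (assumed layout)
FIELD_TYPES = {"Event type": "keyword", "Src IP": "ip", "Dest port": "number",
               "Time": "date", "Event message": "text"}

# Same shape as the article's example value: 2021-01-01T12:10:30.591Z
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")

def parse_date(value):
    """Parse the article's date/time format into a timezone-aware UTC datetime."""
    if not DATE_RE.match(value):
        raise ValueError(f"bad date/time value: {value!r}")
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def matches(event, field, criterion):
    """Apply one filter criterion to one event according to the field's type: keyword = exact
    match, ip = CIDR containment, number = integer equality, date = inclusive range, text = not filterable."""
    ftype = FIELD_TYPES[field]
    if ftype == "text":
        raise ValueError(f"{field!r} is a Text field and cannot be used in a filter")
    value = event.get(field)
    if value is None:
        return False
    if ftype == "keyword":
        return value == criterion
    if ftype == "ip":
        # criterion is CIDR notation [ip_address]/[prefix_length]; strict=False tolerates host bits
        return ipaddress.ip_address(value) in ipaddress.ip_network(criterion, strict=False)
    if ftype == "number":
        return int(value) == int(criterion)
    start, end = (parse_date(c) for c in criterion)  # date: criterion is a (start, end) tuple
    return start <= parse_date(value) <= end

def filter_events(events, criteria):
    """Return the events that satisfy every (field, criterion) pair in criteria."""
    return [e for e in events if all(matches(e, f, c) for f, c in criteria.items())]

# Constructed sample events for the demonstration (not real Cato data)
SAMPLE_EVENTS = [
    {"Event type": "Security", "Src IP": "10.0.1.25", "Dest port": "443",
     "Time": "2021-01-01T12:10:30.591Z", "Event message": "Blocked by rule"},
    {"Event type": "Network", "Src IP": "10.0.2.7", "Dest port": "53",
     "Time": "2021-01-01T12:11:05.002Z", "Event message": "DNS query"},
    {"Event type": "Security", "Src IP": "192.168.5.9", "Dest port": "443",
     "Time": "2021-01-02T08:00:00.000Z", "Event message": "Blocked by rule"},
]
```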

Explaining the Popular Fields

Name | Type | Description
--- | --- | ---
Categories | keyword | The default Cato categories (Configuration > Categories)
Source name | keyword | For all traffic, the name of the source site or SDP user
Event sub type | keyword | Event sub-type of the Network, Security, Health, or System types
Event type | keyword | Event type: Network, Security, Health, or System
Type | keyword | Event type: Network, Security, Health, or System
User email | keyword | Email address for the user in the Cato Management Application

Explaining the Available Fields

Name | Type | Description
--- | --- | ---
Action | keyword | Action that is relevant to the event type, for example: Firewall - the rule action taken for this event (only rules with track enabled generate events; Monitor events are for matching allow rules); QoS - alert or clear; BGP - BGP route ignore (see Event message below for more information)
Active Directory name | keyword | Name of the Active Directory instance
Anti malware reference | link | Link to the anti-malware database for the suspicious file
Application | keyword | Applications that are used in the different policies, for example: Facebook, CNN
Authentication type | keyword | Authentication method that is connected to this event, for example: MFA or password
BGP Cato ASN | keyword | The BGP ASN for the Cato BGP peer (local connection)
BGP Cato IP | IP | The BGP IP address for the Cato BGP peer (local connection)
BGP error code | keyword | Error message for the BGP disconnect event
BGP peer ASN | keyword | The BGP ASN for the BGP peer (remote connection)
BGP peer description | keyword | For BGP events, description of the BGP neighbor from the Cato Management Application
BGP peer IP | IP | The BGP IP address for the BGP peer (remote connection)
BGP route CIDR | keyword | The CIDR for the BGP route
BGP suberror code | keyword | Error message that is connected to the BGP disconnect event
Client version | keyword | Version number for the Socket or VPN client
Configured host name | keyword | Name configured in the Cato Management Application for a host with a static IP address
Custom categories | keyword | The Custom Categories for your account (Configuration > Categories)
Dest country | country | For Internet traffic, IP address based location of the destination server
Dest IP | IP | For Internet traffic, IP address of the destination server
Dest is site or VPN | keyword | For WAN traffic, destination type: site or SDP user
Dest port | number | For Internet traffic, port number for the destination server
Dest site name | keyword | For WAN traffic, the name of the destination site or SDP user
Device name | keyword | Name of the host connected to the event
Directory host name | keyword | For LDAP events, the host name
Directory IP | IP | For LDAP events, IP address of the Domain Controller
Directory sync type | keyword | LDAP event generated because there was a sync with the Domain Controller
Directory sync result | keyword | For LDAP events, result of the sync with the Domain Controller
Domain name | keyword | SSL SNI, HTTP host name, DNS name
Event count | number | Count for events that are repeated multiple times during one minute
Event message | text | Cato's description of the event. For the BGP route ignore action: Too Many Routes - exceeded the maximum number of allowed BGP routes, any routes after route number 1024 are ignored; Route Collision - the BGP route is ignored because it collided with a BGP range that Cato blocks; Zero Length Route - the default route (0.0.0.0/0) was ignored
File hash | keyword | For anti-malware events, hash of the relevant file
File name | keyword | For anti-malware events, name of the relevant file
File size | number | For anti-malware events, size (in bytes) of the relevant file
IP protocol | keyword | Network protocol for this event
ISP name | keyword | The ISP used for this event. When the IP address isn't provided by the ISP, the event message is "IP Addresses are assigned statically"
Link health is congested | keyword | Data that measures the congestion for a specific link
Link health jitter | keyword | Data that measures the jitter for a specific link
Link health latency | keyword | Data that measures the latency for a specific link
Link health pkt loss | keyword | Data that measures the packet loss for a specific link
Link type | keyword | Link type for this connection, for example: Cato, or Alt. WAN
Login type | keyword | Login action, values are: User portal (myvpn.catonetworks.com) or VPN client (VPN or site traffic)
Mitre attack fields | keyword | For relevant IPS events, shows data based on the comprehensive MITRE ATT&CK knowledge base of cyber adversaries: mitre attack subtechniques, mitre attack tactics, mitre attack techniques
OS type | keyword | Type of host operating system, or tunnel device
OS version | keyword | Version number of host operating system, or tunnel device
PoP name | keyword | Name of the PoP that is connected to this event
QoS reported time | date | For QoS, the time that this QoS event started. The event is generated when the QoS event finishes.
Related Apps | keyword | A list of applications identified in the traffic flow for this event, as part of the application identification process. This process analyzes the traffic at different stages of the flow, gathering information on all the protocols, services, and applications to make an accurate final determination of the application. This field provides context for the app identification by showing the various apps identified throughout the stages of the process.
Risk level | keyword | For IPS events, indicates the overall impact of a threat for the host or network: low - minimal risk for the network, such as adware; medium - medium risk for the network, such as network scans; high - significant risk for the network, such as spyware or worms
Rule name | keyword | Name in the Cato Management Application for the firewall rule
Socket interface | keyword | Name in the Cato Management Application for the Socket port (interface)
Socket new version | keyword | For Socket upgrade events, version number for the new version
Socket old version | keyword | For Socket upgrade events, version number for the previous version
Socket reset | keyword | For Socket reset events, indicates a hardware or software reset
Socket role | keyword | For Socket high availability events, indicates if the Socket is primary or secondary
Socket serial | keyword | Serial number of the physical Socket
Src country | country | For VPN clients and sites, the physical location for the public IP address that is outside the tunnel
Src IP | IP | The IP address that Cato assigns to the host or VPN client
Src ISP IP | IP | The ISP IP address that is outside the tunnel that connects to the Cato Cloud
Src port | number | The internal port number for the client, site, or host for the network connection
Src is site or VPN | keyword | For all traffic, the name of the source site or VPN ID
Src site name | keyword | For all traffic, the name of the source site or SDP user
Subnet name | keyword | Name of the subnet that is defined in the Cato Management Application
Threat name | keyword | For anti-malware events, the malware name. For IPS events, explains the reason why the traffic was blocked.
Threat type | keyword | For anti-malware events, malware type
Threat verdict | keyword | For anti-malware events, result of the malware scan. For files that are safe, the value is clean.
Throttled event subtype | keyword | For events that are repeated multiple times, there is a quota limit for this event type. When this event type passes the quota limit, the event is throttled. The subtype value shows the type of event that was throttled.
Time | date | Time stamp for this event
TLS Error Description | N/A | Explanation of the TLS error in this event, values are: close notify, unexpected message, bad record mac, decompression failure, handshake failure, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown, illegal parameter, decryption failed, record overflow, unknown CA, access denied, decode error, decrypt error, export restriction, protocol version, insufficient security, internal error, user canceled, no renegotiation, unknown PSK identity, unknown. For explanations of these errors, see this document
TLS Error Type | N/A | The type of TLS error for this event, values are: warning, fatal, unknown. For explanations of these errors, see this document
TLS Version | N/A | TLS protocol version number for this event
Traffic direction | keyword | Direction of network traffic for this event, values are inbound or outbound
Tunnel protocol | keyword | Protocol for the tunnel connection
URL | keyword | For Internet traffic, URL connected to the event
Windows domain name | keyword | For LDAP sync events, name of the AD domain

Explaining Fields for MDR Customers

MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Event Discovery window (Analytics > Event Discovery). The following table explains the event fields for these incidents in the event subtype MDR.

Name | Type | Description
--- | --- | ---
Client Class | keyword | Type of client application that runs on the operating system that created this network flow (for example, Chrome)
Flows Cardinality | number | Number of network flows that were included in this security incident
Incident Aggregation | number | A true/false value that indicates if this event is a summary that aggregates many events (true) or raw network flows for a single event (false)
Incident ID | keyword | ID that identifies this security incident. You can use this ID to follow up for more information with the MDR team.
Targets Cardinality | number | Number of servers that were included in this security incident

Explaining Fields for the SDP Portal

For more about the SDP events and fields, see SDP Portal Overview - Securing Remote Access to Applications.


4 comments

  • JM

    Are all fields supposed to be documented here? I am missing an explanation of the field “Device Posture Profiles”.

  • Dermot - Community Manager

    The Cato Networks GraphQL API Reference is the definitive source of this sort of information for the API. I will check with the documentation team to get this article updated.

  • JM

    Thanks Dermot - a bit more detail than what is in the API documentation would be helpful.

  • Dermot - Community Manager

    I have already been talking to R&D about this. We are working on adding more detail. I will start posting news about this effort in the Cato Community ‘Cato API’ topic.

    Kind Regards,

    Dermot
