These are descriptions of event fields for the Cato Management Application (CMA). Event fields are frequently updated; for the full list of event fields, please refer to the Cato GraphQL API Reference for EventFieldName.
For customers that use the Cato API for event data, see Cato API Potentially Breaking Changes and EoL for notifications on potentially breaking changes and end-of-life (EoL) announcements for the Cato GraphQL API schema. We recommend that you follow the article to automatically receive email notifications for updates and changes.
| Name | Description |
|---|---|
| Action | Action that is relevant to the event type, for example: |
| Active Directory name | Active Directory User Awareness name associated with the device behind a socket |
| API Key Name | Name defined for the public API Key in the Cato Management Application |
| Application | Applications that are used in the different policies, for example: Facebook, CNN |
| Authentication type | Authentication method that is connected to this event, for example: MFA or password |
| BGP Cato ASN | The BGP ASN for the Cato BGP peer (local connection) |
| BGP Cato IP | The BGP IP address for the Cato BGP peer (local connection) |
| BGP error code | Error message for the BGP disconnect event |
| BGP peer ASN | The BGP ASN for the BGP peer (remote connection) |
| BGP peer description | For BGP events, description of the BGP neighbor from the Cato Management Application |
| BGP peer IP | The BGP IP address for the BGP peer (remote connection) |
| BGP route CIDR | The CIDR for the BGP route |
| BGP suberror code | Error message that is connected to the BGP disconnect event |
| Category | Default system Cato categories |
| Cato App | App data related to this traffic flow |
| Certificate Expiration Date | Expiration date for Client certificate |
| Client Class | Type of process generating this traffic |
| Client Version | Version number for the Socket or Cato Client |
| Collaborators | For SaaS Security API, email addresses of the users that received the file |
| Configured Host Name | Name configured in the Cato Management Application for a host with a static IP address |
| Congestion Algorithm | The TCP congestion control algorithm for the traffic in the event. Possible values: CUBIC, NewReno, BBR |
| Connector Name | For SaaS Security API, name of the connector |
| Connector Type | For SaaS Security API, SaaS app for the connector |
| Criticality | For XDR events, 0 (no risk/impact) to 10 (very high risk/impact) |
| Custom categories | The Custom Categories for your account (Resources > Categories) |
| Destination Country | For Internet traffic, IP address based location of the destination server |
| Destination Country Code | For Internet traffic, the two letter country code where the destination host is located (based on ISO 3166-1 alpha-2) |
| Destination IP | For Internet traffic, IP address of the destination server |
| Destination is Site or SDP User | For WAN traffic, destination type: site or SDP user |
| Destination Port | For Internet traffic, port number for the destination server |
| Destination Site | For WAN traffic, the name of the destination site or SDP user |
| Device Name | Name of the host connected to the event |
| Device Posture Profiles | Profiles that matched this event |
| Directory Host Name | For LDAP events, the host name |
| Directory IP | For LDAP events, IP address of the Domain Controller |
| Directory Sync Result | For LDAP events, result of sync with the Domain Controller |
| Directory Sync Type | LDAP event generated because there was a sync with the Domain Controller |
| Display Name | The name of the user |
| DLP Profiles | DLP profiles related to the event |
| DNS Protection Category | Cato’s DNS Protection type that matched the DNS request |
| DNS Query | Domain queried in the DNS request |
| Domain Name | SSL SNI, HTTP host name, DNS name |
| Duration Ms | Duration in milliseconds between the start and end of a transaction or operation. For example, in DNS or HTTP events, this reflects the time between the request and the corresponding response. For DNS event sub-types. |
| Egress PoP Name | Name of the PoP the traffic egresses from, as defined in a Network Rule using a NAT or Route via configuration. The field is shown only when traffic egresses from a PoP other than the one the site is connected to. |
| Egress Site | Name of the egress site for backhauling traffic |
| Event Count | Count for events that are repeated multiple times during one minute |
| Event Message | Cato's description of the event. For BGP route ignore action: |
| Event Type | Type of event: Connectivity, Security, Routing, System, Sockets Management, or Detection and Response |
| File Hash | For anti-malware events, hash of the relevant file |
| File Name | Name of the relevant file. Note: If the PoP can't capture the actual file name at the time of detection, then it uses the last part of the URL for the file name, such as download. |
| File Size | Size (in bytes) of the relevant file |
| File Type | File content type (such as Archive or Microsoft Office). For File Control rules, form_data is a generic representation of data submitted through a web form, commonly used in HTTP requests (e.g., multipart form submissions). It doesn't indicate a distinct file type. |
| Flows Cardinality | Number of flows for a given incident |
| Full Path URL | Full path URL for app activity. Application Control must be enabled for this field to appear in Apps Security events. |
| Host IP | IP address of host related to the event |
| Host MAC Address | MAC address of the host for this event |
| HTTP Response Code | HTTP status code returned (for example, for a DNS request, the status code from the DNS-over-HTTPS (DoH) server when DoH is used). For DNS and App Security event sub-types. |
| IP Protocol | Network protocol for this event |
| ISP Name | The ISP used for this event. When the IP address isn't provided by the ISP, the event message is "IP Addresses are assigned statically". Note: For sites with multiple active WAN interfaces that use different ISPs, the ISP Name value might not be accurate because the interfaces can change over the lifetime of the traffic flow. |
| Link Health is Congested | Data that measures the congestion for a specific link |
| Link Health Jitter | Data that measures the jitter for a specific link |
| Link Health Latency | Data that measures the latency for a specific link |
| Link Health Packet Loss | Data that measures the packet loss for a specific link |
| Link Type | Link type for this connection, for example: Cato, or Alt. WAN |
| Login Type | Login action, values are: Admin Login or VPN client (remote access or site traffic) |
| Matched Data Types | Matched DLP data types related to the event |
| Mitre Attack fields | For relevant IPS events, shows data based on the comprehensive MITRE ATT&CK knowledge base of cyber adversaries |
| NAT Error | Indicates the reason for connectivity issues related to NAT |
| Network Rule | Name of the Network Rule matched by the traffic in this event. A value of 0 indicates that the flow experienced packet corruption issues, or was a system flow such as accessing the Socket WebUI. |
| Office Mode | Indicates if office mode is enabled for this user |
| OnPrem SID | Unique identifier assigned to a user object in Microsoft's Azure Active Directory (Azure AD), used to distinctly identify and manage the user across various Azure services |
| OS Type | Type of host operating system, or tunnel device |
| OS Version | Version number of host operating system, or tunnel device |
| PoP Name | Name of PoP location that is connected to this event |
| Public Source IP | The public IP address assigned by the PoP that traffic egressed from. For sites that are using Internet Traffic Backhauling as the routing method, this field shows the Local IP address of the Native Range for the site. The field is not shown for traffic that doesn't egress from the PoP to the Internet, such as internal DNS requests and FTP traffic. |
| QoS Priority | The QoS priority value defined in the Network Rule matched by the traffic |
| QoS Reported time | For QoS, the time at which this QoS event started. The event is generated when the QoS event finishes. |
| Record Types | Type of query (for example, DNS query: A, AAAA, MX, or PTR). For DNS and App Security event sub-types. |
| Registration Code | Registration code used the first time that a ZTNA user authenticates (the code is partially obfuscated) |
| Related Apps | A list of applications identified in the traffic flow for this event, as part of the application identification process. This process analyzes the traffic at different stages of the flow, gathering information on all the protocols, services, and applications to make an accurate final determination of the application. This field provides context for the app identification by showing the apps identified throughout the stages of the process. |
| Request Method | HTTP request method (for example, GET or POST) |
| Request Size | Request packet size in bytes (for example, the DNS request packet). For DNS and App Security event sub-types. |
| Response Size | Response packet size in bytes (for example, the DNS response packet). For DNS and App Security event sub-types. |
| Risk Level | IPS event indicating the overall impact of a threat for the host or network. Risk level low – minimal risk for the network, such as adware; Risk level medium – medium risk for the network, such as network scans; Risk level high – significant risk for the network, such as spyware or worms |
| Rule | Name of the Firewall Rule matched by the traffic in this event |
| Rule ID | Unique Cato ID for the security rule related to the event |
| SAM Account Name | Logon name used on versions of Windows prior to Windows 2000, used within a Windows Active Directory |
| Severity | Severity defined for the security rule |
| Sharing Scope | Sharing Options for the file (such as SharePoint) |
| Signature ID | For IPS and SAM, ID of the IPS signature |
| Socket Interface ID | Unique Cato ID for the Socket interface |
| Socket Interface Name | Name in Cato Management Application for the Socket port (interface) |
| Socket New Version | For Socket upgrade events, the version number for the new version |
| Socket Old Version | For Socket upgrade events, version number for the previous version |
| Socket Reset | For Socket reset events, indicates a hardware or software reset |
| Socket Role | For Socket high availability events, indicates if the Socket is primary or secondary |
| Source Country | For Clients and sites, the physical location for the public IP address that is outside the tunnel (detected via public IP address) |
| Source Country Code | Country Code of the country in which the source host is located (detected via public IP address) |
| Source IP | The IP address that Cato assigns to the host or Client |
| Source ISP IP | The ISP IP address that is outside the tunnel that connects the Cato Cloud |
| Source is Site or SDP User | For WAN traffic, source type: site or SDP user |
| Source | For all traffic, the name of the source site or SDP user |
| Source Port | The internal port number for the Client, site, or host for the network connection |
| Source Site | For all traffic, the name of the source site or SDP user |
| Subnet name | Name of the subnet that is defined in the Cato Management Application |
| Sub-Type | Subtype for an Event Type, such as Internet Firewall, SDP Activity, Apps Security |
| Targets Cardinality | Number of targets (servers) associated with this event |
| TCP Acceleration | Shows if traffic in the event was TCP accelerated. Values are 1 (accelerated) and 0 (not accelerated). The field appears only for TCP-based traffic flows. |
| Threat Name | For anti-malware events, the malware name. For IPS events, explains the reason why the traffic was blocked. |
| Threat Reference | Link to the anti-malware threat database for the suspicious file |
| Threat Type | Type of malware event |
| Threat Verdict | Result of the anti-malware scan |
| Time | Time stamp for this event (Linux epoch format) |
| TLS Error Description | Explanation of the TLS error in this event. Values are: close notify, unexpected message, bad record mac, decompression failure, handshake failure, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown, illegal parameter, decryption failed, record overflow, unknown CA, access denied, decode error, decrypt error, export restriction, protocol version, insufficient security, internal error, user canceled, no renegotiation, unknown PSK identity, unknown. For explanations of these errors, see this document. |
| TLS Error Type | The type of TLS error for this event, values are: |
| TLS Inspection | Shows if traffic in the event was TLS inspected. Values are 1 (inspected) and 0 (not inspected). The field appears only for TLS traffic flows. |
| TLS Rule Name | When traffic in the event was TLS inspected, this field shows the name of the rule matched by the traffic (only when the traffic matches a rule other than default rules) |
| TLS Version | TLS protocol version number for this event |
| Traffic Direction | Direction of network traffic for this event, values are inbound or outbound |
| Transaction Size | Total transaction size in bytes, including both the request and response. For DNS and App Security event sub-types. |
| Tunnel Protocol | Protocol for the tunnel connection |
| Upgrade End Time | Socket upgrade end time (Linux epoch format) |
| Upgrade Initiated By | Indicates if the Socket upgrade occurred during the maintenance window or was initiated by Support (value is Cato Admin) |
| Upgrade Start Time | Socket upgrade start time (Linux epoch format) |
| URL | For Internet traffic, URL for the event |
| User Agent | The user agent used in the sign-in as it appears in the User Agent field in the HTTP header for the traffic. This field is only populated when the PoP extracts its value from HTTP requests, which currently occurs in the following cases: These are examples of user agent values: |
| User Awareness Method | Method used to get identity with User Awareness (such as Identity Agent) |
| User email | Email address for the user |
| User Name | User that generated the event |
| User Object ID | Unique identifier assigned to a user object within Azure Active Directory, used to distinctly identify and manage user accounts |
| User Principal Name | Login name for a user in a Microsoft Active Directory environment, formatted as an email address (e.g., user@domain.com), and used for sign-in purposes |
| User Reference ID | For Block/Prompt page, reference ID to report the incorrect category |
| User SID | Unique identifier assigned to each user on a Windows device system to manage permissions and access rights |
| Windows Domain Name | For LDAP sync events, the name of the AD domain |
| XFF | The X-Forwarded-For (XFF) HTTP header, which indicates the original IP address for the connection |
This is a list of the event sub-types:
- Connectivity
  - API Key
  - Cato Management Application
  - Changed PoP
  - Client Connectivity Policy
  - Connected
  - DHCP Lease
  - Disconnected
  - LAN Monitoring
  - Last-Mile Quality
  - Link-Aggregation
  - Off-Cloud Transport Connect
  - Off-Cloud Transport Disconnect
  - Passive Connect
  - Passive Disconnect
  - Reconnected
  - Recovery via Alt. WAN
  - Registration Code
  - SDP Portal
  - Socket Fail-Over
- Detection and Response
  - XDR Endpoint
  - XDR Network
  - XDR Threat
- Routing
  - BGP Routing
  - BGP Session
  - VPN Never-Off Bypass
- Security
  - Application Sign in
  - Apps Security
  - DNS Protection
  - Endpoint Protection
  - Identity Alert
  - Internet Firewall
  - IPS
  - LAN Firewall
  - MAC Address Authentication
  - Misclassification
  - NG Anti Malware
  - RPF
  - Saas Security API Anti Malware
  - Saas Security API Data Protection
  - SDP Activity
  - Suspicious Activity
  - TLS
  - WAN Firewall
- Sockets Management
  - Socket Password Reset
  - Socket Upgrade
  - Socket WebUI Access
- System
  - DC Connectivity Failure
  - Directory Services
  - Multiple Users Detected
  - QUOTA LIMIT
  - SCIM Provisioning
  - SDP License
These are the types of each field and how to use them for manual filters.
- Date and Time - Values for dates in this format: <year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z, for example 2021-01-01T12:10:30.591Z
- IP - Filter for IP addresses using the CIDR notation: [ip_address]/[prefix_length]
- Keyword - Enter text strings; you can only search for Keyword fields with the exact value
- Link - Link to an external reference
- Number - Enter numbers as integers
- Text - Event description, can't include in a filter
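The filter semantics above (Date and Time, IP in CIDR notation, Keyword exact match, Number as integer) applied in Python to a few constructed event records, as an added example that is not Cato's code; the event values, the helper names and the epoch-seconds representation of Time are assumptions, with field names taken from the table.

```python
from datetime import datetime, timezone
import ipaddress

# Constructed sample events (not real Cato data). Field names follow the table
# above; Time is assumed to be Linux epoch seconds, TLS Inspection is 1/0.
EVENTS = [
    {"Time": 1609503030, "Event Type": "Security", "Sub-Type": "Internet Firewall",
     "Source IP": "10.41.0.12", "Destination IP": "203.0.113.9", "TLS Inspection": 1},
    {"Time": 1609506600, "Event Type": "Security", "Sub-Type": "IPS",
     "Source IP": "10.41.1.7", "Destination IP": "198.51.100.20", "TLS Inspection": 0},
    {"Time": 1609600000, "Event Type": "Connectivity", "Sub-Type": "Connected",
     "Source IP": "10.42.0.3"},  # no Destination IP / TLS Inspection for this sub-type
]

# <year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z
CMA_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def parse_cma_time(value):
    """Parse a Date and Time filter value into an aware UTC datetime."""
    return datetime.strptime(value, CMA_TIME_FORMAT).replace(tzinfo=timezone.utc)

def format_cma_time(epoch_seconds):
    """Render an epoch Time value in the CMA date format (millisecond precision)."""
    ts = datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"

def in_time_range(event, start, end):
    """Date and Time filter: start <= Time < end, Time stored as epoch seconds."""
    ts = datetime.fromtimestamp(event["Time"], tz=timezone.utc)
    return parse_cma_time(start) <= ts < parse_cma_time(end)

def ip_matches(event, field, cidr):
    """IP filter in [ip_address]/[prefix_length] form; an absent field never matches."""
    value = event.get(field)
    if value is None:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)

def keyword_matches(event, field, value):
    """Keyword filter: only the exact value matches, never a substring."""
    return event.get(field) == value

def number_matches(event, field, value):
    """Number filter: integer equality, so 1/0 flags such as TLS Inspection work."""
    return event.get(field) == int(value)

def filter_events(events, start, end, cidr=None, keywords=None, numbers=None):
    """Apply one filter of each type and return the matching events in order."""
    matched = []
    for ev in events:
        if not in_time_range(ev, start, end):
            continue
        if cidr is not None and not ip_matches(ev, "Source IP", cidr):
            continue
        if any(not keyword_matches(ev, f, v) for f, v in (keywords or {}).items()):
            continue
        if any(not number_matches(ev, f, v) for f, v in (numbers or {}).items()):
            continue
        matched.append(ev)
    return matched
```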
MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Events page. The following table explains the event fields for these incidents in the event subtype MDR.
| Name | Type | Description |
|---|---|---|
| Client Class | keyword | Type of client applications that run on the operating system that created this network flow (for example, Chrome) |
| Flows Cardinality | number | Number of network flows that were included in this security incident |
| Incident Aggregation | number | A true/false value that indicates if this event is: |
| Incident ID | keyword | ID that identifies this security incident. You can use this ID to follow up for more information with the MDR team. |
| Targets Cardinality | number | Number of servers that were included in this security incident |
The IoT/OT Security service discovers and monitors devices connected to your network. The following table explains the event fields containing data related to this service.
| Name | Description |
|---|---|
| Device Categories | General categories that the device related to the event belongs to |
| Device ID | Unique Cato identifier for the device related to the event |
| Device Manufacturer | Company that manufactured the device related to the event |
| Device Model | Name of the model of the device related to the event |
| Device OS Type | The operating system on the device related to the event |
| Device Type | Specific type of device related to the event. It is possible that the Device Type includes multiple different models |
For more about the SDP events and fields, see Browser Access Portal Overview - Securing Remote Access to Applications.
7 comments
Are all fields supposed to be documented here? I am missing an explanation of the field “Device Posture Profiles”.
The Cato Networks GraphQL API Reference is the definitive source of this sort of information for the API. I will check with the documentation team to get this article updated.
Thanks Dermot - a bit more detail than what is in the API documentation would be helpful.
Thank you so much for adding the TLS Inspection and Network Rule fields, it's been a long wait.
How does the Cato Cloud determine the “ISP Name”? Because the “ISP Name” in our log is not familiar to our environment.
What is Internal Event ID and how can I check meaning of it?
I noticed that you changed the names of certain event fields (you used to have one called "application", which is still a field, but in the event it's "Application"); you can't filter on "application" but you can on "Application". Plus there's a new field called Application Name. The Cato Predefined presets still use "application" as a selected field so you can't filter on it nor choose that field nor "Application" as a part of your query. Rule vs Rule Name is another example of your field name changes.
One, that's extremely annoying since I got used to how to filter and now I have to reprogram my brain on the new query fields.
Two, that broke a lot of custom alerts/reports I create in my SIEM because my SIEM query logic was based on the old field names so I had to rebuild all my queries after figuring out what the new field names are.
Three, your list of available fields listed here (https://support.catonetworks.com/hc/en-us/articles/5131416221085-Explaining-the-Event-Fields) is not accurate.
Does anyone know when or why they made this change? Support was no help.