These are the types of each field, and how to use them for manual filters.
-
Date and Time - Values for dates in this format "<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z", for example "2021-01-01T12:10:30.591Z"
-
IP - Filter for an IP addresses using the CIDR notation: [ip_address]/[prefix_length]
-
Keyword - Enter text strings, you can only search for Keyword fields with the exact value
-
Link - Link to an external reference
-
Number - Enter numbers as integers
-
Text - Event description, can't include in a filter
|
Name |
Type |
Description |
|---|---|---|
|
Categories |
keyword |
The default Cato categories (Configuration > Categories) |
|
Source name |
keyword |
For all traffic, the name of the source site or SDP user |
|
Event sub type |
keyword |
Event sub-type of Network, Security, Health, or System types |
|
Event type |
keyword |
Event type: Network, Security, Health, or System |
|
Type |
keyword |
Event type: Network, Security, Health, or System |
|
User email |
keyword |
Email address for the user in the Cato Management Application |
|
Name |
Type |
Description |
|---|---|---|
|
Action |
keyword |
Action that is relevant to the event type, for example: Firewall - the rule action taken for this event, only rules with track enabled generate events. Monitor events are for matching allow rules. QoS - alert or clear BGP - BGP route ignore, see Event Message below for more information. |
|
Active Directory name |
keyword |
Name of Active Directory instance |
|
Anti malware reference |
link |
Link to anti-malware database for the suspicious file |
|
Application |
keyword |
Applications that are used in the different policies, for example: Facebook, CNN |
|
Authentication type |
keyword |
Authentication method that is connected to this event, for example: MFA or password |
|
BGP Cato ASN |
keyword |
The BGP ASN for the Cato BGP peer (local connection) |
|
BGP Cato IP |
IP |
The BGP IP address for the Cato BGP peer (local connection) |
|
BGP error code |
keyword |
Error message for the BGP disconnect event |
|
BGP peer ASN |
keyword |
The BGP ASN for the BGP peer (remote connection) |
|
BGP peer description |
keyword |
For BGP events, description of the BGP neighbor from the Cato Management Application |
|
BGP peer IP |
IP |
The BGP IP address for the BGP peer (remote connection) |
|
BGP route CIDR |
keyword |
The CIDR for the BGP route |
|
BGP suberror code |
keyword |
Error message that is connected to the BGP disconnect event |
|
Client version |
keyword |
Version number for the Socket or VPN client |
|
Configured host name |
keyword |
Name configured in the Cato Management Application for a host with a Static IP address |
|
Custom categories |
keyword |
The Custom Categories for your account (Configuration > Categories) |
|
Dest country |
country |
For Internet traffic, IP address based location of the destination server |
|
Dest IP |
IP |
For Internet traffic, IP address of the destination server |
|
Dest is site or VPN |
keyword |
For WAN traffic, destination type: site or SDP user |
|
Dest port |
number |
For Internet traffic, port number for the destination server |
|
Dest site name |
keyword |
For WAN traffic, the name of the destination site or SDP user |
|
Device name |
keyword |
Name of the host connected to the event |
|
Directory host name |
keyword |
For LDAP events, the host name |
|
Directory IP |
IP |
For LDAP events, IP address of the Domain Controller |
|
Directory sync type |
keyword |
LDAP event generated because there was a sync with the Domain Controller |
|
Directory sync result |
keyword |
For LDAP events, result of sync with the Domain Controller |
|
Domain name |
keyword |
SSL SNI, HTTP host name, DNS name |
|
Event count |
number |
Count for events that are repeated multiple times during one minute |
|
Event message |
text |
Cato's description of the event BGP route ignore action:
|
|
File hash |
keyword |
For anti-malware events, hash of the relevant file |
|
File name |
keyword |
For anti-malware events, name of the relevant file |
|
File size |
number |
For anti-malware events, size (in bytes) of the relevant file |
|
IP protocol |
keyword |
Network protocol for this event |
|
ISP name |
keyword |
The ISP used for this event When the IP address isn't provided by the ISP, then the event message is IP Addresses are assigned statically |
|
Link health is congested |
keyword |
Data that measures the congestion for a specific link |
|
Link health jitter |
keyword |
Data that measures the jitter for a specific link |
|
Link health latency |
keyword |
Data that measures the latency for a specific link |
|
Link health pkt loss |
keyword |
Data that measures the packet loss for a specific link |
|
Link type |
keyword |
Link type for this connection, for example: Cato, or Alt. WAN |
|
Login type |
keyword |
Login action, values are: User portal (myvpn.catonetworks.com) or VPN client (VPN or site traffic) |
|
Mitre attack fields |
keyword |
For relevant IPS events, shows data based on the comprehensive Mitre Att&ck knowledge base of cyber adversaries
|
|
OS type |
keyword |
Type of host operating system, or tunnel device |
|
OS version |
keyword |
Version number of host operating system, or tunnel device |
|
PoP name |
keyword |
Name of PoP that is connected to this event |
|
QoS reported time |
date |
For QoS, the time that this QoS event started. The event is generated when the QoS event finishes. |
|
Related Apps |
keyword |
A list of applications identified in the traffic flow for this event, as part of the application identification process. This process analyzes the traffic at different stages of the flow, gathering information on all the protocols, services, and applications to make an accurate final determination of the application. This field provides context for the app identification by showing the various apps identified throughout the stages of the process. |
|
Risk level |
keyword |
IPS event and indicates the overall impact of a threat for the host or network: Risk level low – minimal risk for network, such as adware Risk level medium – medium risk for the network, such as network scans Risk level high – significant risk for network, such as spyware or worms |
|
Rule name |
keyword |
Name in Cato Management Application for the firewall rule |
|
Socket interface |
keyword |
Name in Cato Management Application for the Socket port (interface) |
|
Socket new version |
keyword |
For Socket upgrade events, version number for the new version |
|
Socket old version |
keyword |
For Socket upgrade events, version number for the previous version |
|
Socket reset |
keyword |
For Socket reset events, indicates a hardware or software reset |
|
Socket role |
keyword |
For Socket high availability events, indicates if the Socket is primary or secondary |
|
Socket serial |
keyword |
Serial number of the physical Socket |
|
Src country |
country |
For VPN clients and sites, the physical location for the public IP address that is outside the tunnel |
|
Src IP |
IP |
The IP address that Cato assigns to the host or VPN client |
|
Src ISP IP |
IP |
The ISP IP address that is outside the tunnel that connects the Cato Cloud |
|
Src port |
number |
The internal port number for the client, site, or host for the network connection |
|
Src is site or VPN |
keyword |
For all traffic, the name of the source site or VPN ID |
|
Src site name |
keyword |
For all traffic, the name of the source site or SDP user |
|
Subnet name |
keyword |
Name of subnet that is defined in the Cato Management Application |
|
Threat name |
keyword |
For anti-malware events, malware name For IPS events, explains the reason why the traffic was blocked |
|
Threat type |
keyword |
For anti-malware events, malware type |
|
Threat verdict |
keyword |
For anti-malware events, result of the malware scan. For files that are safe, value is clean. |
|
Throttled event subtype |
keyword |
For events that are repeated multiple times, there is a quota limit for this event type. When this event type passes the quota limit, the event is throttled. The subtype value shows the type of event that was throttled. |
|
Time |
date |
Time stamp for this event |
|
TLS Error Description |
N/A |
Explanation of the TLS error in this event, values are: close notify, unexpected message, bad record mac, decompression failure, handshake failure, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown, illegal parameter, decryption failed, record overflow, unknown CA, access denied, decode error, decrypt error, export restriction, protocol version, insufficient security, internal error, user canceled, no renegotiation, unknown PSK identity, unknown For explanations of these errors, see this document |
|
TLS Error Type |
N/A |
The type of TLS error for this event, values are: warning, fatal, unknown For explanations of these errors, see this document |
|
TLS Version |
N/A |
TLS protocol version number for this event |
|
Traffic direction |
keyword |
Direction of network traffic for this event, values are inbound or outbound |
|
Tunnel protocol |
keyword |
Protocol for the tunnel connection |
|
URL |
keyword |
For Internet traffic, URL connected to the event |
|
Windows domain name |
keyword |
For LDAP sync events, name of the AD domain |
MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Event Discovery window (Analytics > Event Discovery). The following table explains the event fields for these incidents in the event subtype MDR.
|
Name |
Type |
Description |
|---|---|---|
|
Client Class |
keyword |
Type of client applications that run on the operating system that created this network flow (for example, Chrome) |
|
Flows Cardinality |
number |
Number of network flows that were included in this security incident |
|
Incident Aggregation |
number |
A true/false value that indicates if this event is:
|
|
Incident ID |
keyword |
ID that identifies this security incident. You can use this ID to follow up for more information with the MDR team. |
|
Targets Cardinality |
number |
Number of servers that were included in this security incident |
For more about the SDP events and fields, see SDP Portal Overview - Securing Remote Access to Applications.
4 comments
Are all fields supposed to be documented here? I am missing an explanation of the field “Device Posture Profiles”.
The Cato Networks GraphQL API Reference is the definitive source of this sort of information for the API. I will check with the documentation team to get this article updated.
Thanks Dermot - a bit more detail than what is in the API documentation would helpful.
I have already been talking to R&D about this. We are working on adding more detail. I will start posting news about this effort in the Cato Community ‘Cato API’ topic.
Kind Regards,
Dermot
Please sign in to leave a comment.