These are the types of each field, and how to use them for manual filters.
-
Date and Time - Values for dates in this format "<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z", for example "2021-01-01T12:10:30.591Z"
-
IP - Filter for an IP addresses using the CIDR notation: [ip_address]/[prefix_length]
-
Keyword - Enter text strings, you can only search for Keyword fields with the exact value
-
Link - Link to an external reference
-
Number - Enter numbers as integers
-
Text - Event description, can't include in a filter
|
Name |
Type |
Description |
|---|---|---|
|
Categories |
keyword |
The default Cato categories (Configuration > Categories) |
|
Source name |
keyword |
For all traffic, the name of the source site or SDP user |
|
Event sub type |
keyword |
Event sub-type of Network, Security, Health, or System types |
|
Event type |
keyword |
Event type: Network, Security, Health, or System |
|
Type |
keyword |
Event type: Network, Security, Health, or System |
|
User email |
keyword |
Email address for the user in the Cato Management Application |
|
Name |
Type |
Description |
|---|---|---|
|
Action |
keyword |
Action that is relevant to the event type, for example: Firewall - the rule action taken for this event, only rules with track enabled generate events. Monitor events are for matching allow rules. QoS - alert or clear BGP - BGP route ignore, see Event Message below for more information. |
|
Active Directory name |
keyword |
Name of Active Directory instance |
|
Anti malware reference |
link |
Link to anti-malware database for the suspicious file |
|
Application |
keyword |
Applications that are used in the Internet Firewall, for example: Facebook, CNN |
|
Authentication type |
keyword |
Authentication method that is connected to this event, for example: MFA or password |
|
BGP Cato ASN |
keyword |
The BGP ASN for the Cato BGP peer (local connection) |
|
BGP Cato IP |
IP |
The BGP IP address for the Cato BGP peer (local connection) |
|
BGP error code |
keyword |
Error message for the BGP disconnect event |
|
BGP peer ASN |
keyword |
The BGP ASN for the BGP peer (remote connection) |
|
BGP peer description |
keyword |
For BGP events, description of the BGP neighbor from the Cato Management Application |
|
BGP peer IP |
IP |
The BGP IP address for the BGP peer (remote connection) |
|
BGP route CIDR |
keyword |
The CIDR for the BGP route |
|
BGP suberror code |
keyword |
Error message that is connected to the BGP disconnect event |
|
Client version |
keyword |
Version number for the Socket or VPN client |
|
Configured host name |
keyword |
Name configured in the Cato Management Application for a host with a Static IP address |
|
Custom categories |
keyword |
The Custom Categories for your account (Configuration > Categories) |
|
Dest country |
country |
For Internet traffic, IP address based location of the destination server |
|
Dest IP |
IP |
For Internet traffic, IP address of the destination server |
|
Dest is site or VPN |
keyword |
For WAN traffic, destination type: site or SDP user |
|
Dest port |
number |
For Internet traffic, port number for the destination server |
|
Dest site name |
keyword |
For WAN traffic, the name of the destination site or SDP user |
|
Device name |
keyword |
Name of the host connected to the event |
|
Directory host name |
keyword |
For LDAP events, the host name |
|
Directory IP |
IP |
For LDAP events, IP address of the Domain Controller |
|
Directory sync type |
keyword |
LDAP event generated because there was a sync with the Domain Controller |
|
Directory sync result |
keyword |
For LDAP events, result of sync with the Domain Controller |
|
Domain name |
keyword |
SSL SNI, HTTP host name, DNS name |
|
Event count |
number |
Count for events that are repeated multiple times during one minute |
|
Event message |
text |
Cato's description of the event BGP route ignore action:
|
|
File hash |
keyword |
For anti-malware events, hash of the relevant file |
|
File name |
keyword |
For anti-malware events, name of the relevant file |
|
File size |
number |
For anti-malware events, size (in bytes) of the relevant file |
|
IP protocol |
keyword |
Network protocol for this event |
|
ISP name |
keyword |
The ISP used for this event When the IP address isn't provided by the ISP, then the event message is IP Addresses are assigned statically |
|
Link health is congested |
keyword |
Data that measures the congestion for a specific link |
|
Link health jitter |
keyword |
Data that measures the jitter for a specific link |
|
Link health latency |
keyword |
Data that measures the latency for a specific link |
|
Link health pkt loss |
keyword |
Data that measures the packet loss for a specific link |
|
Link type |
keyword |
Link type for this connection, for example: Cato, or Alt. WAN |
|
Login type |
keyword |
Login action, values are: User portal (myvpn.catonetworks.com) or VPN client (VPN or site traffic) |
|
Mitre attack fields |
keyword |
For relevant IPS events, shows data based on the comprehensive Mitre Att&ck knowledge base of cyber adversaries
|
|
OS type |
keyword |
Type of host operating system, or tunnel device |
|
OS version |
keyword |
Version number of host operating system, or tunnel device |
|
PoP name |
keyword |
Name of PoP that is connected to this event |
|
QoS reported time |
date |
For QoS, the time that this QoS event started. The event is generated when the QoS event finishes. |
|
Risk level |
keyword |
IPS event and indicates the overall impact of a threat for the host or network: Risk level low – minimal risk for network, such as adware Risk level medium – medium risk for the network, such as network scans Risk level high – significant risk for network, such as spyware or worms |
|
Rule name |
keyword |
Name in Cato Management Application for the firewall rule |
|
Socket interface |
keyword |
Name in Cato Management Application for the Socket port (interface) |
|
Socket new version |
keyword |
For Socket upgrade events, version number for the new version |
|
Socket old version |
keyword |
For Socket upgrade events, version number for the previous version |
|
Socket reset |
keyword |
For Socket reset events, indicates a hardware or software reset |
|
Socket role |
keyword |
For Socket high availability events, indicates if the Socket is primary or secondary |
|
Socket serial |
keyword |
Serial number of the physical Socket |
|
Src country |
country |
For VPN clients and sites, the physical location for the public IP address that is outside the tunnel |
|
Src IP |
IP |
The IP address that Cato assigns to the host or VPN client |
|
Src ISP IP |
IP |
The ISP IP address that is outside the tunnel that connects the Cato Cloud |
|
Src port |
number |
The internal port number for the client, site, or host for the network connection |
|
Src is site or VPN |
keyword |
For all traffic, the name of the source site or VPN ID |
|
Src site name |
keyword |
For all traffic, the name of the source site or SDP user |
|
Subnet name |
keyword |
Name of subnet that is defined in the Cato Management Application |
|
Threat name |
keyword |
For anti-malware events, malware name For IPS events, explains the reason why the traffic was blocked |
|
Threat type |
keyword |
For anti-malware events, malware type |
|
Threat verdict |
keyword |
For anti-malware events, result of the malware scan. For files that are safe, value is clean. |
|
Throttled event subtype |
keyword |
For events that are repeated multiple times, there is a quota limit for this event type. When this event type passes the quota limit, the event is throttled. The subtype value shows the type of event that was throttled. |
|
Time |
date |
Time stamp for this event |
|
Traffic direction |
keyword |
Direction of network traffic for this event, values are inbound or outbound |
|
Tunnel protocol |
keyword |
Protocol for the tunnel connection |
|
URL |
keyword |
For Internet traffic, URL connected to the event |
|
Windows domain name |
keyword |
For LDAP sync events, name of the AD domain |
MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Event Discovery window (Analytics > Event Discovery). The following table explains the event fields for these incidents in the event subtype MDR.
|
Name |
Type |
Description |
|---|---|---|
|
Client Class |
keyword |
Type of client applications that run on the operating system that created this network flow (for example, Chrome) |
|
Flows Cardinality |
number |
Number of network flows that were included in this security incident |
|
Incident Aggregation |
number |
A true/false value that indicates if this event is:
|
|
Incident ID |
keyword |
ID that identifies this security incident. You can use this ID to follow up for more information with the MDR team. |
|
Targets Cardinality |
number |
Number of servers that were included in this security incident |
For more about the SDP events and fields, see SDP Portal Overview - Securing Remote Access to Applications.
Comments
0 comments
Article is closed for comments.