These are the types of each field, and how to use them in manual filters.

- Date and Time - Dates in the format "<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z", for example "2021-01-01T12:10:30.591Z"
- IP - Filter for IP addresses using CIDR notation: [ip_address]/[prefix_length]
- Keyword - Enter text strings; Keyword fields can only be searched for the exact value
- Link - Link to an external reference
- Number - Enter numbers as integers
- Text - Event description; can't be included in a filter
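The following is an added example, not code from Cato Networks or from this page: a small matcher that applies manual filters to exported events according to the field types above (date, IP, keyword, number, text). The event records, the field-to-type map, the field values and the choice to treat a date filter as an inclusive start/end range and a keyword filter as a case-sensitive exact match are all constructed assumptions for the demonstration, not real Cato output or documented behaviour.

```python
"""Added example (not Cato's code): apply manual filters to events using the
field types listed above. All events and values are constructed sample data."""
from datetime import datetime, timezone
import ipaddress

# Field types taken from the tables on this page; only the fields used below.
FIELD_TYPES = {
    "Time": "date",
    "Src IP": "ip",
    "Dest IP": "ip",
    "Dest port": "number",
    "Event type": "keyword",
    "Event sub type": "keyword",
    "Action": "keyword",
    "Risk level": "keyword",
    "Event message": "text",   # text fields can't be included in a filter
}

# Constructed sample events (illustrative values, not captured data).
EVENTS = [
    {"Time": "2021-01-01T12:10:30.591Z", "Event type": "Security",
     "Event sub type": "Internet Firewall", "Action": "Block",
     "Src IP": "10.1.2.3", "Dest IP": "203.0.113.10", "Dest port": 443,
     "Risk level": "high", "Event message": "blocked by firewall rule"},
    {"Time": "2021-01-01T12:15:00.000Z", "Event type": "Security",
     "Event sub type": "IPS", "Action": "Monitor",
     "Src IP": "10.1.9.20", "Dest IP": "198.51.100.7", "Dest port": 80,
     "Risk level": "medium", "Event message": "network scan detected"},
    {"Time": "2021-01-02T08:00:00.000Z", "Event type": "Network",
     "Event sub type": "Routing", "Action": "BGP route ignore",
     "Src IP": "192.168.5.4", "Dest IP": "192.168.7.1", "Dest port": 179,
     "Event message": "route ignored"},
]


def parse_date(value: str) -> datetime:
    """Parse "<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z"
    (for example 2021-01-01T12:10:30.591Z) into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def filterable_fields() -> list:
    """Names of the fields that may appear in a filter (everything but text)."""
    return [name for name, ftype in FIELD_TYPES.items() if ftype != "text"]


def field_matches(field: str, event_value, filter_value) -> bool:
    """Compare one event field against one filter value, per field type."""
    ftype = FIELD_TYPES[field]
    if ftype == "text":
        raise ValueError(f"{field!r} is a text field and can't be filtered")
    if event_value is None:            # field absent from this event
        return False
    if ftype == "keyword":
        return event_value == filter_value             # exact match only
    if ftype == "number":
        return int(event_value) == int(filter_value)   # integers only
    if ftype == "ip":
        # Filter is [ip_address]/[prefix_length]; a bare address is a host route.
        return ipaddress.ip_address(event_value) in ipaddress.ip_network(filter_value, strict=False)
    if ftype == "date":
        start, end = (parse_date(v) for v in filter_value)   # assumed inclusive range
        return start <= parse_date(event_value) <= end
    raise ValueError(f"unknown field type {ftype!r} for {field!r}")


def apply_filters(events, filters):
    """Return the events that satisfy every filter (filters are ANDed)."""
    return [e for e in events
            if all(field_matches(f, e.get(f), v) for f, v in filters.items())]


if __name__ == "__main__":
    hits = apply_filters(EVENTS, {"Src IP": "10.1.0.0/16", "Event type": "Security"})
    for e in hits:
        print(e["Time"], e["Event sub type"], e["Action"])
```

Keyword comparison is exact, so a filter value of "block" does not match an event whose Action is "Block"; copy the value from an existing event rather than typing it from memory. The `"Event message"` entry exists only to show that a text field is rejected before any comparison is attempted.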
| Name | Type | Description |
|---|---|---|
| Categories | keyword | The default Cato categories (Configuration > Categories) |
| Source name | keyword | For all traffic, the name of the source site or SDP user |
| Event sub type | keyword | Event sub-type of the Network, Security, Health, or System types |
| Event type | keyword | Event type: Network, Security, Health, or System |
| Type | keyword | Event type: Network, Security, Health, or System |
| User email | keyword | Email address for the user in the Cato Management Application |
| Name | Type | Description |
|---|---|---|
| Action | keyword | Action that is relevant to the event type. Firewall: the rule action taken for this event (only rules with Track enabled generate events; Monitor events are for matching Allow rules). QoS: alert or clear. BGP: BGP route ignore (see Event message below for more information). |
| Active Directory name | keyword | Name of the Active Directory instance |
| Anti malware reference | link | Link to the anti-malware database entry for the suspicious file |
| Application | keyword | Applications that are used in the Internet Firewall, for example: Facebook, CNN |
| Authentication type | keyword | Authentication method connected to this event, for example: MFA or password |
| BGP Cato ASN | keyword | The BGP ASN for the Cato BGP peer (local connection) |
| BGP Cato IP | IP | The BGP IP address for the Cato BGP peer (local connection) |
| BGP error code | keyword | Error message for the BGP disconnect event |
| BGP peer ASN | keyword | The BGP ASN for the BGP peer (remote connection) |
| BGP peer description | keyword | For BGP events, the description of the BGP neighbor from the Cato Management Application |
| BGP peer IP | IP | The BGP IP address for the BGP peer (remote connection) |
| BGP route CIDR | keyword | The CIDR for the BGP route |
| BGP suberror code | keyword | Error message connected to the BGP disconnect event |
| Client version | keyword | Version number for the Socket or VPN client |
| Configured host name | keyword | Name configured in the Cato Management Application for a host with a static IP address |
| Custom categories | keyword | The Custom Categories for your account (Configuration > Categories) |
| Dest country | country | For Internet traffic, IP address based location of the destination server |
| Dest IP | IP | For Internet traffic, IP address of the destination server |
| Dest is site or VPN | keyword | For WAN traffic, destination type: site or SDP user |
| Dest port | number | For Internet traffic, port number of the destination server |
| Dest site name | keyword | For WAN traffic, the name of the destination site or SDP user |
| Device name | keyword | Name of the host connected to the event |
| Directory host name | keyword | For LDAP events, the host name |
| Directory IP | IP | For LDAP events, IP address of the Domain Controller |
| Directory sync type | keyword | For LDAP events, indicates that the event was generated by a sync with the Domain Controller |
| Directory sync result | keyword | For LDAP events, result of the sync with the Domain Controller |
| Domain name | keyword | SSL SNI, HTTP host name, or DNS name |
| Event count | number | Count for events that are repeated multiple times during one minute |
| Event message | text | Cato's description of the event. For the BGP route ignore action, the message gives more information about the ignored route. |
| File hash | keyword | For anti-malware events, hash of the relevant file |
| File name | keyword | For anti-malware events, name of the relevant file |
| File size | number | For anti-malware events, size (in bytes) of the relevant file |
| IP protocol | keyword | Network protocol for this event |
| ISP name | keyword | The ISP used for this event. When the IP address isn't provided by the ISP, the event message is "IP Addresses are assigned statically" |
| Link health is congested | keyword | Data that measures the congestion for a specific link |
| Link health jitter | keyword | Data that measures the jitter for a specific link |
| Link health latency | keyword | Data that measures the latency for a specific link |
| Link health pkt loss | keyword | Data that measures the packet loss for a specific link |
| Link type | keyword | Link type for this connection, for example: Cato or Alt. WAN |
| Login type | keyword | Login action; values are User portal (myvpn.catonetworks.com) or VPN client (VPN or site traffic) |
| Mitre attack fields | keyword | For relevant IPS events, shows data based on the MITRE ATT&CK knowledge base of adversary tactics and techniques |
| OS type | keyword | Type of host operating system, or tunnel device |
| OS version | keyword | Version number of the host operating system, or tunnel device |
| PoP name | keyword | Name of the PoP connected to this event |
| QoS reported time | date | For QoS events, the time that the QoS event started. The event is generated when the QoS event finishes. |
| Risk level | keyword | For IPS events, indicates the overall impact of the threat on the host or network: low (minimal risk, such as adware), medium (medium risk, such as network scans), high (significant risk, such as spyware or worms) |
| Rule name | keyword | Name in the Cato Management Application for the firewall rule |
| Socket interface | keyword | Name in the Cato Management Application for the Socket port (interface) |
| Socket new version | keyword | For Socket upgrade events, version number of the new version |
| Socket old version | keyword | For Socket upgrade events, version number of the previous version |
| Socket reset | keyword | For Socket reset events, indicates a hardware or software reset |
| Socket role | keyword | For Socket high availability events, indicates whether the Socket is primary or secondary |
| Socket serial | keyword | Serial number of the physical Socket |
| Src country | country | For VPN clients and sites, the physical location of the public IP address outside the tunnel |
| Src IP | IP | The IP address that Cato assigns to the host or VPN client |
| Src ISP IP | IP | The ISP IP address outside the tunnel that connects to the Cato Cloud |
| Src port | number | The internal port number of the client, site, or host for the network connection |
| Src is site or VPN | keyword | For all traffic, source type: site or SDP user |
| Src site name | keyword | For all traffic, the name of the source site or SDP user |
| Subnet name | keyword | Name of the subnet defined in the Cato Management Application |
| Threat name | keyword | For anti-malware events, the malware name. For IPS events, the reason why the traffic was blocked |
| Threat type | keyword | For anti-malware events, the malware type |
| Threat verdict | keyword | For anti-malware events, result of the malware scan. For files that are safe, the value is clean |
| Throttled event subtype | keyword | Event types that can repeat many times have a quota limit. When an event type passes its quota, the event is throttled, and this field shows the subtype of the event that was throttled |
| Time | date | Timestamp for this event |
| Traffic direction | keyword | Direction of network traffic for this event; values are inbound or outbound |
| Tunnel protocol | keyword | Protocol for the tunnel connection |
| URL | keyword | For Internet traffic, the URL connected to the event |
| Windows domain name | keyword | For LDAP sync events, name of the AD domain |
MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Event Discovery window (Analytics > Event Discovery). The following table explains the event fields for these incidents, which have the event subtype MDR.
| Name | Type | Description |
|---|---|---|
| Client Class | keyword | Type of client application running on the operating system that created this network flow (for example, Chrome) |
| Flows Cardinality | number | Number of network flows included in this security incident |
| Incident Aggregation | number | A true/false value that indicates if this event is: |
| Incident ID | keyword | ID that identifies this security incident. You can use this ID to follow up with the MDR team for more information. |
| Targets Cardinality | number | Number of servers included in this security incident |
For more about the SDP events and fields, see SDP Portal Overview - Securing Remote Access to Applications.