| Name | Description |
|---|---|
| Action | Action that is relevant to the event type, for example: |
| Active Directory name | Name of the Active Directory instance |
| API Key Name | Name defined for the public API key in the Cato Management Application |
| Application | Applications that are used in the different policies, for example: Facebook, CNN |
| Authentication type | Authentication method connected to this event, for example: MFA or password |
| BGP Cato ASN | The BGP ASN for the Cato BGP peer (local connection) |
| BGP Cato IP | The BGP IP address for the Cato BGP peer (local connection) |
| BGP error code | Error message for the BGP disconnect event |
| BGP peer ASN | The BGP ASN for the BGP peer (remote connection) |
| BGP peer description | For BGP events, description of the BGP neighbor from the Cato Management Application |
| BGP peer IP | The BGP IP address for the BGP peer (remote connection) |
| BGP route CIDR | The CIDR for the BGP route |
| BGP suberror code | Error message connected to the BGP disconnect event |
| Category | Default system Cato categories |
| Cato App | App data related to this traffic flow |
| Certificate Expiration Date | Expiration date for the Client certificate |
| Client Class | Type of process generating this traffic |
| Client Version | Version number for the Socket or Cato Client |
| Collaborators | For SaaS Security API, email addresses of the users that received the file |
| Configured Host Name | Name configured in the Cato Management Application for a host with a static IP address |
| Congestion Algorithm | The TCP congestion control algorithm for the traffic in the event. Possible values: CUBIC, NewReno, BBR |
| Connector Name | For SaaS Security API, name of the connector |
| Connector Type | For SaaS Security API, SaaS app for the connector |
| Criticality | For XDR events, 0 (no risk/impact) to 10 (very high risk/impact) |
| Custom categories | The Custom Categories for your account (Configuration > Categories) |
| Destination Country | For Internet traffic, IP address based location of the destination server |
| Destination Country Code | For Internet traffic, the two-letter country code (ISO 3166-1 alpha-2) of the country where the destination host is located |
| Destination IP | For Internet traffic, IP address of the destination server |
| Destination is Site or SDP User | For WAN traffic, destination type: site or SDP user |
| Destination Port | For Internet traffic, port number for the destination server |
| Destination Site | For WAN traffic, the name of the destination site or SDP user |
| Device Name | Name of the host connected to the event |
| Device Posture Profiles | Profiles that matched this event |
| Directory Host Name | For LDAP events, the host name |
| Directory IP | For LDAP events, IP address of the Domain Controller |
| Directory Sync Result | For LDAP events, result of the sync with the Domain Controller |
| Directory Sync Type | LDAP event generated because there was a sync with the Domain Controller |
| Display Name | The name of the user |
| DLP Profiles | DLP profiles related to the event |
| DNS Protection Category | Cato's DNS Protection type that matched the DNS request |
| DNS Query | Domain queried in the DNS request |
| Domain Name | SSL SNI, HTTP host name, or DNS name |
| Egress PoP Name | Name of the PoP the traffic egresses from, as defined in a Network Rule using a NAT or Route via configuration. The field is shown only when traffic egresses from a PoP other than the one the site is connected to |
| Egress Site | Name of the egress site for backhauled traffic |
| Event Count | Count for events that are repeated multiple times during one minute |
| Event Message | Cato's description of the event. For the BGP route ignore action: |
| Event Type | Type of event: Connectivity, Security, Routing, System, Sockets Management, or Detection and Response |
| File Hash | For anti-malware events, hash of the relevant file |
| File Name | For anti-malware events, name of the relevant file |
| File Size | For anti-malware events, size (in bytes) of the relevant file |
| File Type | For anti-malware events, file type |
| Flows Cardinality | Number of flows for a given incident |
| Full Path URL | Full path URL for app activity |
| Host IP | IP address of the host related to the event |
| Host MAC Address | MAC address of the host for this event |
| IP Protocol | Network protocol for this event |
| ISP Name | The ISP used for this event. When the IP address isn't provided by the ISP, the event message is "IP Addresses are assigned statically". Note: for sites with multiple active WAN interfaces that use different ISPs, the ISP Name value might not be accurate, because the interface can change over the lifetime of the traffic flow |
| Link Health is Congested | Data that measures the congestion for a specific link |
| Link Health Jitter | Data that measures the jitter for a specific link |
| Link Health Latency | Data that measures the latency for a specific link |
| Link Health Packet Loss | Data that measures the packet loss for a specific link |
| Link Type | Link type for this connection, for example: Cato, or Alt. WAN |
| Login Type | Login action, values are: Admin Login (myvpn.catonetworks.com) or VPN client (remote access or site traffic) |
| Matched Data Types | Matched DLP data types related to the event |
| Mitre Attack fields | For relevant IPS events, shows data based on the comprehensive MITRE ATT&CK knowledge base of cyber adversaries |
| Network Rule | Name of the Network Rule matched by the traffic in this event. A value of 0 indicates that the flow experienced packet corruption issues, or was a system flow such as accessing the Socket WebUI |
| OnPrem SID | Unique identifier assigned to a user object in Microsoft's Azure Active Directory (Azure AD), used to distinctly identify and manage the user across the various Azure services |
| OS Type | Type of host operating system, or tunnel device |
| OS Version | Version number of the host operating system, or tunnel device |
| PoP Name | Name of the PoP location connected to this event |
| Public Source IP | The public IP address assigned by the PoP the traffic egressed from. For sites that use Internet Traffic Backhauling as the routing method, this field shows the Local IP address of the Native Range for the site. The field is not shown for traffic that doesn't egress from the PoP to the Internet, such as internal DNS requests and FTP traffic |
| QoS Priority | The QoS priority value defined in the Network Rule matched by the traffic |
| QoS Reported time | For QoS, the time that this QoS event started. The event is generated when the QoS event finishes |
| Registration Code | Registration code used the first time that an SDP user authenticates (the code is partially obfuscated) |
| Related Apps | A list of applications identified in the traffic flow for this event, as part of the application identification process. This process analyzes the traffic at different stages of the flow, gathering information on all the protocols, services, and applications to make an accurate final determination of the application. This field provides context for the app identification by showing the apps identified throughout the stages of the process |
| Request Method | HTTP request method (e.g., GET, POST) |
| Risk Level | IPS event indicating the overall impact of a threat for the host or network. Low: minimal risk for the network, such as adware. Medium: medium risk for the network, such as network scans. High: significant risk for the network, such as spyware or worms |
| Rule | Name of the Firewall Rule matched by the traffic in this event |
| Rule ID | Unique Cato ID for the security rule related to the event |
| SAM Account Name | Logon name used on versions of Windows prior to Windows 2000, used within a Windows Active Directory |
| Severity | Severity defined for the security rule |
| Sharing Scope | Sharing options for the file (such as SharePoint) |
| Signature ID | For IPS and SAM, ID of the IPS signature |
| Socket Interface ID | Unique Cato ID for the Socket interface |
| Socket Interface Name | Name in the Cato Management Application for the Socket port (interface) |
| Socket New Version | For Socket upgrade events, the version number for the new version |
| Socket Old Version | For Socket upgrade events, the version number for the previous version |
| Socket Reset | For Socket reset events, indicates a hardware or software reset |
| Socket Role | For Socket high availability events, indicates if the Socket is primary or secondary |
| Source Country | For Clients and sites, the physical location for the public IP address that is outside the tunnel (detected via public IP address) |
| Source Country Code | Country code of the country in which the source host is located (detected via public IP address) |
| Source IP | The IP address that Cato assigns to the host or Client |
| Source ISP IP | The ISP IP address, outside the tunnel, that connects to the Cato Cloud |
| Source is Site or SDP User | For WAN traffic, source type: site or SDP user |
| Source | For all traffic, the name of the source site or SDP user |
| Source Port | The internal port number for the Client, site, or host for the network connection |
| Source Site | For all traffic, the name of the source site or SDP user |
| Subnet name | Name of the subnet that is defined in the Cato Management Application |
| Sub-Type | Subtype for an Event Type, such as Internet Firewall, SDP Activity, Apps Security |
| Targets Cardinality | Number of targets (servers) associated with this event |
| TCP Acceleration | Shows if traffic in the event was TCP accelerated. Values are 1 (accelerated) and 0 (not accelerated). The field appears only for TCP-based traffic flows |
| Threat Name | For anti-malware events, the malware name. For IPS events, the reason why the traffic was blocked |
| Threat Reference | Link to the anti-malware threat database for the suspicious file |
| Threat Type | Type of malware event |
| Threat Verdict | Result of the malware scan. For files that are safe, the value is clean |
| Time | Time stamp for this event (Linux epoch format) |
| TLS Error Description | Explanation of the TLS error in this event, values are: close notify, unexpected message, bad record mac, decompression failure, handshake failure, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown, illegal parameter, decryption failed, record overflow, unknown CA, access denied, decode error, decrypt error, export restriction, protocol version, insufficient security, internal error, user canceled, no renegotiation, unknown PSK identity, unknown. For explanations of these errors, see this document |
| TLS Error Type | The type of TLS error related to this event, values are: |
| TLS Inspection | Shows if traffic in the event was TLS inspected. Values are 1 (inspected) and 0 (not inspected). The field appears only for TLS traffic flows |
| TLS Version | TLS protocol version number for this event |
| Traffic Direction | Direction of network traffic for this event, values are inbound or outbound |
| Tunnel Protocol | Protocol for the tunnel connection |
| Upgrade End Time | Socket upgrade end time (Linux epoch format) |
| Upgrade Initiated By | Indicates if the Socket upgrade occurred during the maintenance window or was initiated by Support (value is Cato Admin) |
| Upgrade Start Time | Socket upgrade start time (Linux epoch format) |
| URL | For Internet traffic, URL for the event |
| User Awareness Method | Method used to get the identity with User Awareness (such as Identity Agent) |
| User email | Email address for the user |
| User Name | User that generated the event |
| User Object ID | Unique identifier assigned to a user object within Azure Active Directory, used to distinctly identify and manage user accounts |
| User Principal Name | Login name for a user in a Microsoft Active Directory environment, formatted as an email address (e.g., user@domain.com), and used for sign-in purposes |
| User Reference ID | For the Block/Prompt page, reference ID to report an incorrect category |
| User SID | Unique identifier assigned to each user on a Windows device system to manage permissions and access rights |
| Windows Domain Name | For LDAP sync events, name of the AD domain |
| XFF | The XFF (X-Forwarded-For) HTTP header indicates the original IP address for the connection |
MDR (Managed Detection and Response) customers of Cato Networks can view the events for security incidents in the Events page. The following table explains the event fields for these incidents in the event subtype MDR.
| Name | Type | Description |
|---|---|---|
| Client Class | keyword | Type of client application that runs on the operating system that created this network flow (for example, Chrome) |
| Flows Cardinality | number | Number of network flows that were included in this security incident |
| Incident Aggregation | number | A true/false value that indicates if this event is: |
| Incident ID | keyword | ID that identifies this security incident. You can use this ID to follow up for more information with the MDR team. |
| Targets Cardinality | number | Number of servers that were included in this security incident |
This is a list of the event sub-types:
- Connectivity
  - API Key
  - Cato Management Application
  - Changed PoP
  - Client Connectivity Policy
  - Connected
  - DHCP Lease
  - Disconnected
  - LAN Monitoring
  - Last-Mile Quality
  - Link-Aggregation
  - Off-Cloud Transport Connect
  - Off-Cloud Transport Disconnect
  - Passive Connect
  - Passive Disconnect
  - Reconnected
  - Recovery via Alt. WAN
  - Registration Code
  - SDP Portal
  - Socket Fail-Over
- Detection and Response
  - XDR Endpoint
  - XDR Network
  - XDR Threat
- Routing
  - BGP Routing
  - BGP Session
  - VPN Never-Off Bypass
- Security
  - Application Sign in
  - Apps Security
  - DNS Protection
  - Endpoint Protection
  - Identity Alert
  - Internet Firewall
  - IPS
  - LAN Firewall
  - MAC Address Authentication
  - Misclassification
  - NG Anti Malware
  - RPF
  - Saas Security API Anti Malware
  - Saas Security API Data Protection
  - SDP Activity
  - Suspicious Activity
  - TLS
  - WAN Firewall
- Sockets Management
  - Socket Password Reset
  - Socket Upgrade
  - Socket WebUI Access
- System
  - DC Connectivity Failure
  - Directory Services
  - Multiple Users Detected
  - QUOTA LIMIT
  - SCIM Provisioning
  - SDP License
For more about the SDP events and fields, see Browser Access Portal Overview - Securing Remote Access to Applications.
These are the types of each field, and how to use them for manual filters.
- Date and Time - Date values use the format `<year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z`, for example `2021-01-01T12:10:30.591Z`
- IP - Filter for IP addresses using CIDR notation: `[ip_address]/[prefix_length]`
- Keyword - Enter text strings; Keyword fields can only be searched with the exact value
- Link - Link to an external reference
- Number - Enter numbers as integers
- Text - Event description; can't be included in a filter
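The filter semantics above (exact-match keywords, CIDR-matched IP fields, integer numbers, ISO-8601 date strings with millisecond precision, and Text fields that cannot be filtered) are easy to get subtly wrong when you replicate Cato event searches offline, for example in a SIEM pre-filter or a detection unit test. The following is an added example, not Cato Networks code and not a Cato API client: it applies each field type's matching rule to a handful of constructed event records whose keys merely mirror the field names from the reference table (`time`, `source_ip`, `sub_type`, and so on are this example's own naming), and it converts the epoch-millisecond `Time` value to and from the date format the filter expects.

```python
"""Manual-filter semantics for Cato event fields, by field type.

Added example (not Cato Networks code). The event records below are constructed
for illustration; the key names only mirror the field names in the reference
table, and nothing here calls a Cato API.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timezone
from typing import Any

# Constructed sample events (invented values). "time" is a Linux epoch
# timestamp in milliseconds, matching how the Time field is described above.
SAMPLE_EVENTS = [
    {"time": 1609503030591, "event_type": "Security", "sub_type": "IPS",
     "source_ip": "10.20.30.5", "destination_ip": "203.0.113.10",
     "risk_level": "high", "tls_inspection": 1, "event_count": 3,
     "event_message": "IPS signature matched"},
    {"time": 1609503090000, "event_type": "Security", "sub_type": "Internet Firewall",
     "source_ip": "10.20.31.7", "destination_ip": "198.51.100.4",
     "risk_level": "low", "tls_inspection": 0, "event_count": 1,
     "event_message": "Blocked by rule"},
    {"time": 1609589430000, "event_type": "Connectivity", "sub_type": "Disconnected",
     "source_ip": "10.20.30.9", "destination_ip": "",
     "event_count": 1, "event_message": "Tunnel down"},
]

# Date and Time values: <year>-<month>-<day>T<hour>:<minute>:<second>.<millisecond>Z
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")


def epoch_ms_to_iso(ms: int) -> str:
    """Render an epoch-millisecond Time value in the filter date format."""
    secs, millis = divmod(int(ms), 1000)
    dt = datetime.fromtimestamp(secs, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S") + f".{millis:03d}Z"


def iso_to_epoch_ms(text: str) -> int:
    """Parse the filter date format back to epoch milliseconds; reject anything else."""
    if not ISO_RE.match(text):
        raise ValueError(f"expected a date like 2021-01-01T12:10:30.591Z, got {text!r}")
    dt = datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    # Integer arithmetic avoids float rounding on the millisecond part.
    return int(dt.replace(microsecond=0).timestamp()) * 1000 + dt.microsecond // 1000


def match_ip(value: str, cidr: str) -> bool:
    """IP fields filter by CIDR ([ip_address]/[prefix_length]); empty values never match."""
    if not value:
        return False
    return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)


def match_keyword(value: Any, term: str) -> bool:
    """Keyword fields match only on the exact value (no substring, no case folding)."""
    return str(value) == term


def match_number(value: Any, number: int) -> bool:
    """Number fields are compared as integers."""
    return int(value) == int(number)


def match_date(ms: int, start: str, end: str) -> bool:
    """Date and Time fields: inclusive start, exclusive end, both in the ISO format."""
    return iso_to_epoch_ms(start) <= int(ms) < iso_to_epoch_ms(end)


def event_matches(event: dict, filters: list[tuple[str, str, Any]]) -> bool:
    """Apply (field, field_type, argument) filters; every filter must match (AND)."""
    for field, ftype, arg in filters:
        value = event.get(field)
        if value is None:
            return False
        if ftype == "keyword":
            ok = match_keyword(value, arg)
        elif ftype == "ip":
            ok = match_ip(value, arg)
        elif ftype == "number":
            ok = match_number(value, arg)
        elif ftype == "date":
            ok = match_date(value, arg[0], arg[1])
        elif ftype == "text":
            # Text fields (such as Event Message) cannot be used in a filter.
            raise ValueError(f"{field} is a Text field and cannot be filtered")
        else:
            raise ValueError(f"unknown field type {ftype!r}")
        if not ok:
            return False
    return True


def filter_events(events: list[dict], filters: list[tuple[str, str, Any]]) -> list[dict]:
    """Return the events that satisfy all filters."""
    return [e for e in events if event_matches(e, filters)]


if __name__ == "__main__":
    day = ("2021-01-01T00:00:00.000Z", "2021-01-02T00:00:00.000Z")
    hits = filter_events(SAMPLE_EVENTS, [("time", "date", day),
                                         ("source_ip", "ip", "10.20.30.0/24")])
    for e in hits:
        print(epoch_ms_to_iso(e["time"]), e["sub_type"], e["source_ip"])
```

The `keyword` rule is the one most often mis-implemented: `"ips"` does not match a Sub-Type of `IPS`, and a substring such as `"Firewall"` matches nothing, so a detection that expects partial matches will silently return zero events. The `ip` rule treats an empty value (as on a Connectivity event with no destination) as a non-match rather than an error, so one malformed record does not abort the whole search.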
6 comments
Are all fields supposed to be documented here? I am missing an explanation of the field “Device Posture Profiles”.
The Cato Networks GraphQL API Reference is the definitive source of this sort of information for the API. I will check with the documentation team to get this article updated.
Thanks Dermot - a bit more detail than what is in the API documentation would be helpful.
I have already been talking to R&D about this. We are working on adding more detail. I will start posting news about this effort in the Cato Community ‘Cato API’ topic.
Kind Regards,
Dermot
Thank you so much for adding the TLS Inspection and Network Rule fields, it's been a long wait.
How does the Cato Cloud determine the “ISP Name”? Because the “ISP Name” in our log is not familiar to our environment.