sase.cato
Introduction
Tags beginning with sase.cato identify events generated by Cato Networks.
Valid tags and data tables
The full tag must have 4 levels. The first two are fixed as sase.cato. The third level indicates the product.
These are the valid tags and corresponding data tables that will receive the parsers' data:
Product / Service | Tags | Data tables |
---|---|---|
Cato Networks | | |
For more information, read About Devo tags.
Table structure
These are the fields displayed in these tables:
sase.cato.security
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
subtype | | vsubtype | |
isp_name | | | |
account_id | | | |
action | | | |
app_stack | | | |
application | | | |
categories | | | |
destination_ip | | | |
destination_ipv4 | | | |
destination_ipv6 | | | |
dest_is_site_or_vpn | | | |
destination_port | | | |
dest_site | | | |
dest_site_name | | | |
dest_user_id | | | |
event_count | | | |
event_sub_type | | | |
event_type | | | |
internal_id | | | |
ip_protocol | | | |
os_type | | | |
pop_name | | | |
rule | | | |
rule_id | | | |
rule_name | | | |
source_geo_country_name | | | |
src_country_code | | | |
source_ip | | | |
source_ipv4 | | | |
source_ipv6 | | | |
src_is_site_or_vpn | | | |
src_isp_ip | | | |
src_isp_ipv4 | | | |
src_isp_ipv6 | | | |
src_site | | | |
src_site_name | | | |
subnet_name | | | |
time | | | |
time_str | | | |
user_id | | | |
destination_geo_country_name | | | |
dest_country_code | | | |
device_name | | | |
domain_name | | | |
http_host_name | | | |
cato_app | | | |
full_path_url | | | |
http_request_method | | | |
mitre_attack_subtechniques | | | |
mitre_attack_tactics | | | |
mitre_attack_techniques | | | |
risk_level | | | |
signature_id | | | |
source_port | | | |
threat_name | | | |
threat_reference | | | |
threat_type | | | |
traffic_direction | | | |
xff | | | |
ad_name | | | |
tls_error_description | | | |
tls_error_type | | | |
tls_version | | | |
vpn_user_email | | | |
configured_host_name | | | |
dns_protection_category | | | |
dns_query | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |
sase.cato.connectivity
Field | Type | Source field name | Extra fields |
---|---|---|---|
eventdate | | | |
machine | | | |
subtype | | vsubtype | |
account_id | | | |
device_name | | | |
event_count | | | |
event_message | | | |
event_sub_type | | | |
event_type | | | |
host_ip | | | |
host_ipv4 | | | |
host_ipv6 | | | |
host_mac | | | |
internal_id | | | |
pop_name | | | |
socket_interface | | | |
src_is_site_or_vpn | | | |
src_site | | | |
src_site_name | | | |
subnet_name | | | |
time | | | |
time_str | | | |
action | | | |
ad_name | | | |
always_on_configuration | | | |
auth_method | | | |
client_version | | | |
confidence_level | | | |
connect_on_boot | | | |
destination_ip | | | |
destination_ipv4 | | | |
destination_ipv6 | | | |
device_certificate | | | |
device_posture_profile | | | |
network_access | | | |
office_mode | | | |
os_type | | | |
os_version | | | |
pac_file | | | |
rule | | | |
rule_id | | | |
rule_name | | | |
split_tunnel_configuration | | | |
source_geo_country_name | | | |
src_country_code | | | |
source_ip | | | |
source_ipv4 | | | |
source_ipv6 | | | |
trusted_networks | | | |
tunnel_ip_protocol | | | |
user_id | | | |
visible_device_id | | | |
vpn_lan_access | | | |
vpn_user_email | | | |
isp_name | | | |
client_cert_expires | | | |
client_cert_name | | | |
link_type | | | |
src_isp_ip | | | |
src_isp_ipv4 | | | |
src_isp_ipv6 | | | |
tunnel_protocol | | | |
api_name | | | |
api_type | | | |
authentication_type | | | |
key_name | | | |
login_type | | | |
username | | | |
hostchain | | | ✓ |
tag | | | ✓ |
rawMessage | | | ✓ |