sase.cato

Introduction

The tags begin with sase.cato identify events generated by Cato Networks.

The full tag must have 4 levels. The first two are fixed as sase.cato. The third level indicates the product.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service	Tags	Data tables

Product / Service	Tags	Data tables
Cato Networks	`sase.cato.security.wan_firewall`	`sase.cato.security`
	`sase.cato.security.internet_firewall`
	`sase.cato.security.rpf`
	`sase.cato.security.ips`
	`sase.cato.security.suspicious_activity`
	`sase.cato.security.tls`
	`sase.cato.security.dns_protection`
	`sase.cato.connectivity.dhcp_lease`	`sase.cato.connectivity`
	`sase.cato.connectivity.client_connectivity_policy`
	`sase.cato.connectivity.apikey`
	`sase.cato.connectivity.disconnected`
	`sase.cato.connectivity.connected`
	`sase.cato.connectivity.reconnected`
	`sase.cato.connectivity.cato_management_application`
	`sase.cato.connectivity.changed_pop`

For more information, read more About Devo tags.

These are the fields displayed in these tables:

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
subtype	`str`	vsubtype
isp_name	`str`
account_id	`str`
action	`str`
app_stack	`str`
application	`str`
categories	`str`
destination_ip	`str`
destination_ipv4	`ip4`
destination_ipv6	`ip6`
dest_is_site_or_vpn	`str`
destination_port	`str`
dest_site	`str`
dest_site_name	`str`
dest_user_id	`str`
event_count	`str`
event_sub_type	`str`
event_type	`str`
internal_id	`str`
ip_protocol	`str`
os_type	`str`
pop_name	`str`
rule	`str`
rule_id	`str`
rule_name	`str`
source_geo_country_name	`str`
src_country_code	`str`
source_ip	`str`
source_ipv4	`ip4`
source_ipv6	`ip6`
src_is_site_or_vpn	`str`
src_isp_ip	`str`
src_isp_ipv4	`ip4`
src_isp_ipv6	`ip6`
src_site	`str`
src_site_name	`str`
subnet_name	`str`
time	`str`
time_str	`timestamp`
user_id	`str`
destination_geo_country_name	`str`
dest_country_code	`str`
device_name	`str`
domain_name	`str`
http_host_name	`str`
cato_app	`str`
full_path_url	`str`
http_request_method	`str`
mitre_attack_subtechniques	`str`
mitre_attack_tactics	`str`
mitre_attack_techniques	`str`
risk_level	`str`
signature_id	`str`
source_port	`str`
threat_name	`str`
threat_reference	`str`
threat_type	`str`
traffic_direction	`str`
xff	`str`
ad_name	`str`
tls_error_description	`str`
tls_error_type	`str`
tls_version	`str`
vpn_user_email	`str`
configured_host_name	`str`
dns_protection_category	`str`
dns_query	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓

Field	Type	Source field name	Extra fields

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
machine	`str`
subtype	`str`	vsubtype
account_id	`str`
device_name	`str`
event_count	`str`
event_message	`str`
event_sub_type	`str`
event_type	`str`
host_ip	`str`
host_ipv4	`ip4`
host_ipv6	`ip6`
host_mac	`str`
internal_id	`str`
pop_name	`str`
socket_interface	`str`
src_is_site_or_vpn	`str`
src_site	`str`
src_site_name	`str`
subnet_name	`str`
time	`str`
time_str	`timestamp`
action	`str`
ad_name	`str`
always_on_configuration	`str`
auth_method	`str`
client_version	`str`
confidence_level	`str`
connect_on_boot	`str`
destination_ip	`str`
destination_ipv4	`ip4`
destination_ipv6	`ip6`
device_certificate	`str`
device_posture_profile	`str`
network_access	`str`
office_mode	`str`
os_type	`str`
os_version	`str`
pac_file	`str`
rule	`str`
rule_id	`str`
rule_name	`str`
split_tunnel_configuration	`str`
source_geo_country_name	`str`
src_country_code	`str`
source_ip	`str`
source_ipv4	`ip4`
source_ipv6	`ip6`
trusted_networks	`str`
tunnel_ip_protocol	`str`
user_id	`str`
visible_device_id	`str`
vpn_lan_access	`str`
vpn_user_email	`str`
isp_name	`str`
client_cert_expires	`str`
client_cert_name	`str`
link_type	`str`
src_isp_ip	`str`
src_isp_ipv4	`ip4`
src_isp_ipv6	`ip6`
tunnel_protocol	`str`
api_name	`str`
api_type	`str`
authentication_type	`str`
key_name	`str`
login_type	`str`
username	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓