Cato Networks GraphQL API Reference
Reference documentation for Cato GraphQL API
Terms of Service
https://support.catonetworks.com/hc/en-us/articles/360014905938-Support-Policy-for-the-Cato-API
API Endpoints
https://api.catonetworks.com/api/v1/graphql2
Further readings
Find detailed examples here: https://support.catonetworks.com/hc/en-us/sections/360004049057-Cato-API
GraphQL Introspection Query
Use the GraphQL Introspection system to learn more about queries and types with the Cato API schema.
For more information, see the GraphQL Documentation.
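The reference below assumes you can already send an authenticated GraphQL request and read the result. The following added example (not Cato's client code) shows the minimum a practitioner needs: a POST to the endpoint above, explicit handling of the "errors" array (GraphQL returns HTTP 200 even for failed operations), and an introspection query that rebuilds argument types such as [String!]! from the nested ofType chain. One assumption is not stated on this page: that authentication is an API key sent in the x-api-key request header, as Cato's API support articles (linked under Further readings) describe.

```python
"""Minimal Cato GraphQL client plus an introspection helper.

Added example, not Cato's client code. Assumption not stated on this page:
authentication is an API key sent in the 'x-api-key' request header, as the
Cato API support articles describe. Only post_graphql() touches the network;
the other functions are pure and can be exercised offline.
"""
import json
import urllib.request

ENDPOINT = "https://api.catonetworks.com/api/v1/graphql2"

# Standard introspection of one named type (__type / fields / args / ofType,
# as defined by the GraphQL specification). The nested ofType fragment is
# what lets us rebuild wrapper types such as [String!]!.
TYPE_QUERY = """
query TypeInfo($name: String!) {
  __type(name: $name) {
    name
    kind
    fields {
      name
      args { name type { ...TypeRef } }
      type { ...TypeRef }
    }
  }
}
fragment TypeRef on __Type {
  kind name
  ofType { kind name ofType { kind name ofType { kind name } } }
}
"""


class GraphQLError(RuntimeError):
    """Raised when a response carries an 'errors' array."""


def build_request(query, variables, api_key, endpoint=ENDPOINT):
    body = json.dumps({"query": query, "variables": variables}).encode()
    headers = {"Content-Type": "application/json", "x-api-key": api_key}
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def parse_response(payload):
    """Return payload['data'], or raise so a failed field never passes silently.

    GraphQL answers HTTP 200 even when an operation fails; the failure shows up
    only in the 'errors' array, so every caller must check it explicitly.
    """
    errors = payload.get("errors")
    if errors:
        raise GraphQLError("; ".join(e.get("message", "?") for e in errors))
    if "data" not in payload:
        raise GraphQLError("response carries neither 'data' nor 'errors'")
    return payload["data"]


def post_graphql(query, variables, api_key, endpoint=ENDPOINT, timeout=30):
    req = build_request(query, variables, api_key, endpoint)
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # network I/O
        return parse_response(json.load(resp))


def render_type(ref):
    """Rebuild SDL notation from an introspection type reference, e.g. [String!]!"""
    kind = ref["kind"]
    if kind == "NON_NULL":
        return render_type(ref["ofType"]) + "!"
    if kind == "LIST":
        return "[" + render_type(ref["ofType"]) + "]"
    return ref["name"]


def describe_fields(type_info):
    """Map each field of an introspected type to its SDL signature."""
    out = {}
    for field in type_info.get("fields") or []:
        args = ", ".join(f"{a['name']}: {render_type(a['type'])}"
                         for a in field.get("args") or [])
        head = f"{field['name']}({args})" if args else field["name"]
        out[field["name"]] = f"{head}: {render_type(field['type'])}"
    return out


def introspect_type(name, api_key):
    """Live call: describe every field of a schema type, e.g. 'Query'."""
    data = post_graphql(TYPE_QUERY, {"name": name}, api_key)
    if data.get("__type") is None:
        raise GraphQLError(f"no type named {name!r} in the schema")
    return describe_fields(data["__type"])
```

Calling introspect_type("Query", api_key) lists every top-level query on this page with its argument types, which is the quickest way to confirm that a field you read here still exists in the current schema. Keep the API key out of the query string and out of logs; it is sent only in the request header.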
Queries
accountBySubdomain
Response
Returns [AccountDataPayload!]
Arguments
Name | Description |
---|---|
accountID - ID! | |
subdomains - [String!]! | A list of the required subdomains |
Example
Query
query accountBySubdomain($accountID:ID!, $subdomains:[String!]!) {
accountBySubdomain(accountID:$accountID, subdomains:$subdomains) {
id
subdomain
}
}
Variables
{"accountID": "123", "subdomains": ["company"]}
Response
{"data": {"accountBySubdomain": [{"id": "123", "subdomain": "company"}]}}
accountMetrics
Description
The accountMetrics query helps you analyze the state and quality of the connections of sites and SDP users to the Cato Cloud. The data covers the traffic inside the DTLS tunnel between the site and the Cato Cloud. accountMetrics returns historical metrics, statistics, and analytics for the account.
Response
Returns an AccountMetrics
Arguments
Name | Description |
---|---|
accountID - ID | Unique identifier of the account. |
timeFrame - TimeFrame! | The time frame for the data that the query returns. The value is a string in the format type.timevalue, for example utc.2023-02-{28/00:00:00--28/23:59:59} for an absolute UTC range. This argument is mandatory. |
groupInterfaces - Boolean | When true, the data for all the interfaces is aggregated into a single interface. |
groupDevices - Boolean | When true, the analytics for all the Sockets (usually two in high availability) are aggregated into one result. For the best results with aggregated Sockets, use consistent names and functionality (for example, Destination) for the links on both Sockets. Note: this argument is mandatory for queries of multiple sites, and true is its only valid value. |
Example
Query
query accountMetrics(
$accountID:ID!,
$timeFrame:TimeFrame!,
$groupInterfaces: Boolean,
$groupDevices: Boolean,
$siteIDs: [ID!]
) {
accountMetrics(
accountID:$accountID,
timeFrame: $timeFrame,
groupInterfaces: $groupInterfaces,
groupDevices: $groupDevices
) {
id
from
to
sites(siteIDs:$siteIDs) {
id
metrics {
bytesUpstream
bytesDownstream
}
interfaces {
name
metrics {
bytesUpstream
bytesDownstream
}
}
}
}
}
Variables
{
"accountID": "123",
"timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
"groupInterfaces": false,
"groupDevices": true,
"siteIDs": ["456", "789"]
}
Response
{
"data": {
"accountMetrics": {
"id": "123",
"from": "2023-02-28T00:00:00Z",
"to": "2023-02-28T23:59:59Z",
"sites": [
{
"id": "456",
"metrics": {"bytesUpstream": 122324400, "bytesDownstream": 8354720},
"interfaces": [
{
"name": "WAN 01",
"metrics": {
"bytesUpstream": 122324400,
"bytesDownstream": 8354720
}
}
]
},
{
"id": "789",
"metrics": {"bytesUpstream": 100254955, "bytesDownstream": 3907080},
"interfaces": [
{
"name": "WAN 01",
"metrics": {
"bytesUpstream": 100254955,
"bytesDownstream": 3907080
}
}
]
}
]
}
}
}
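Every time-bounded query on this page takes a TimeFrame string, and a malformed one only fails once the request reaches the server. The following added example (not Cato's code) builds and validates the two shapes the page shows: the absolute utc.2023-02-{28/00:00:00--28/23:59:59} form used above, and the trailing last.P14D form that appears in the XDR stories filter later on this page. The cross-month and cross-year layouts it produces, where the shared year (and month) prefix moves inside the braces, are an assumption that extends the single same-month example on this page; confirm them against the schema documentation before relying on them.

```python
"""Build and validate Cato TimeFrame argument strings.

Added example, not Cato's code. The page shows two value shapes:
  utc.2023-02-{28/00:00:00--28/23:59:59}   absolute UTC range (accountMetrics)
  last.P14D                                 trailing period (XDR story filter)
Assumption: for ranges that cross a month or a year boundary the shared
prefix moves inside the braces (utc.2023-{02/28/...--03/01/...} and
utc.{2022/12/31/...--2023/01/01/...}); only the same-month form appears on
this page, so check the schema documentation before relying on the others.
"""
import re
from datetime import datetime, timedelta, timezone

# Layouts: (strftime format of the prefix kept outside the braces,
#           strftime format of each endpoint inside the braces)
_LAYOUTS = (("%Y-%m-", "%d/%H:%M:%S"),        # same month: form shown on the page
            ("%Y-", "%m/%d/%H:%M:%S"),         # same year, different month (assumed)
            ("", "%Y/%m/%d/%H:%M:%S"))         # different years (assumed)
_UTC_RE = re.compile(r"^utc\.(?P<prefix>\d{4}-\d{2}-|\d{4}-|)\{(?P<a>[^-{}]+)--(?P<b>[^-{}]+)\}$")


def _as_utc(dt):
    """Naive datetimes are taken as already in UTC; aware ones are converted."""
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)


def utc_timeframe(start, end):
    """Return 'utc.<shared prefix>{<start>--<end>}' for an absolute range."""
    start, end = _as_utc(start), _as_utc(end)
    if end <= start:
        raise ValueError("end must be after start")
    if (start.year, start.month) == (end.year, end.month):
        prefix, body = _LAYOUTS[0]
    elif start.year == end.year:
        prefix, body = _LAYOUTS[1]
    else:
        prefix, body = _LAYOUTS[2]
    return f"utc.{start.strftime(prefix)}{{{start.strftime(body)}--{end.strftime(body)}}}"


def last_timeframe(days=0, hours=0, minutes=0, seconds=0):
    """Return 'last.<ISO 8601 duration>', e.g. last.P14D or last.PT15M."""
    delta = timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)
    if delta <= timedelta(0):
        raise ValueError("period must be positive")
    h, rem = divmod(delta.seconds, 3600)
    m, s = divmod(rem, 60)
    out = "P" + (f"{delta.days}D" if delta.days else "")
    if delta.seconds:
        out += "T" + "".join(f"{n}{u}" for n, u in ((h, "H"), (m, "M"), (s, "S")) if n)
    return "last." + out


def parse_utc_timeframe(value):
    """Inverse of utc_timeframe(); returns (start, end) as aware UTC datetimes.

    Use it to validate a TimeFrame string before sending it, so a malformed
    value fails locally instead of as a server-side error.
    """
    m = _UTC_RE.match(value)
    if not m:
        raise ValueError(f"not a utc.* TimeFrame: {value!r}")
    prefix = m.group("prefix")
    # The prefix length tells us which layout was used.
    pfmt, bfmt = {8: _LAYOUTS[0], 5: _LAYOUTS[1], 0: _LAYOUTS[2]}[len(prefix)]

    def conv(text):
        return datetime.strptime(prefix + text, pfmt + bfmt).replace(tzinfo=timezone.utc)

    start, end = conv(m.group("a")), conv(m.group("b"))
    if end <= start:
        raise ValueError("end must be after start")
    return start, end


if __name__ == "__main__":
    print(utc_timeframe(datetime(2023, 2, 28), datetime(2023, 2, 28, 23, 59, 59)))
    print(last_timeframe(days=14))
```

Note that the from and to values in the responses on this page come back as RFC 3339 timestamps (2023-02-28T00:00:00Z), not in the TimeFrame notation, so compare them with the datetimes returned by parse_utc_timeframe rather than with the request string.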
accountRoles
Response
Returns an AccountRolesResult!
Arguments
Name | Description |
---|---|
accountID - ID! | |
accountType - AccountType | |
Example
Query
query accountRoles($accountID:ID!){
accountRoles(accountID: $accountID) {
items {
name
isPredefined
}
total
}
}
Variables
{"accountID": "123"}
Response
{
"data": {
"accountRoles": {
"items": [
{"name": "Editor", "isPredefined": true},
{"name": "Viewer", "isPredefined": true},
{"name": "Network admin", "isPredefined": true},
{"name": "Security Admin", "isPredefined": true},
{"name": "Access Admin", "isPredefined": true}
],
"total": 5
}
}
}
accountSnapshot
Description
Current snapshot-based metrics that show near real‑time data for the account. Provides analytics that are similar to the Topology page for the account.
Response
Returns an AccountSnapshot
Arguments
Name | Description |
---|---|
accountID - ID | Unique identifier of the account. |
Example
Query
query accountSnapshot($accountID:ID!) {
accountSnapshot(accountID:$accountID) {
sites {
connectivityStatus
haStatus{
readiness
wanConnectivity
keepalive
socketVersion
}
operationalStatus
lastConnected
connectedSince
devices {
connected
version
}
}
users {
connectivityStatus
connectedInOffice
name
deviceName
}
timestamp
}
}
Variables
{"accountID": "123"}
Response
{
"data": {
"accountSnapshot": {
"sites": [
{
"connectivityStatus": "connected",
"haStatus": {
"readiness": "ready",
"wanConnectivity": "ok",
"keepalive": "ok",
"socketVersion": "ok"
},
"operationalStatus": "active",
"lastConnected": "2023-02-28T13:21:05Z",
"connectedSince": "2023-02-27T15:10:06Z",
"devices": [
{"connected": true, "version": "17.0.16303"},
{"connected": true, "version": "17.0.16303"}
]
},
{
"connectivityStatus": "disconnected",
"haStatus": null,
"operationalStatus": "active",
"lastConnected": "2020-03-11T13:43:40Z",
"connectedSince": null,
"devices": [{"connected": false, "version": ""}]
}
],
"users": [
{
"connectivityStatus": "connected",
"connectedInOffice": false,
"name": "Employee Domywork",
"deviceName": "Employee’s MacBook Pro"
},
{
"connectivityStatus": "connected",
"connectedInOffice": false,
"name": "Alice Bobs",
"deviceName": "Alice’s MacBook Pro"
}
],
"timestamp": "2023-02-28T13:22:21Z"
}
}
}
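The snapshot above is what a monitoring job would poll. The following added example (not part of the Cato documentation) turns one accountSnapshot response into a short list of findings: a site that is not connected, an HA pair whose readiness, WAN connectivity, keepalive or Socket version is not healthy, a Socket that is down, and a version mismatch between the two Sockets of a pair. It reads only the fields the query above selects (add id to the sites selection and it is used as the label); the severities and the checks themselves are this example's own choices, and SAMPLE_SNAPSHOT is a constructed copy of the example response.

```python
"""Health checks over an accountSnapshot response.

Added example, not part of the Cato documentation. It reads only the fields
that the accountSnapshot query above selects (add 'id' to the sites selection
and it will be used as the label). The severities and the checks themselves
are this example's own choices. SAMPLE_SNAPSHOT is a constructed copy of the
page's example response.
"""
SAMPLE_SNAPSHOT = {
    "sites": [
        {
            "connectivityStatus": "connected",
            "haStatus": {"readiness": "ready", "wanConnectivity": "ok",
                         "keepalive": "ok", "socketVersion": "ok"},
            "operationalStatus": "active",
            "lastConnected": "2023-02-28T13:21:05Z",
            "connectedSince": "2023-02-27T15:10:06Z",
            "devices": [{"connected": True, "version": "17.0.16303"},
                        {"connected": True, "version": "17.0.16303"}],
        },
        {
            "connectivityStatus": "disconnected",
            "haStatus": None,
            "operationalStatus": "active",
            "lastConnected": "2020-03-11T13:43:40Z",
            "connectedSince": None,
            "devices": [{"connected": False, "version": ""}],
        },
    ],
    "users": [
        {"connectivityStatus": "connected", "connectedInOffice": False,
         "name": "Employee Domywork", "deviceName": "Employee's MacBook Pro"},
        {"connectivityStatus": "connected", "connectedInOffice": False,
         "name": "Alice Bobs", "deviceName": "Alice's MacBook Pro"},
    ],
    "timestamp": "2023-02-28T13:22:21Z",
}

# Healthy value of each haStatus sub-field, taken from the example response.
_HA_HEALTHY = (("readiness", "ready"), ("wanConnectivity", "ok"),
               ("keepalive", "ok"), ("socketVersion", "ok"))


def site_findings(site, label):
    """Return (severity, message) tuples for one site; an empty list means healthy."""
    findings = []
    status = site.get("connectivityStatus")
    if status != "connected":
        findings.append(("critical", f"{label}: {status}, last connected {site.get('lastConnected')}"))
        return findings  # HA and Socket state carry no information while the site is offline
    if site.get("operationalStatus") != "active":
        findings.append(("info", f"{label}: operationalStatus={site.get('operationalStatus')}"))
    ha = site.get("haStatus")
    if ha:
        for key, healthy in _HA_HEALTHY:
            if ha.get(key) != healthy:
                findings.append(("warning", f"{label}: HA {key}={ha.get(key)!r}"))
    devices = site.get("devices") or []
    down = [d for d in devices if not d.get("connected")]
    if down:
        findings.append(("warning", f"{label}: {len(down)} of {len(devices)} Sockets disconnected"))
    versions = sorted({d.get("version") for d in devices if d.get("connected")})
    if len(versions) > 1:
        findings.append(("warning", f"{label}: Socket version mismatch {versions}"))
    return findings


def snapshot_report(snapshot):
    """Summarise a whole snapshot: counts plus the findings that need attention."""
    sites = snapshot.get("sites") or []
    users = snapshot.get("users") or []
    findings = []
    for i, site in enumerate(sites):
        findings.extend(site_findings(site, site.get("id") or f"site#{i}"))
    connected_users = [u for u in users if u.get("connectivityStatus") == "connected"]
    return {
        "timestamp": snapshot.get("timestamp"),
        "sites_total": len(sites),
        "sites_connected": sum(1 for s in sites if s.get("connectivityStatus") == "connected"),
        "users_connected": len(connected_users),
        "users_remote": sum(1 for u in connected_users if not u.get("connectedInOffice")),
        "findings": findings,
    }


if __name__ == "__main__":
    for severity, message in snapshot_report(SAMPLE_SNAPSHOT)["findings"]:
        print(f"[{severity}] {message}")
```

Run against the sample, the report flags only the second site (disconnected since 2020) and stays quiet about the healthy HA pair; a real job would compare consecutive snapshots and alert on transitions rather than re-alerting on every poll.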
admin
Response
Returns a GetAdminPayload
Example
Query
query admin($accountId:ID!, $adminID:ID!) {
admin(accountId:$accountId, adminID:$adminID) {
id
firstName
lastName
email
creationDate
mfaEnabled
managedRoles {
role {
name
}
}
}
}
Variables
{"accountId": "123", "adminID": "456"}
Response
{
"data": {
"admin": {
"id": "456",
"firstName": "Name",
"lastName": "Surname",
"email": "name.surname@company.org",
"creationDate": "Dec 27, 2020 9:30:34 AM",
"mfaEnabled": false,
"managedRoles": [{"role": {"name": "Viewer"}}]
}
}
}
admins
Response
Returns an AdminsResult
Example
Query
query admins($accountId:ID!, $limit: Int) {
admins(accountID:$accountId, limit: $limit) {
items {
id
email
managedRoles {
role {
name
}
}
}
total
}
}
Variables
{"accountId": "123", "limit": 2}
Response
{
"data": {
"admins": {
"items": [
{
"id": "1",
"email": "editor@company.org",
"managedRoles": [{"role": {"name": "Editor"}}]
},
{
"id": "2",
"email": "viewer@company.org",
"managedRoles": [{"role": {"name": "Viewer"}}]
}
],
"total": 3
}
}
}
appStats
Description
BETA
Response
Returns an AppStats
Arguments
Name | Description |
---|---|
accountID - ID! | Account ID |
timeFrame - TimeFrame! | |
measures - [Measure] | |
dimensions - [Dimension] | |
filters - [AppStatsFilter!] | |
sort - [AppStatsSort!] | |
Example
Query
query appStats(
$accountID:ID!,
$timeFrame:TimeFrame!,
$measures: [Measure],
$dimensions:[Dimension],
$sort:[AppStatsSort!],
$limit:Int,
$from:Int,
) {
appStats(
accountID: $accountID,
timeFrame: $timeFrame,
measures: $measures,
dimensions:$dimensions,
sort:$sort,
) {
from
to
records(limit:$limit, from:$from){
fieldsMap
fieldsUnitTypes
}
}
}
Variables
{
"accountID": "123",
"timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
"dimensions": [{"fieldName": "app"}],
"sort": [{"fieldName": "traffic", "order": "desc"}],
"measures": [
{"fieldName": "traffic", "aggType": "sum"},
{"fieldName": "application", "aggType": "any"}
],
"limit": 5,
"from": 0
}
Response
{
"data": {
"appStats": {
"from": "2023-02-28T00:00:00Z",
"to": "2023-03-01T00:00:00Z",
"records": [
{
"fieldsMap": {
"app": "zoom",
"application": "Zoom",
"traffic": "95138282696"
},
"fieldsUnitTypes": ["none", "none", "bytes"]
},
{
"fieldsMap": {
"app": "udp",
"application": "UDP",
"traffic": "45401221439"
},
"fieldsUnitTypes": ["none", "none", "bytes"]
},
{
"fieldsMap": {
"app": "Tech",
"application": "Technological apps",
"traffic": "13982474567"
},
"fieldsUnitTypes": ["none", "none", "bytes"]
},
{
"fieldsMap": {
"app": "AppleSoftwareupdate",
"application": "Apple software update",
"traffic": "11624258191"
},
"fieldsUnitTypes": ["none", "none", "bytes"]
}
]
}
}
}
appStatsTimeSeries
Description
BETA
Response
Returns an AppStatsTimeSeries
Arguments
Name | Description |
---|---|
accountID - ID! | Account ID |
timeFrame - TimeFrame! | |
measures - [Measure] | |
dimensions - [Dimension] | |
filters - [AppStatsFilter!] | |
Example
Query
query appStatsTimeSeries(
$accountID:ID!,
$timeFrame:TimeFrame!,
$measures: [Measure],
$buckets:Int!
) {
appStatsTimeSeries(
accountID:$accountID,
timeFrame:$timeFrame,
measures: $measures
) {
from
to
granularity
timeseries(buckets:$buckets) {
label
data
key {
measureFieldName
}
}
}
}
Variables
{
"accountID": "123",
"timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
"measures": [
{"fieldName": "upstream", "aggType": "sum"},
{"fieldName": "downstream", "aggType": "sum"}
],
"buckets": 5
}
Response
{
"data": {
"appStatsTimeSeries": {
"from": "2023-02-28T00:00:00Z",
"to": "2023-03-01T00:00:00Z",
"granularity": 14400,
"timeseries": [
{
"label": "sum(upstream)",
"data": [
[1677542400000, 77192],
[1677556800000, 742410],
[1677571200000, 5335372],
[1677585600000, 2239509],
[1677600000000, 0],
[1677614400000, 0]
],
"key": {"measureFieldName": "upstream"}
},
{
"label": "sum(downstream)",
"data": [
[1677542400000, 209763],
[1677556800000, 1713925],
[1677571200000, 7719290],
[1677585600000, 2573650],
[1677600000000, 0],
[1677614400000, 0]
],
"key": {"measureFieldName": "downstream"}
}
]
}
}
}
auditFeed
Description
Audit Feed for account changes
Response
Returns an AuditFeed
Arguments
Name | Description |
---|---|
accountIDs - [ID!] | List of unique account identifiers. |
timeFrame - TimeFrame! | |
filters - [AuditFieldFilterInput!] | |
marker - String | Marker from which to continue returning results. |
Example
Query
query auditFeed($accountID:ID!, $timeFrame: TimeFrame!){
auditFeed(accountIDs:[$accountID], timeFrame:$timeFrame) {
from
to
fetchedCount
accounts {
id
records{
admin {
name
}
object {
name
}
time
fields {
name
value {
... on Entity {
name
id
type
}
... on StringValue {
string
}
... on DateValue {
date
}
}
}
}
}
}
}
Variables
{"accountID": "123", "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}"}
Response
{
"data": {
"auditFeed": {
"from": "2023-02-28T00:00:00Z",
"to": "2023-02-28T23:59:59Z",
"fetchedCount": 1,
"accounts": [
{
"id": "123",
"records": [
{
"time": "2023-02-28T08:48:21Z",
"fields": [
{
"name": "admin",
"value": {
"name": "admin@company.org",
"id": "456",
"type": "admin"
}
},
{
"name": "change.Before.description",
"value": {"string": "Description before change"}
},
{
"name": "change.After.description",
"value": {"string": "Description after change"}
},
{"name": "model_name", "value": {"string": "Site name"}},
{"name": "module", "value": {"string": "Configuration"}},
{"name": "change_type", "value": {"string": "MODIFIED"}},
{"name": "creation_date", "value": {"string": "1677574090000"}},
{"name": "model_type", "value": {"string": "Site"}},
{"name": "admin_id", "value": {"string": "456"}},
{
"name": "insertion_date",
"value": {"date": "2023-02-28T08:48:21Z"}
},
{"name": "account_id", "value": {"string": "123"}}
]
}
]
}
]
}
}
}
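Each audit record above is a list of name/value pairs whose value is one of three union members (Entity, StringValue, DateValue), with the before and after state of a changed attribute split across two field names. The following added example (not Cato's code) flattens such a record into one event per change, pairs the change.Before.* and change.After.* values by attribute, converts the epoch-millisecond creation_date to RFC 3339, and renders a one-line summary of who changed what. The field names and value shapes follow the example response above; SAMPLE_RECORD is a constructed copy of the record in that response.

```python
"""Flatten auditFeed records into one event per change, for SIEM ingestion.

Added example, not Cato's code. Each record's 'fields' list carries values
in the union shape the auditFeed query above selects (Entity, StringValue or
DateValue); the 'change.Before.<attr>' / 'change.After.<attr>' field names
and the epoch-millisecond creation_date follow the example response above.
SAMPLE_RECORD is a constructed copy of the record in that response.
"""
from datetime import datetime, timezone

SAMPLE_RECORD = {
    "time": "2023-02-28T08:48:21Z",
    "fields": [
        {"name": "admin", "value": {"name": "admin@company.org", "id": "456", "type": "admin"}},
        {"name": "change.Before.description", "value": {"string": "Description before change"}},
        {"name": "change.After.description", "value": {"string": "Description after change"}},
        {"name": "model_name", "value": {"string": "Site name"}},
        {"name": "module", "value": {"string": "Configuration"}},
        {"name": "change_type", "value": {"string": "MODIFIED"}},
        {"name": "creation_date", "value": {"string": "1677574090000"}},
        {"name": "model_type", "value": {"string": "Site"}},
        {"name": "admin_id", "value": {"string": "456"}},
        {"name": "insertion_date", "value": {"date": "2023-02-28T08:48:21Z"}},
        {"name": "account_id", "value": {"string": "123"}},
    ],
}

_BEFORE, _AFTER = "change.Before.", "change.After."


def _scalar(value):
    """Reduce a union-typed 'value' object to a plain Python value."""
    if value is None:
        return None
    if "string" in value:            # StringValue
        return value["string"]
    if "date" in value:              # DateValue
        return value["date"]
    if "id" in value:                # Entity
        return {"id": value["id"], "name": value.get("name"), "type": value.get("type")}
    return value                     # unknown member: keep rather than drop


def _epoch_millis_to_iso(text):
    return datetime.fromtimestamp(int(text) / 1000, tz=timezone.utc).isoformat()


def flatten_audit_record(record):
    """One flat dict per record, with before/after values paired by attribute."""
    flat = {"time": record.get("time")}
    before, after = {}, {}
    for field in record.get("fields") or []:
        name, value = field["name"], _scalar(field.get("value"))
        if name.startswith(_BEFORE):
            before[name[len(_BEFORE):]] = value
        elif name.startswith(_AFTER):
            after[name[len(_AFTER):]] = value
        else:
            flat[name] = value
    flat["changes"] = {attr: {"before": before.get(attr), "after": after.get(attr)}
                       for attr in sorted(set(before) | set(after))}
    created = flat.get("creation_date")
    if isinstance(created, str) and created.isdigit():
        flat["creation_date"] = _epoch_millis_to_iso(created)
    return flat


def describe_change(flat):
    """Human-readable one-liner, e.g. for an alert or a ticket comment."""
    admin = flat.get("admin")
    who = admin.get("name") if isinstance(admin, dict) else admin
    diffs = ", ".join(f"{k}: {v['before']!r} -> {v['after']!r}"
                      for k, v in flat["changes"].items())
    return (f"{flat.get('time')} {who} {flat.get('change_type')} "
            f"{flat.get('model_type')} {flat.get('model_name')!r}"
            + (f" ({diffs})" if diffs else ""))


if __name__ == "__main__":
    print(describe_change(flatten_audit_record(SAMPLE_RECORD)))
```

Keeping admin (the Entity, with its id) separate from admin_id (the string) is deliberate: if a future record carries a new union member the fallback branch preserves it instead of silently dropping an attribution field.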
entityLookup
Description
Look up entities of a specific type, optionally filtered and paged
Response
Returns an EntityLookupResult!
Arguments
Name | Description |
---|---|
accountID - ID! | The account ID (or 0 for non-authenticated requests) |
type - EntityType! | Type of entity to look up |
limit - Int | Maximum number of items to retrieve. Default = 50 |
from - Int | Offset of the first item to return (for paging). Default = 0 |
parent - EntityInput | Return only items under a parent entity (a site, VPN user, and so on); for example, to filter for the networks that belong to a specific site |
search - String | Additional search parameters for the lookup. Available options: for a country lookup, "removeExcluded" returns only the allowed countries; for a countryState lookup, a country code ("US", "CN", and so on) returns that country's states. Default = "" |
entityIDs - [ID!] | Return only the entities with the listed IDs. This option is not universally available and may not apply to specific entity types; using it on a non-applicable entity type generates an error. |
sort - [SortInput] | Additional sort criteria for the lookup. This option is not universally available and may not apply to specific entity types. |
filters - [LookupFilterInput] | Custom filters for entityLookup |
helperFields - [String!] | Additional helper fields |
Example
Query
query entityLookup($accountID:ID!, $limit:Int, $type:EntityType!) {
entityLookup(accountID: $accountID, type:$type, limit: $limit) {
items {
entity{
id
name
}
}
total
}
}
Variables
{"accountID": "123", "limit": 2, "type": "site"}
Response
{
"data": {
"entityLookup": {
"items": [
{"entity": {"id": "45040", "name": "azure_test"}},
{"entity": {"id": "75791", "name": "esx_test"}}
],
"total": 5
}
}
}
events
Description
BETA
Response
Returns an Events
Arguments
Name | Description |
---|---|
accountID - ID! | Account ID |
timeFrame - TimeFrame! | |
measures - [EventsMeasure] | |
dimensions - [EventsDimension] | |
filters - [EventsFilter!] | |
sort - [EventsSort!] | |
Example
Query
query events($accountID:ID!, $timeFrame:TimeFrame!) {
events(accountID: $accountID, timeFrame:$timeFrame, measures: {fieldName: event_count, aggType: sum}) {
records {
flatFields
fieldsMap
}
}
}
Variables
{"accountID": "123", "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}"}
Response
{
"data": {
"events": {
"records": [
{
"flatFields": [["event_count", "2"]],
"fieldsMap": {"event_count": "2"}
}
]
}
}
}
eventsFeed
Description
Event feed for events, paged by a marker that encodes the topic partition offsets
Response
Returns an EventsFeedData
Arguments
Name | Description |
---|---|
accountIDs - [ID!] | List of unique account identifiers. |
filters - [EventFeedFieldFilterInput!] | |
marker - String | Marker from which to continue returning results; pass the marker returned by the previous call to fetch the next page. |
Example
Query
query eventsFeed(
$accountIDs: [ID!],
$filters: [EventFeedFieldFilterInput!]
) {
eventsFeed(
accountIDs: $accountIDs,
filters: $filters,
) {
marker
fetchedCount
accounts {
id
errorString
records {
fieldsMap
}
}
}
}
Variables
{
"accountIDs": [123],
"filters": [
{
"fieldName": "event_type",
"operator": "is_not",
"values": ["Sockets Management"]
},
{
"fieldName": "event_sub_type",
"operator": "is",
"values": ["Disconnected"]
}
]
}
Response
{
"data": {
"eventsFeed": {
"marker": "W3siVG9waWMiOiIxODIiLCJQYXJ0aXRpb24iOjAsIk9mZnNldCI6MzIxNTM4fV0=",
"fetchedCount": 1,
"accounts": [
{
"id": "123",
"errorString": "",
"records": [
{
"fieldsMap": {
"ISP_name": "IP Addresses Are Assigned Statically",
"account_id": "123",
"client_version": "8.0.4127",
"event_count": "1",
"event_sub_type": "Disconnected",
"event_type": "Connectivity",
"internalId": "7r0c7xUYIf",
"link_type": "Cato",
"pop_name": "Amsterdam",
"socket_interface": "WAN1",
"src_country": "Israel",
"src_country_code": "IL",
"src_is_site_or_vpn": "Site",
"src_isp_ip": "1.2.3.4",
"src_site": "native-range",
"time": "1677170467000",
"tunnel_protocol": "DTLS"
}
}
]
}
]
}
}
}
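The feed above is consumed incrementally: each response carries a marker, and the next call passes it back so the server resumes from the recorded partition offsets. The following added example (not Cato's code) implements that loop, stops when a page comes back with fetchedCount 0, surfaces the per-account errorString instead of ignoring it, and decodes the page's example marker to show that it is base64-encoded JSON of {Topic, Partition, Offset} entries. The fetch function is injected so the loop runs here against constructed pages; in production it would POST EVENTS_FEED_QUERY to the endpoint. The polling cadence and the page bound are this example's own choices.

```python
"""Consume eventsFeed incrementally with the marker, demonstrated offline.

Added example, not Cato's code. The marker in each response is passed back as
the 'marker' argument of the next call; this follows the description above
("paged by a topic partitions offsets marker") and the argument table. The
fetch function is injected so the loop runs here against constructed pages;
in production it would POST EVENTS_FEED_QUERY to the endpoint.
"""
import base64
import json

EVENTS_FEED_QUERY = """
query eventsFeed($accountIDs: [ID!], $filters: [EventFeedFieldFilterInput!], $marker: String) {
  eventsFeed(accountIDs: $accountIDs, filters: $filters, marker: $marker) {
    marker
    fetchedCount
    accounts { id errorString records { fieldsMap } }
  }
}
"""

# Filters from the page's example: Disconnected events, excluding Socket management.
DISCONNECT_FILTERS = [
    {"fieldName": "event_type", "operator": "is_not", "values": ["Sockets Management"]},
    {"fieldName": "event_sub_type", "operator": "is", "values": ["Disconnected"]},
]

# Marker from the page's example response. It is base64 of a JSON array of
# {Topic, Partition, Offset}; decoding is useful for diagnostics, but treat
# the value as opaque and never hand-craft one to skip or replay events.
PAGE_MARKER = "W3siVG9waWMiOiIxODIiLCJQYXJ0aXRpb24iOjAsIk9mZnNldCI6MzIxNTM4fV0="

# Constructed copy of the record in the example response above.
PAGE_RECORD = {
    "ISP_name": "IP Addresses Are Assigned Statically", "account_id": "123",
    "client_version": "8.0.4127", "event_count": "1",
    "event_sub_type": "Disconnected", "event_type": "Connectivity",
    "internalId": "7r0c7xUYIf", "link_type": "Cato", "pop_name": "Amsterdam",
    "socket_interface": "WAN1", "src_country": "Israel", "src_country_code": "IL",
    "src_is_site_or_vpn": "Site", "src_isp_ip": "1.2.3.4", "src_site": "native-range",
    "time": "1677170467000", "tunnel_protocol": "DTLS",
}


def decode_marker(marker):
    """Return the list of {Topic, Partition, Offset} dicts a marker encodes."""
    return json.loads(base64.b64decode(marker))


def drain_feed(fetch, account_ids, filters=None, marker=None, max_pages=100):
    """Pull pages until fetchedCount is 0. Returns (records, next_marker).

    Persist next_marker between runs and pass it back in, so no event is
    fetched twice and none is skipped. max_pages bounds a single run.
    """
    records = []
    for _ in range(max_pages):
        variables = {"accountIDs": account_ids, "filters": filters or [], "marker": marker}
        feed = fetch(variables)["eventsFeed"]
        for account in feed.get("accounts") or []:
            if account.get("errorString"):
                raise RuntimeError(f"account {account.get('id')}: {account['errorString']}")
            records.extend(r["fieldsMap"] for r in account.get("records") or [])
        marker = feed.get("marker") or marker
        if not feed.get("fetchedCount"):
            break
    return records, marker


def _page(next_marker, fields_maps):
    return {"eventsFeed": {"marker": next_marker, "fetchedCount": len(fields_maps),
                           "accounts": [{"id": "123", "errorString": "",
                                         "records": [{"fieldsMap": f} for f in fields_maps]}]}}


# Three constructed pages keyed by the marker that requests them: two with
# data, then an empty page that signals the consumer has caught up.
FAKE_PAGES = {
    None: _page("marker-1", [PAGE_RECORD, dict(PAGE_RECORD, internalId="x1", event_sub_type="Connected")]),
    "marker-1": _page("marker-2", [dict(PAGE_RECORD, internalId="x2")]),
    "marker-2": _page("marker-2", []),
}


def fake_fetch(variables):
    """Stand-in for the GraphQL POST; serves FAKE_PAGES by marker."""
    return FAKE_PAGES[variables["marker"]]


if __name__ == "__main__":
    events, resume_marker = drain_feed(fake_fetch, ["123"], DISCONNECT_FILTERS)
    print(len(events), "events; resume from", resume_marker)
    print(decode_marker(PAGE_MARKER))
```

When a run ends with an empty page, sleep before polling again rather than spinning on the endpoint; and store the marker only after the records it covers have been durably written to your SIEM, otherwise a crash between the two steps loses events.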
eventsTimeSeries
Description
BETA
Response
Returns an EventsTimeSeries
Arguments
Name | Description |
---|---|
accountID - ID! | Account ID |
timeFrame - TimeFrame! | |
measures - [EventsMeasure] | |
dimensions - [EventsDimension] | |
filters - [EventsFilter!] | |
Example
Query
query eventsTimeSeries(
$accountID: ID!,
$filters: [EventsFilter!],
$timeFrame: TimeFrame!,
$measures: [EventsMeasure],
$buckets: Int!
) {
eventsTimeSeries(
accountID: $accountID,
filters: $filters,
timeFrame:$timeFrame,
measures: $measures
) {
id
from
to
granularity
timeseries(buckets:$buckets) {
label
data
}
}
}
Variables
{
"accountID": "4125",
"timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
"measures": [{"fieldName": "event_count", "aggType": "sum"}],
"buckets": 4
}
Response
{
"data": {
"eventsTimeSeries": {
"id": "4125",
"from": "2023-02-28T00:00:00Z",
"to": "2023-03-01T00:00:00Z",
"granularity": 21600,
"timeseries": [
{
"label": "sum(event_count)",
"data": [
[1677542400000, 5],
[1677564000000, 2],
[1677585600000, 0],
[1677607200000, 5]
]
}
]
}
}
}
subDomains
Description
The subDomains query returns the subdomain (the URL) of an account. The query supports three scenarios:
- Regular account: returns only the single subdomain of the regular account
- Reseller account: returns all subdomains, including the reseller account's own subdomain
- Reseller account: returns only the reseller account's own subdomain
Response
Returns [SubDomain!]!
Example
Query
query subDomains($accountID:ID!, $managedAccount:Boolean) {
subDomains(accountID:$accountID, managedAccount:$managedAccount) {
accountId
accountName
accountType
subdomain
}
}
Variables
{"accountID": "123", "managedAccount": true}
Response
{
"data": {
"subDomains": [
{
"accountId": "123",
"accountName": "Gamma LLC",
"accountType": "Reseller",
"subdomain": "subdomain3"
},
{
"accountId": "1235",
"accountName": "Delta Inc.",
"accountType": "Regular",
"subdomain": "subdomain4"
}
]
}
}
XDR
stories
Description
Use the paging, sort, and filter arguments to select which XDR stories the query returns
Response
Returns a StoriesData
Arguments
Name | Description |
---|---|
input - StoryInput! | |
Example
Query
query Stories($accountId: ID!, $from: Int!, $limit: Int!, $sort: [StorySortInput!], $filter: [StoryFilterInput!]!) {
xdr(accountID: $accountId) {
stories(
input: {paging: {from: $from, limit: $limit}, sort: $sort, filter: $filter}
) {
paging {
from
limit
total
__typename
}
items {
...StoryBrief
__typename
}
__typename
}
__typename
}
}
fragment StoryBrief on Story {
id
accountId
accountName
updatedAt
createdAt
analystName
incident {
__typename
id
status
lastSignal
firstSignal
producer
connectionType
indication
queryName
description
criticality
source
ticket
research
vendor
sourceIp
analystFeedback {
severity
__typename
}
... on Threat {
...ThreatIncidentBrief
__typename
}
... on ThreatPrevention {
...ThreatPreventionIncidentBrief
__typename
}
... on AnomalyStats {
...AnomalyStatsIncidentBrief
__typename
}
... on AnomalyEvents {
...AnomalyEventsIncidentBrief
__typename
}
... on NetworkIncident {
...NetworkIncidentBrief
__typename
}
... on NetworkXDRIncident {
...NetworkXDRIncidentBrief
__typename
}
}
__typename
}
fragment ThreatIncidentBrief on Threat {
__typename
site {
id
name
__typename
}
user {
id
name
__typename
}
direction
}
fragment ThreatPreventionIncidentBrief on ThreatPrevention {
__typename
site {
id
name
__typename
}
user {
id
name
__typename
}
direction
}
fragment AnomalyStatsIncidentBrief on AnomalyStats {
__typename
srcSiteId
subjectType
drillDownFilter {
name
value
__typename
}
}
fragment AnomalyEventsIncidentBrief on AnomalyEvents {
__typename
srcSiteId
subjectType
drillDownFilter {
name
value
__typename
}
}
fragment NetworkIncidentBrief on NetworkIncident {
__typename
siteId
confidence
internalSubType
resourceName
prioritySite
siteConnectionType
hostIp
availability
siteGeoLocation
eventsInternalIds
storyDuration
insights {
timestamp
insight
__typename
}
}
fragment NetworkXDRIncidentBrief on NetworkXDRIncident {
__typename
storyDuration
siteId
internalProducerId
storyType
incidentCount
siteConnectionType
siteConfigLocation
acknowledged
linkId
linkName
linkConfigPrecedence
deviceConfigHaRole
licenseRegion
licenseBandwidth
popLocation
isp
bgpConnection {
connectionName
peerIp
peerAsn
catoIp
catoAsn
__typename
}
networkIncidentTimeline {
created
validated
description
eventType
internalIncidentId
eventIds
acknowledged
networkEventSource
linkId
linkName
linkConfigPrecedence
linkStatus
linkConfigBandwidth
deviceConfigHaRole
deviceHaRoleState
popLocation
isp
bgpConnection {
connectionName
peerIp
peerAsn
catoIp
catoAsn
__typename
}
linkQualityIssue {
issueType
direction
current
threshold
__typename
}
__typename
}
}
Variables
{
"accountId": "123",
"from": 0,
"limit": 25,
"filter": [
{
"timeFrame": {"time": "last.P14D", "timeFrameModifier": "StoryUpdate"},
"producer": {
"in": [
"AnomalyEvents",
"AnomalyStats",
"ThreatHunt",
"ThreatPrevention",
"MicrosoftEndpointDefender",
"CatoEndpointAlert"
]
}
}
],
"sort": [{"fieldName": "updatedAt", "order": "desc"}]
}
Response
{
"data": {
"xdr": {
"__typename": "XDR",
"stories": {
"paging": {"from": 0, "limit": 25, "total": 5, "__typename": "Paging"},
"items": [
{
"id": "65ba47966e0c8517cf2de805",
"accountId": 123,
"accountName": "account",
"updatedAt": "2024-01-31T13:13:58Z",
"createdAt": "2024-01-31T13:13:58Z",
"analystName": "abc123",
"incident": {
"__typename": "CatoEndpoint",
"id": "29ebcff1",
"status": "PendingMoreInfo",
"lastSignal": "2024-01-18T01:48:25Z",
"firstSignal": "2024-01-18T01:48:25Z",
"producer": "CatoEndpointAlert",
"connectionType": null,
"indication": "Cato Endpoint Alert",
"queryName": null,
"description": null,
"criticality": 5,
"source": "source",
"ticket": null,
"research": false,
"vendor": "CATO",
"sourceIp": null,
"analystFeedback": {
"severity": "Medium",
"__typename": "AnalystFeedback"
}
},
"__typename": "Story"
}
]
}
}
}
}
story
Description
Specify either the storyId, or the incidentId together with the producer, to query a specific XDR story
Response
Returns a Story
Arguments
Name | Description |
---|---|
storyId - ID | |
producer - StoryProducerEnum | |
incidentId - ID | |
Example
Query
query StoryDetails($accountId: ID!, $storyId: ID!) {
xdr(accountID: $accountId) {
... on XDR {
story(storyId: $storyId) {
...StoryDetailed
__typename
}
__typename
}
__typename
}
}
fragment StoryDetailed on Story {
__typename
id
summary
updatedAt
createdAt
playbook
timeline {
...TimelineItem
__typename
}
incident {
__typename
id
status
producer
ticket
connectionType
indication
queryName
criticality
source
research
firstSignal
lastSignal
description
site {
id
name
__typename
}
user {
id
name
__typename
}
... on AnomalyStats {
...AnomalyStatsIncidentDetailed
__typename
}
... on AnomalyEvents {
...AnomalyEventsIncidentDetailed
__typename
}
... on Threat {
...ThreatIncidentDetailed
__typename
}
... on ThreatPrevention {
...ThreatPreventionIncidentDetailed
__typename
}
... on NetworkIncident {
...NetworkIncidentDetailed
__typename
}
... on NetworkXDRIncident {
...NetworkXDRIncidentDetailed
__typename
}
... on MicrosoftEndpoint {
...MicrosoftEndpointIncidentDetailed
__typename
}
... on CatoEndpoint {
...CatoEndpointIncidentDetailed
__typename
}
}
}
fragment TimelineItem on TimelineItem {
createdAt
type
descriptions
additionalInfo
analystInfo {
name
__typename
}
context
category
__typename
}
fragment AnomalyStatsIncidentDetailed on AnomalyStats {
__typename
srcSiteId
subjectType
metric {
name
value
__typename
}
drillDownFilter {
name
value
__typename
}
gaussian {
n
avg
__typename
}
mitres {
id
name
__typename
}
logonName
sourceIp
os
clientClass
deviceName
macAddress
breakdownField
predictedVerdict
predictedThreatType
similarStoriesData {
storyId
indication
threatTypeName
verdict
similarityPercentage
__typename
}
targets {
name
analysisScore
infectionSource
catoPopularity
threatFeeds
creationTime
categories
countryOfRegistration
searchHits
engines
eventData {
signatureId
eventType
threatType
threatName
severity
action
__typename
}
__typename
}
analystFeedback {
...AnalystFeedback
__typename
}
}
fragment AnalystFeedback on AnalystFeedback {
verdict
severity
threatType {
name
details
recommendedAction
__typename
}
threatClassification
additionalInfo
__typename
}
fragment AnomalyEventsIncidentDetailed on AnomalyEvents {
__typename
srcSiteId
subjectType
metric {
name
value
__typename
}
drillDownFilter {
name
value
__typename
}
gaussian {
n
avg
__typename
}
mitres {
id
name
__typename
}
logonName
sourceIp
os
clientClass
deviceName
macAddress
breakdownField
predictedVerdict
predictedThreatType
similarStoriesData {
storyId
indication
threatTypeName
verdict
similarityPercentage
__typename
}
targets {
name
analysisScore
infectionSource
catoPopularity
threatFeeds
creationTime
categories
countryOfRegistration
searchHits
engines
eventData {
signatureId
eventType
threatType
threatName
severity
action
__typename
}
__typename
}
analystFeedback {
...AnalystFeedback
__typename
}
}
fragment ThreatIncidentDetailed on Threat {
__typename
srcSiteId
flowsCardinality
storyDuration
os
deviceName
macAddress
sourceIp
logonName
direction
predictedVerdict
predictedThreatType
similarStoriesData {
storyId
indication
threatTypeName
verdict
similarityPercentage
__typename
}
queryName
events {
signatureId
eventType
threatType
threatName
severity
__typename
}
mitres {
id
name
__typename
}
timeSeries {
info
units
label
data(perSecond: false)
sum
key {
measureFieldName
dimensions {
fieldName
value
__typename
}
__typename
}
__typename
}
targets {
type
name
analysisScore
infectionSource
catoPopularity
threatFeeds
creationTime
categories
countryOfRegistration
searchHits
engines
eventData {
signatureId
eventType
threatType
threatName
severity
action
__typename
}
__typename
}
flows {
appName
clientClass
sourceIp
sourcePort
direction
createdAt
referer
userAgent
method
destinationCountry
destinationPort
destinationIp
destinationGeolocation
url
tunnelGeolocation
domain
target
httpResponseCode
dnsResponseIP
smbFileName
fileHash
ja3
__typename
}
analystFeedback {
...AnalystFeedback
__typename
}
}
fragment ThreatPreventionIncidentDetailed on ThreatPrevention {
__typename
srcSiteId
flowsCardinality
storyDuration
os
deviceName
macAddress
sourceIp
logonName
direction
predictedVerdict
predictedThreatType
similarStoriesData {
storyId
indication
threatTypeName
verdict
similarityPercentage
__typename
}
queryName
events {
signatureId
eventType
threatType
threatName
severity
__typename
}
mitres {
id
name
__typename
}
timeSeries {
info
units
label
data(perSecond: false)
sum
key {
measureFieldName
dimensions {
fieldName
value
__typename
}
__typename
}
__typename
}
targets {
type
name
analysisScore
infectionSource
catoPopularity
threatFeeds
creationTime
categories
countryOfRegistration
searchHits
engines
eventData {
signatureId
eventType
threatType
threatName
severity
action
__typename
}
__typename
}
threatPreventionsEvents {
appName
clientClass
sourceIp
sourcePort
direction
createdAt
referrer
userAgent
method
destinationCountry
destinationPort
destinationIp
destinationGeolocation
url
tunnelGeolocation
domain
target
httpResponseCode
dnsResponseIP
smbFileName
fileHash
ja3
__typename
}
analystFeedback {
...AnalystFeedback
__typename
}
}
fragment NetworkIncidentDetailed on NetworkIncident {
__typename
siteId
confidence
internalSubType
resourceName
prioritySite
siteConnectionType
hostIp
availability
siteGeoLocation
eventsInternalIds
storyDuration
insights {
timestamp
insight
__typename
}
analystFeedback {
... on AnalystFeedback {
severity
__typename
}
__typename
}
}
fragment NetworkXDRIncidentDetailed on NetworkXDRIncident {
__typename
storyDuration
storyType
occurrences
siteConnectionType
siteConfigLocation
acknowledged
description
linkId
linkName
linkConfigPrecedence
deviceConfigHaRole
licenseRegion
licenseBandwidth
pop
isp
hostIp
ruleName
bgpConnection {
connectionName
peerIp
peerAsn
catoIp
catoAsn
__typename
}
networkIncidentTimeline {
created
validated
description
eventType
incidentId
eventIds
acknowledged
networkEventSource
linkId
linkName
linkConfigPrecedence
linkStatus
linkConfigBandwidth
deviceConfigHaRole
deviceHaRoleState
pop
isp
hostIp
ruleName
tunnelResetCount
bgpConnection {
connectionName
peerIp
peerAsn
catoIp
catoAsn
__typename
}
linkQualityIssue {
issueType
direction
current
threshold
__typename
}
__typename
}
analystFeedback {
... on AnalystFeedback {
severity
__typename
}
__typename
}
}
fragment MicrosoftEndpointIncidentDetailed on MicrosoftEndpoint {
storyDuration
sourceIp
analystFeedback {
...AnalystFeedback
__typename
}
device {
deviceName
osDetails {
... on OsDetails {
...MicrosoftEndpointIncidentDeviceOsDetails
__typename
}
__typename
}
loggedOnUsers {
... on EndpointUser {
...MicrosoftEndpointIncidentDeviceLoggedOnUser
__typename
}
__typename
}
__typename
}
alerts {
... on MicrosoftDefenderEndpointAlert {
...StoryDetailsMicrosoftEndpointAlert
__typename
}
__typename
}
__typename
}
fragment MicrosoftEndpointIncidentDeviceOsDetails on OsDetails {
osType
osBuild
osVersion
__typename
}
fragment MicrosoftEndpointIncidentDeviceLoggedOnUser on EndpointUser {
... on MicrosoftEndpointUser {
...MicrosoftEndpointIncidentUserDetails
__typename
}
__typename
}
fragment MicrosoftEndpointIncidentUserDetails on MicrosoftEndpointUser {
name
domainName
__typename
}
fragment StoryDetailsMicrosoftEndpointAlert on MicrosoftDefenderEndpointAlert {
id
title
localIp
destinationIp
destinationUrl
mitreTechnique {
id
name
__typename
}
firstActivityDateTime
lastActivityDateTime
threatName
activities {
...StoryDetailsMicrosoftEndpointActivity
__typename
}
resources {
...StoryDetailsMicrosoftEndpointResource
__typename
}
... on MicrosoftDefenderEndpointAlert {
criticality
msStatus: status
__typename
}
__typename
}
fragment StoryDetailsMicrosoftEndpointActivity on MicrosoftActivity {
id
resourceId
parentResourceId
action
__typename
}
fragment StoryDetailsMicrosoftEndpointResource on MicrosoftEndpointResource {
id
remediationStatus
createdDateTime
verdict
roles
...StoryDetailsMicrosoftEndpointFileResource
...StoryDetailsMicrosoftEndpointProcessResource
...StoryDetailsMicrosoftEndpointRegistryResource
__typename
}
fragment StoryDetailsMicrosoftEndpointFileResource on MicrosoftFileResource {
detectionStatus
fileDetails {
...StoryDetailsMicrosoftEndpointFileDetails
__typename
}
__typename
}
fragment StoryDetailsMicrosoftEndpointFileDetails on FileDetails {
path
name
size
sha1
sha256
issuer
signer
__typename
}
fragment StoryDetailsMicrosoftEndpointProcessResource on MicrosoftProcessResource {
processId
processCommandLine
imageFile {
...StoryDetailsMicrosoftEndpointFileDetails
__typename
}
userAccount {
...StoryDetailsMicrosoftEndpointUserDetails
__typename
}
__typename
}
fragment StoryDetailsMicrosoftEndpointUserDetails on EndpointUser {
id
... on MicrosoftEndpointUser {
userSid
__typename
}
__typename
}
fragment StoryDetailsMicrosoftEndpointRegistryResource on MicrosoftRegistryResource {
valueName
valueType
value
key
hive
__typename
}
fragment CatoEndpointIncidentDetailed on CatoEndpoint {
storyDuration
sourceIp
analystFeedback {
...AnalystFeedback
__typename
}
device {
deviceName
macAddress
osDetails {
... on OsDetails {
...CatoEndpointIncidentDeviceOsDetails
__typename
}
__typename
}
loggedOnUsers {
... on EndpointUser {
...CatoEndpointIncidentDeviceLoggedOnUser
__typename
}
__typename
}
__typename
}
alerts {
... on CatoEndpointAlert {
...StoryDetailsCatoEndpointAlert
__typename
}
__typename
}
__typename
}
fragment CatoEndpointIncidentDeviceOsDetails on OsDetails {
osType
osBuild
osVersion
__typename
}
fragment CatoEndpointIncidentDeviceLoggedOnUser on EndpointUser {
... on CatoEndpointUser {
...CatoEndpointIncidentUserDetails
__typename
}
__typename
}
fragment CatoEndpointIncidentUserDetails on CatoEndpointUser {
name
__typename
}
fragment StoryDetailsCatoEndpointAlert on CatoEndpointAlert {
id
title
mitreTechnique {
id
name
__typename
}
createdDateTime
threatName
activities {
...StoryDetailsCatoEndpointActivity
__typename
}
resources {
...StoryDetailsCatoEndpointResource
__typename
}
... on CatoEndpointAlert {
criticality
catoStatus: status
__typename
}
__typename
}
fragment StoryDetailsCatoEndpointActivity on CatoActivity {
id
resourceId
parentResourceId
__typename
}
fragment StoryDetailsCatoEndpointResource on CatoResource {
id
createdDateTime
remediationStatus
...StoryDetailsCatoEndpointFileResource
...StoryDetailsCatoEndpointProcessResource
__typename
}
fragment StoryDetailsCatoEndpointFileResource on CatoFileResource {
detectionStatus
fileDetails {
...StoryDetailsCatoEndpointFileDetails
__typename
}
__typename
}
fragment StoryDetailsCatoEndpointFileDetails on FileDetails {
path
name
size
sha1
sha256
issuer
signer
__typename
}
fragment StoryDetailsCatoEndpointProcessResource on CatoProcessResource {
processId
processCommandLine
imageFile {
...StoryDetailsCatoEndpointFileDetails
__typename
}
userAccount {
...StoryDetailsCatoEndpointUserDetails
__typename
}
__typename
}
fragment StoryDetailsCatoEndpointUserDetails on EndpointUser {
id
... on CatoEndpointUser {
name
__typename
}
__typename
}
Variables
{"accountId": "123", "storyId": "abc123"}
Response
{
"data": {
"xdr": {
"__typename": "XDR",
"story": {
"playbook": null,
"incident": {
"__typename": "Threat",
"id": "abc123",
"status": "Open",
"producer": "ThreatHunt",
"ticket": null,
"connectionType": "Site",
"indication": "abc123",
"queryName": "abc123",
"criticality": 5,
"source": "abc123",
"research": false,
"firstSignal": "2024-02-29T09:00:00Z",
"lastSignal": "2024-02-29T13:00:00Z",
"description": "abc123",
"site": null,
"user": null,
"srcSiteId": "123",
"flowsCardinality": 4,
"storyDuration": 14400,
"os": "OS_WINDOWS",
"deviceName": "abc123",
"macAddress": "aa:aa:11:22:33:44",
"sourceIp": "1.2.3.4",
"logonName": null,
"direction": "OUTBOUND",
"predictedVerdict": null,
"predictedThreatType": null,
"similarStoriesData": [],
"events": [],
"mitres": [],
"timeSeries": [],
"targets": [
{
"type": "domain",
"name": "123",
"analysisScore": 0.75688803,
"infectionSource": true,
"catoPopularity": -1,
"threatFeeds": 2,
"creationTime": "2023-01-10T06:16:40Z",
"categories": "abc123",
"countryOfRegistration": "CZ",
"searchHits": "123",
"engines": null,
"eventData": [],
"__typename": "IncidentTargetRep"
}
],
"flows": [
{
"appName": "http",
"clientClass": null,
"sourceIp": "11.22.33.111",
"sourcePort": 123,
"direction": "INBOUND",
"createdAt": "2024-02-29T09:45:00Z",
"referer": null,
"userAgent": null,
"method": null,
"destinationCountry": "US",
"destinationPort": 123,
"destinationIp": "11.22.33.644",
"destinationGeolocation": "11.1,22.2",
"url": null,
"tunnelGeolocation": "11.1,22.2",
"domain": "abc123",
"target": "abc123",
"httpResponseCode": null,
"dnsResponseIP": null,
"smbFileName": null,
"fileHash": null,
"ja3": null,
"__typename": "IncidentFlow"
}
],
"analystFeedback": {
"verdict": null,
"severity": null,
"threatType": {
"name": "PuP",
"details": null,
"recommendedAction": null,
"__typename": "AnalystFeedbackThreatType"
},
"threatClassification": null,
"additionalInfo": null,
"__typename": "AnalystFeedback"
}
},
"__typename": "Story",
"id": "abc123",
"summary": "abc123",
"updatedAt": "2024-03-27T08:32:44Z",
"createdAt": "2024-03-27T08:22:51Z",
"timeline": [
{
"createdAt": "2024-03-27T08:22:51Z",
"type": "Diff",
"descriptions": ["abc123"],
"additionalInfo": null,
"analystInfo": null,
"context": "Story created",
"category": null,
"__typename": "TimelineItem"
}
]
}
}
}
}
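The story response above carries the artefacts an analyst actually acts on: domains and destination addresses from `targets` and `flows` for network incidents, and file digests plus MITRE technique IDs from `alerts` for endpoint incidents (the `CatoEndpoint` fragments above). The following is an added example, not code from the Cato documentation, that walks one `xdr.story` response in the documented shape and collects those indicators. It keeps private source addresses apart from public ones so they are not pushed to a blocklist by mistake, and it skips unparsable addresses such as the malformed `11.22.33.644` in the reference response. The sample stories are constructed; the inference of hash algorithm from digest length for `fileHash` is this example's assumption, since the page does not name the algorithm.

```python
"""Pull indicators of compromise out of an XDR story response.

Added example (not code from the Cato documentation). It walks the JSON shape
shown in the reference response: a Threat incident carries `targets` and
`flows`; a CatoEndpoint incident carries `alerts`, each with `mitreTechnique`
entries and `resources` holding `fileDetails`/`imageFile` with sha1/sha256.
"""
from __future__ import annotations

import ipaddress

IOC_KINDS = ("domains", "external_ips", "internal_ips", "sha1", "sha256", "mitre_techniques")


def _add_ip(raw: str | None, iocs: dict[str, set[str]]) -> None:
    """File an address under external or internal; skip unparsable values
    (the reference response above contains the malformed "11.22.33.644")."""
    if not raw:
        return
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return
    iocs["external_ips" if ip.is_global else "internal_ips"].add(str(ip))


def _add_hashes(file_details: dict | None, iocs: dict[str, set[str]]) -> None:
    if not file_details:
        return
    for algo in ("sha1", "sha256"):
        digest = file_details.get(algo)
        if digest:
            iocs[algo].add(digest.lower())


def extract_indicators(story_response: dict) -> dict[str, set[str]]:
    """Return IOC sets for one xdr.story response (either incident shape)."""
    story = story_response["data"]["xdr"]["story"]
    incident = story.get("incident") or {}
    iocs: dict[str, set[str]] = {kind: set() for kind in IOC_KINDS}

    _add_ip(incident.get("sourceIp"), iocs)

    # Network incidents (Threat, AnomalyEvents, ...): targets and flows
    for target in incident.get("targets") or []:
        name = target.get("name")
        if target.get("type") == "domain" and name:
            iocs["domains"].add(name.lower())
    for flow in incident.get("flows") or []:
        _add_ip(flow.get("sourceIp"), iocs)
        _add_ip(flow.get("destinationIp"), iocs)
        if flow.get("domain"):
            iocs["domains"].add(flow["domain"].lower())
        digest = flow.get("fileHash")
        # Assumption: the page does not name the fileHash algorithm, so infer it from length
        if digest and len(digest) in (40, 64):
            iocs["sha1" if len(digest) == 40 else "sha256"].add(digest.lower())

    # Endpoint incidents (CatoEndpoint): alerts -> MITRE techniques and file/process resources
    for alert in incident.get("alerts") or []:
        for technique in alert.get("mitreTechnique") or []:
            if technique.get("id"):
                iocs["mitre_techniques"].add(technique["id"])
        for resource in alert.get("resources") or []:
            _add_hashes(resource.get("fileDetails"), iocs)
            _add_hashes(resource.get("imageFile"), iocs)
    return iocs


# Constructed samples (not real detections): a trimmed Threat story in the shape of
# the reference response above, and a CatoEndpoint story in the shape of the fragments.
SAMPLE_THREAT_STORY = {"data": {"xdr": {"story": {"id": "abc123", "incident": {
    "__typename": "Threat", "id": "abc123", "sourceIp": "10.20.30.40",
    "targets": [{"type": "domain", "name": "Bad.Example", "infectionSource": True}],
    "flows": [
        {"sourceIp": "10.20.30.40", "destinationIp": "11.22.33.644", "domain": "bad.example", "fileHash": None},
        {"sourceIp": "10.20.30.40", "destinationIp": "11.22.33.44", "domain": None, "fileHash": "a" * 64},
    ],
}}}}}

SAMPLE_ENDPOINT_STORY = {"data": {"xdr": {"story": {"id": "def456", "incident": {
    "__typename": "CatoEndpoint", "id": "def456", "sourceIp": "192.168.1.15",
    "alerts": [{"id": "1", "title": "Suspicious script",
                "mitreTechnique": [{"id": "T1059", "name": "Command and Scripting Interpreter"}],
                "resources": [
                    {"id": "r1", "fileDetails": {"name": "dropper.exe", "sha1": "B" * 40, "sha256": "C" * 64}},
                    {"id": "r2", "processId": 4242, "processCommandLine": "powershell -nop -w hidden",
                     "imageFile": {"name": "powershell.exe", "sha256": "D" * 64}},
                ]}],
}}}}}

if __name__ == "__main__":
    for sample in (SAMPLE_THREAT_STORY, SAMPLE_ENDPOINT_STORY):
        print({kind: sorted(values) for kind, values in extract_indicators(sample).items()})
```

Digests are lower-cased and domains normalised so that the same indicator reported by a network story and an endpoint story de-duplicates; `mitre_techniques` holds technique IDs only, which is what a detection-coverage mapping needs.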
Mutations
AdminMutations
addAdmin
Response
Returns an AddAdminPayload
Arguments
Name | Description |
---|---|
input - AddAdminInput! | |
Example
Query
mutation addAdmin($accountId:ID!, $input: AddAdminInput!) {
admin(accountId:$accountId) {
addAdmin(input:$input) {
adminID
}
}
}
Variables
{
"accountId": "123",
"input": {
"firstName": "Name",
"lastName": "Surname",
"email": "name.surname@company.org",
"passwordNeverExpires": false,
"mfaEnabled": true,
"managedRoles": [{"role": {"id": 2, "name": "Viewer"}}]
}
}
Response
{"data": {"admin": {"addAdmin": {"adminID": "456"}}}}
removeAdmin
Response
Returns a RemoveAdminPayload
Arguments
Name | Description |
---|---|
adminID - ID! | |
Example
Query
mutation removeAdmin($accountId:ID!, $adminID:ID!){
admin(accountId:$accountId) {
removeAdmin(adminID:$adminID) {
adminID
}
}
}
Variables
{"accountId": "123", "adminID": "456"}
Response
{"data": {"admin": {"removeAdmin": {"adminID": "456"}}}}
updateAdmin
Response
Returns an UpdateAdminPayload
Arguments
Name | Description |
---|---|
adminID - ID! | |
input - UpdateAdminInput! | |
Example
Query
mutation updateAdmin($accountId:ID!, $adminID:ID!, $input: UpdateAdminInput!){
admin(accountId:$accountId) {
updateAdmin(adminID:$adminID,input:$input) {
adminID
}
}
}
Variables
{
"accountId": "123",
"adminID": "456",
"input": {
"managedRoles": [
{"role": {"id": 1, "name": "Editor"}},
{"role": {"id": 2, "name": "Viewer"}}
]
}
}
Response
{"data": {"admin": {"updateAdmin": {"adminID": "456"}}}}
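The admin mutations above are the highest-impact calls on this page: `addAdmin` and `updateAdmin` decide who can change the account's security policy, and `AddAdminInput` lets the caller switch off MFA or password expiry for the new administrator. The following is an added example, not Cato's own code, that wraps the documented `addAdmin` mutation in a small policy gate before it is sent and checks the GraphQL `errors` array on the way back (GraphQL returns HTTP 200 even when a mutation fails). The role allowlist, the policy rules and the `x-api-key` header name are this example's assumptions; the mutation text and input fields are the ones shown above.

```python
"""Create an administrator through the addAdmin mutation with guard rails.

Added example (not Cato's code). The mutation text and AddAdminInput fields are
the ones documented on the page; the policy in check_admin_input, the role
allowlist and the x-api-key header name are this example's own assumptions.
"""
from __future__ import annotations

import json
import urllib.request

ADD_ADMIN_MUTATION = """
mutation addAdmin($accountId: ID!, $input: AddAdminInput!) {
  admin(accountId: $accountId) {
    addAdmin(input: $input) {
      adminID
    }
  }
}
"""

# Roles an unattended onboarding job may hand out; anything broader needs a human.
# The role name follows the page's example; the allowlist itself is an assumption.
ALLOWED_ROLES = {"Viewer"}


class AdminPolicyError(ValueError):
    """The requested AddAdminInput weakens the account's admin posture."""


class GraphQLError(RuntimeError):
    """The API answered, but the mutation did not succeed."""


def check_admin_input(admin_input: dict) -> None:
    for field in ("firstName", "lastName", "email"):
        if not admin_input.get(field):
            raise AdminPolicyError(f"{field} is required")
    if admin_input.get("mfaEnabled") is not True:
        raise AdminPolicyError("mfaEnabled must be true for every new admin")
    if admin_input.get("passwordNeverExpires") is not False:
        raise AdminPolicyError("passwordNeverExpires must be false")
    if admin_input.get("resellerRoles"):
        raise AdminPolicyError("resellerRoles are not granted by this job")
    roles = {entry["role"]["name"] for entry in admin_input.get("managedRoles") or []}
    if not roles:
        raise AdminPolicyError("at least one managed role is required")
    if roles - ALLOWED_ROLES:
        raise AdminPolicyError(f"roles outside the allowlist: {sorted(roles - ALLOWED_ROLES)}")


def build_request(account_id: str, admin_input: dict) -> dict:
    """Validate the input, then return the JSON body for the GraphQL POST."""
    check_admin_input(admin_input)
    return {"query": ADD_ADMIN_MUTATION,
            "variables": {"accountId": str(account_id), "input": admin_input}}


def parse_response(body: dict) -> str:
    """Return the new adminID. GraphQL answers HTTP 200 even when the mutation
    fails, so the `errors` array, not the status code, decides success."""
    if body.get("errors"):
        raise GraphQLError("; ".join(err.get("message", "unknown error") for err in body["errors"]))
    try:
        return body["data"]["admin"]["addAdmin"]["adminID"]
    except (KeyError, TypeError) as exc:
        raise GraphQLError(f"unexpected response shape: {json.dumps(body)}") from exc


def submit(endpoint: str, api_key: str, payload: dict, timeout: float = 30.0) -> str:
    """POST the body and return the adminID; x-api-key is assumed to be the auth header."""
    req = urllib.request.Request(
        endpoint, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", "x-api-key": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(json.load(resp))


if __name__ == "__main__":
    # Dry run on the page's own example input; no network call is made here.
    example_input = {"firstName": "Name", "lastName": "Surname", "email": "name.surname@company.org",
                     "passwordNeverExpires": False, "mfaEnabled": True,
                     "managedRoles": [{"role": {"id": 2, "name": "Viewer"}}]}
    print(json.dumps(build_request("123", example_input), indent=2))
```

`accountId` is coerced to a string because `ID!` is serialised as a string in every example on this page. The same `parse_response` shape works for `removeAdmin` and `updateAdmin` once the path under `data.admin` is changed; both of those, like `addAdmin`, show up in the audit feed with the acting admin or API key, which is where to reconcile what this job did.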
SiteMutations
addSocketSite
Response
Returns an AddSocketSitePayload
Arguments
Name | Description |
---|---|
input - AddSocketSiteInput! | |
Example
Query
mutation addSocketSite($accountId:ID!, $input:AddSocketSiteInput!){
site(accountId:$accountId) {
addSocketSite(input:$input) {
siteId
}
}
}
Variables
{
"accountId": "123",
"input": {
"name": "New Site",
"connectionType": "SOCKET_X1700",
"siteType": "DATACENTER",
"description": "Data warehouse",
"nativeNetworkRange": "123.0.0.0/24",
"siteLocation": {"countryCode": "IL", "timezone": "Asia/Jerusalem"}
}
}
Response
{"data": {"site": {"addSocketSite": {"siteId": "456"}}}}
updateSiteGeneralDetails
Response
Returns an UpdateSiteGeneralDetailsPayload
Arguments
Name | Description |
---|---|
siteId - ID! | |
input - UpdateSiteGeneralDetailsInput! | |
Example
Query
mutation updateSiteGeneralDetails($accountId:ID!, $siteId:ID!, $input:UpdateSiteGeneralDetailsInput!) {
site(accountId: $accountId){
updateSiteGeneralDetails(siteId:$siteId, input:$input) {
siteId
}
}
}
Variables
{"accountId": "123", "siteId": "456", "input": {"siteType": "BRANCH"}}
Response
{"data": {"site": {"updateSiteGeneralDetails": {"siteId": "456"}}}}
removeSite
Response
Returns a RemoveSitePayload
Arguments
Name | Description |
---|---|
siteId - ID! | |
Example
Query
mutation removeSite($accountId:ID!, $siteId:ID!){
site(accountId:$accountId) {
removeSite(siteId:$siteId) {
siteId
}
}
}
Variables
{"accountId": "123", "siteId": "456"}
Response
{"data": {"site": {"removeSite": {"siteId": "456"}}}}
updateSocketInterface
Response
Returns an UpdateSocketInterfacePayload
Arguments
Name | Description |
---|---|
siteId - ID! | |
socketInterfaceId - SocketInterfaceIDEnum! | |
input - UpdateSocketInterfaceInput! | |
Example
Query
mutation updateSocketInterface(
$accountId:ID!,
$siteId: ID!,
$socketInterfaceId: SocketInterfaceIDEnum!,
$input:UpdateSocketInterfaceInput!
) {
site(accountId:$accountId){
updateSocketInterface(siteId:$siteId, socketInterfaceId: $socketInterfaceId, input:$input){
siteId
socketInterfaceId
}
}
}
Variables
{
"accountId": "123",
"siteId": "456",
"socketInterfaceId": "INT_1",
"input": {
"destType": "CATO",
"bandwidth": {"upstreamBandwidth": 100, "downstreamBandwidth": 100}
}
}
Response
{
"data": {
"site": {
"updateSocketInterface": {"siteId": "456", "socketInterfaceId": "INT_1"}
}
}
}
addNetworkRange
Response
Returns an AddNetworkRangePayload
Arguments
Name | Description |
---|---|
lanSocketInterfaceId - ID! | |
input - AddNetworkRangeInput! | |
Example
Query
mutation addNetworkRange(
$accountId:ID!,
$lanSocketInterfaceId: ID!,
$input:AddNetworkRangeInput!
) {
site(accountId:$accountId){
addNetworkRange(lanSocketInterfaceId:$lanSocketInterfaceId, input:$input){
networkRangeId
}
}
}
Variables
{
"accountId": "123",
"lanSocketInterfaceId": "456",
"input": {
"name": "Printers",
"rangeType": "Routed",
"subnet": "123.0.1.0/30",
"gateway": "123.0.0.2"
}
}
Response
{"data": {"site": {"addNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}
updateNetworkRange
Response
Returns an UpdateNetworkRangePayload
Arguments
Name | Description |
---|---|
networkRangeId - ID! | |
input - UpdateNetworkRangeInput! | |
Example
Query
mutation updateNetworkRange(
$accountId:ID!,
$networkRangeId: ID!,
$input:UpdateNetworkRangeInput!
) {
site(accountId:$accountId){
updateNetworkRange(networkRangeId:$networkRangeId, input:$input){
networkRangeId
}
}
}
Variables
{"accountId": "123", "networkRangeId": "UzQ3MDcw", "input": {"name": "Devs"}}
Response
{"data": {"site": {"updateNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}
removeNetworkRange
Response
Returns a RemoveNetworkRangePayload
Arguments
Name | Description |
---|---|
networkRangeId - ID! | |
Example
Query
mutation removeNetworkRange(
$accountId:ID!,
$networkRangeId: ID!
) {
site(accountId:$accountId){
removeNetworkRange(networkRangeId:$networkRangeId){
networkRangeId
}
}
}
Variables
{"accountId": "123", "networkRangeId": "UzQ3MDcw"}
Response
{"data": {"site": {"removeNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}
updateHa
Response
Returns an UpdateHaPayload
Arguments
Name | Description |
---|---|
siteId - ID! | |
input - UpdateHaInput! | |
Example
Query
mutation updateHa($accountId:ID!,$siteId: ID!, $input: UpdateHaInput!) {
site(accountId:$accountId){
updateHa(siteId:$siteId, input:$input){
siteId
}
}
}
Variables
{
"accountId": "123",
"siteId": "456",
"input": {
"primaryManagementIp": "123.0.0.231",
"secondaryManagementIp": "123.0.0.232",
"vrid": 123
}
}
Response
{"data": {"site": {"updateHa": {"siteId": "456"}}}}
addStaticHost
Response
Returns an AddStaticHostPayload
Arguments
Name | Description |
---|---|
siteId - ID! | |
input - AddStaticHostInput! | |
Example
Query
mutation addStaticHost($accountId:ID!,$siteId: ID!, $input: AddStaticHostInput!) {
site(accountId:$accountId){
addStaticHost(siteId:$siteId, input:$input){
hostId
}
}
}
Variables
{
"accountId": "123",
"siteId": "456",
"input": {"name": "Printer", "ip": "123.0.0.10"}
}
Response
{"data": {"site": {"addStaticHost": {"hostId": "789"}}}}
updateStaticHost
Response
Returns an UpdateStaticHostPayload
Arguments
Name | Description |
---|---|
hostId - ID! | |
input - UpdateStaticHostInput! | |
Example
Query
mutation updateStaticHost($accountId:ID!,$hostId: ID!, $input: UpdateStaticHostInput!) {
site(accountId:$accountId){
updateStaticHost(hostId:$hostId, input:$input){
hostId
}
}
}
Variables
{
"accountId": "123",
"hostId": "789",
"input": {"name": "Printer", "ip": "123.0.0.11"}
}
Response
{"data": {"site": {"updateStaticHost": {"hostId": "789"}}}}
removeStaticHost
Response
Returns a RemoveStaticHostPayload
Arguments
Name | Description |
---|---|
hostId - ID! | |
Example
Query
mutation removeStaticHost($accountId:ID!,$hostId: ID!) {
site(accountId:$accountId){
removeStaticHost(hostId:$hostId){
hostId
}
}
}
Variables
{"accountId": "123", "hostId": "789"}
Response
{"data": {"site": {"removeStaticHost": {"hostId": "789"}}}}
Types
AccountDataPayload
AccountMetrics
Fields
Field Name | Description |
---|---|
id - ID | Unique Identifier of Account. |
from - DateTime | Starting time |
to - DateTime | Ending time |
granularity - Int | The size of a single time bucket in seconds |
sites - [SiteMetrics!] | Site connectivity metrics for the requested sites. |
Arguments
users - [SiteMetrics!] | Connectivity metrics for the requested users connecting remotely with the Client. Doesn’t include user traffic behind a site. |
Arguments
timeseries - [Timeseries!] | |
Arguments
Example
{
"id": "4",
"from": "2007-12-03T10:15:30Z",
"to": "2007-12-03T10:15:30Z",
"granularity": 987,
"sites": [SiteMetrics],
"users": [SiteMetrics],
"timeseries": [Timeseries]
}
AccountRolesResult
Fields
Field Name | Description |
---|---|
items - [RBACRole!]! | |
total - Int! | |
Example
{"items": [RBACRole], "total": 987}
AccountSnapshot
Fields
Field Name | Description |
---|---|
id - ID | Unique Identifier of Account |
sites - [SiteSnapshot!] | Includes information about online as well as offline sites |
Arguments
users - [UserSnapshot!] | VPN user information includes only connected users by default (unlike sites), unless a specific ID is requested |
Arguments
timestamp - DateTime | |
Example
{
"id": 4,
"sites": [SiteSnapshot],
"users": [UserSnapshot],
"timestamp": "2007-12-03T10:15:30Z"
}
AccountType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"SYSTEM"
Activity
Possible Types
Activity Types |
---|
Example
{
"id": 4,
"resourceId": "4",
"parentResourceId": "4"
}
AddAdminInput
Fields
Input Field | Description |
---|---|
firstName - String! | |
lastName - String! | |
email - String! | |
passwordNeverExpires - Boolean! | |
mfaEnabled - Boolean! | |
managedRoles - [UpdateAdminRoleInput!] | |
resellerRoles - [UpdateAdminRoleInput!] | |
Example
{
"firstName": "xyz789",
"lastName": "abc123",
"email": "xyz789",
"passwordNeverExpires": false,
"mfaEnabled": false,
"managedRoles": [UpdateAdminRoleInput],
"resellerRoles": [UpdateAdminRoleInput]
}
AddAdminPayload
Fields
Field Name | Description |
---|---|
adminID - ID! | |
Example
{"adminID": 4}
AddNetworkRangeInput
Fields
Input Field | Description |
---|---|
name - String! | |
rangeType - SubnetType! | |
subnet - IPSubnet! | |
translatedSubnet - IPSubnet | |
localIp - IPAddress | Only relevant for NATIVE, SECONDARY_NATIVE, DIRECT_ROUTE, VLAN rangeType |
gateway - IPAddress | Only relevant for ROUTED_ROUTE rangeType |
vlan - Int | Only relevant for VLAN network rangeType |
azureFloatingIp - IPAddress | Only relevant for AZURE HA sites |
dhcpSettings - NetworkDhcpSettingsInput | Only relevant for NATIVE, VLAN rangeType |
Example
{
"name": "abc123",
"rangeType": "Routed",
"subnet": IPSubnet,
"translatedSubnet": IPSubnet,
"localIp": IPAddress,
"gateway": IPAddress,
"vlan": 987,
"azureFloatingIp": IPAddress,
"dhcpSettings": NetworkDhcpSettingsInput
}
AddNetworkRangePayload
Fields
Field Name | Description |
---|---|
networkRangeId - ID! | |
Example
{"networkRangeId": "4"}
AddSiteLocationInput
AddSocketSiteInput
Fields
Input Field | Description |
---|---|
name - String! | |
connectionType - SiteConnectionTypeEnum! | |
siteType - SiteType! | |
description - String | |
nativeNetworkRange - IPSubnet! | |
translatedSubnet - IPSubnet | |
siteLocation - AddSiteLocationInput! | |
Example
{
"name": "xyz789",
"connectionType": "SOCKET_X1500",
"siteType": "BRANCH",
"description": "abc123",
"nativeNetworkRange": IPSubnet,
"translatedSubnet": IPSubnet,
"siteLocation": AddSiteLocationInput
}
AddSocketSitePayload
Fields
Field Name | Description |
---|---|
siteId - ID! | |
Example
{"siteId": 4}
AddStaticHostInput
Fields
Input Field | Description |
---|---|
name - String! | |
ip - IPAddress! | |
macAddress - String | |
Example
{
"name": "abc123",
"ip": IPAddress,
"macAddress": "abc123"
}
AddStaticHostPayload
Fields
Field Name | Description |
---|---|
hostId - ID! | |
Example
{"hostId": 4}
Admin
Description
A CC2 administrator
Fields
Field Name | Description |
---|---|
id - ID! | |
version - String! | |
role - UserRole | |
firstName - String | |
lastName - String | |
email - String | |
creationDate - DateTime | |
modifyDate - DateTime | |
status - OperationalStatus | |
passwordNeverExpires - Boolean | |
mfaEnabled - Boolean | |
nativeAccountID - ID | |
allowedItems - [Entity!] | |
presentUsageAndEvents - Boolean | |
managedRoles - [AdminRole!] | |
resellerRoles - [AdminRole!] | |
Example
{
"id": "4",
"version": "abc123",
"role": "OWNER",
"firstName": "abc123",
"lastName": "abc123",
"email": "xyz789",
"creationDate": "2007-12-03T10:15:30Z",
"modifyDate": "2007-12-03T10:15:30Z",
"status": "active",
"passwordNeverExpires": false,
"mfaEnabled": true,
"nativeAccountID": "4",
"allowedItems": [Entity],
"presentUsageAndEvents": true,
"managedRoles": [AdminRole],
"resellerRoles": [AdminRole]
}
AdminRole
AdminsResult
AggregationType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"sum"
AlertClassificationEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"FALSE_POSITIVE"
AlertDeterminationEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"APT"
AnalystFeedback
Fields
Field Name | Description |
---|---|
verdict - StoryVerdictEnum | |
severity - SeverityEnum | |
threatType - AnalystFeedbackThreatType | |
threatClassification - String | |
additionalInfo - String | |
Example
{
"verdict": "Suspicious",
"severity": "High",
"threatType": AnalystFeedbackThreatType,
"threatClassification": "xyz789",
"additionalInfo": "xyz789"
}
AnalystFeedbackThreatType
AnalystInfo
AnnotationType
Values
Enum Value | Description |
---|---|
| The site connects to a different PoP |
| Change for HA status role |
| The ISP IP address (remote IP) changed |
| Other events that are included in annotations |
Example
"popChange"
Anomalies
Fields
Field Name | Description |
---|---|
id - ID! | |
firstSignal - DateTime! | |
lastSignal - DateTime! | |
engineType - StoryEngineTypeEnum | |
vendor - VendorEnum | |
producer - StoryProducerEnum! | |
producerName - String! | |
connectionType - ConnectionTypeEnum | |
indication - String! | |
queryName - String | |
source - String | |
criticality - Int | |
ticket - String | |
status - StoryStatusEnum | |
research - Boolean | |
siteName - String | |
storyDuration - Int | |
description - String | |
analystFeedback - AnalystFeedback | |
site - SiteRef | |
user - UserRef | |
sourceIp - String | |
similarStoriesData - [SimilarStoryData!]! | |
predictedVerdict - StoryVerdictEnum | |
predictedThreatType - String | |
Possible Types
Anomalies Types |
---|
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "abc123",
"connectionType": "Site",
"indication": "abc123",
"queryName": "abc123",
"source": "abc123",
"criticality": 123,
"ticket": "xyz789",
"status": "Open",
"research": true,
"siteName": "abc123",
"storyDuration": 123,
"description": "xyz789",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"sourceIp": "xyz789",
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "abc123"
}
AnomalyEvents
Fields
Field Name | Description |
---|---|
id - ID! | |
firstSignal - DateTime! | |
lastSignal - DateTime! | |
engineType - StoryEngineTypeEnum | |
vendor - VendorEnum | |
producer - StoryProducerEnum! | |
producerName - String! | |
connectionType - ConnectionTypeEnum | |
indication - String! | |
queryName - String | |
source - String | |
criticality - Int | |
ticket - String | |
status - StoryStatusEnum | |
research - Boolean | |
siteName - String | |
storyDuration - Int | |
description - String | |
analystFeedback - AnalystFeedback | |
site - SiteRef | |
user - UserRef | |
sourceIp - String | |
similarStoriesData - [SimilarStoryData!]! | |
predictedVerdict - StoryVerdictEnum | |
predictedThreatType - String | |
srcSiteId - String | |
os - String | |
deviceName - String | |
macAddress - String | |
logonName - String | |
clientClass - [String!]! | |
drillDownFilter - [StoryDrillDownFilter!] | |
breakdownField - String | |
subjectType - String | |
extra - [Extra!] | |
gaussian - Gaussian | |
metric - Metric | |
metricDetails - MetricDetails | |
mitres - [Mitre!] | |
rules - [String!] | |
timeSeries - [IncidentTimeseries!] | |
targets - [IncidentTargetRep!]! | |
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "abc123",
"connectionType": "Site",
"indication": "xyz789",
"queryName": "abc123",
"source": "xyz789",
"criticality": 987,
"ticket": "xyz789",
"status": "Open",
"research": true,
"siteName": "xyz789",
"storyDuration": 987,
"description": "abc123",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"sourceIp": "xyz789",
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "abc123",
"srcSiteId": "abc123",
"os": "abc123",
"deviceName": "abc123",
"macAddress": "xyz789",
"logonName": "abc123",
"clientClass": ["xyz789"],
"drillDownFilter": [StoryDrillDownFilter],
"breakdownField": "abc123",
"subjectType": "abc123",
"extra": [Extra],
"gaussian": Gaussian,
"metric": Metric,
"metricDetails": MetricDetails,
"mitres": [Mitre],
"rules": ["xyz789"],
"timeSeries": [IncidentTimeseries],
"targets": [IncidentTargetRep]
}
AnomalyStats
Fields
Field Name | Description |
---|---|
id - ID! | |
firstSignal - DateTime! | |
lastSignal - DateTime! | |
engineType - StoryEngineTypeEnum | |
vendor - VendorEnum | |
producer - StoryProducerEnum! | |
producerName - String! | |
connectionType - ConnectionTypeEnum | |
indication - String! | |
queryName - String | |
source - String | |
criticality - Int | |
ticket - String | |
status - StoryStatusEnum | |
research - Boolean | |
siteName - String | |
storyDuration - Int | |
description - String | |
analystFeedback - AnalystFeedback | |
site - SiteRef | |
user - UserRef | |
sourceIp - String | |
similarStoriesData - [SimilarStoryData!]! | |
predictedVerdict - StoryVerdictEnum | |
predictedThreatType - String | |
srcSiteId - String | |
os - String | |
deviceName - String | |
macAddress - String | |
logonName - String | |
clientClass - [String!]! | |
drillDownFilter - [StoryDrillDownFilter!] | |
breakdownField - String | |
subjectType - String | |
extra - [Extra!] | |
gaussian - Gaussian | |
metric - Metric | |
metricDetails - MetricDetails | |
mitres - [Mitre!] | |
rules - [String!] | |
timeSeries - [IncidentTimeseries!] | |
targets - [IncidentTargetRep!]! | |
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "abc123",
"queryName": "abc123",
"source": "xyz789",
"criticality": 123,
"ticket": "xyz789",
"status": "Open",
"research": false,
"siteName": "xyz789",
"storyDuration": 987,
"description": "xyz789",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"sourceIp": "abc123",
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "xyz789",
"srcSiteId": "abc123",
"os": "xyz789",
"deviceName": "xyz789",
"macAddress": "abc123",
"logonName": "abc123",
"clientClass": ["abc123"],
"drillDownFilter": [StoryDrillDownFilter],
"breakdownField": "abc123",
"subjectType": "xyz789",
"extra": [Extra],
"gaussian": Gaussian,
"metric": Metric,
"metricDetails": MetricDetails,
"mitres": [Mitre],
"rules": ["abc123"],
"timeSeries": [IncidentTimeseries],
"targets": [IncidentTargetRep]
}
ApnMethod
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"METHOD_UNKNOWN"
AppStats
AppStatsField
Fields
Field Name | Description |
---|---|
name - AppStatsFieldName! | |
value - Value! | |
Example
{"name": "app", "value": StringValue}
AppStatsFieldName
Values
Enum Value | Description |
---|---|
| the cloud application identifier |
| the cloud application name |
| new cloud application identifier |
| |
| the total sum of upstream and downstream data in bytes |
| data uploaded to cloud applications |
| data downloaded from cloud applications |
| the application risk score assigned by Cato |
| |
| cloud applications approved for use and managed by the organization |
| the country in which the registered application headquarters is located |
| indicates whether the application is considered cloud app/SaaS app |
| the cloud application category |
| |
| |
| |
| |
| |
| |
| Source site or VPN user |
| |
| |
| |
| |
| Destination Site or VPN user ID (proto) |
| Destination Site or VPN user |
| Destination Site or VPN user ID (DB) |
| Destination Site or VPN user name |
| Traffic direction |
| PC or device name |
| Active Directory name |
| IP for host or VPN client |
| Name for Socket interface |
| Traffic is site or VPN client |
Example
"app"
AppStatsFilter
Fields
Input Field | Description |
---|---|
fieldName - AppStatsFieldName! | |
operator - FilterOperator! | |
values - [String!]! | |
Example
{
"fieldName": "app",
"operator": "is",
"values": ["xyz789"]
}
AppStatsRecord
Fields
Field Name | Description |
---|---|
fields - [AppStatsField!] | |
fieldsUnitTypes - [UnitType!] | |
fieldsMap - Map | fields in map format (see Map scalar) |
trends - Map | |
prevTimeFrame - Map | |
flatFields - [String!] | Simplified fields, as array of name value tuples, e.g: [ [ "name", "val" ], [ "name2", "val2" ] ... ] |
Example
{
"fields": [AppStatsField],
"fieldsUnitTypes": ["bytes"],
"fieldsMap": Map,
"trends": Map,
"prevTimeFrame": Map,
"flatFields": ["xyz789"]
}
AppStatsSort
Fields
Input Field | Description |
---|---|
fieldName - AppStatsFieldName! | |
order - DirectionEnum! | |
Example
{"fieldName": "app", "order": "asc"}
AppStatsTimeSeries
AuditFeed
Example
{
"from": "2007-12-03T10:15:30Z",
"to": "2007-12-03T10:15:30Z",
"marker": "abc123",
"fetchedCount": 123,
"hasMore": true,
"accounts": [AuditFeedAccountRecords]
}
AuditFeedAccountRecords
Fields
Field Name | Description |
---|---|
id - ID | |
records - [AuditRecord!] | |
Arguments
Example
{"id": 4, "records": [AuditRecord]}
AuditField
AuditFieldFilterInput
Fields
Input Field | Description |
---|---|
fieldName - FieldNameInput! | |
operator - ElasticOperator! | Use AuditFieldName for audits |
values - [String!] | |
Example
{
"fieldName": FieldNameInput,
"operator": "is",
"values": ["abc123"]
}
AuditFieldName
Values
Enum Value | Description |
---|---|
| The admin whose action generated the record |
| The API key whose action generated the record |
| The name of the object that was affected, e.g. 'My Site' |
| The ID of the admin whose action generated the record |
| Less granular than model_name, a general marker of the modified area: administration, configuration, security |
| |
| Time the record was committed to storage |
| The nature of the change: CREATED, DELETED, MODIFIED, ENABLED, DISABLED, SKIPPED |
| Time the record was created |
| The type of object that was affected, e.g. Site, Socket, SocketInterface |
| The name of the account on which the record was created |
| The ID of the account on which the record was created |
Example
"admin"
AuditRecord
Description
Represents a single event in the audit database
Fields
Field Name | Description |
---|---|
admin - Entity | |
apiKey - Entity | |
object - Entity | |
account - EntityInfo | |
time - DateTime | |
fields - [AuditField!] | All fields in the audit record (including the admin and object) |
fieldsMap - Map | fields in map format (see Map scalar) |
flatFields - [String!] | Simplified fields, as array of name value tuples, e.g: [ [ "name", "val" ], [ "name2", "val2" ] ... ] |
Example
{
"admin": Entity,
"apiKey": Entity,
"object": Entity,
"account": EntityInfo,
"time": "2007-12-03T10:15:30Z",
"fields": [AuditField],
"fieldsMap": Map,
"flatFields": ["abc123"]
}
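The audit feed is where the admin and site mutations on this page leave their trail: every record names the acting admin or API key, the affected object and, in its fields, the nature of the change. The following is an added example, not Cato's own code, that pages through the feed using the `marker`/`hasMore` pair shown in the AuditFeed example, reads each record's `flatFields` tuples, and flags the changes a SOC would want to review first: creation or modification of administrators, MFA being switched off, and administrative changes made with an API key rather than by a person. The feed pages are constructed; the `flatFields` names (`change_type`, `model_name`, `module`, `mfaEnabled`) and the model names `Admin` and `ApiKey` are paraphrased from the AuditFieldName descriptions above and are assumptions, and the fetch callable stands in for the real query.

```python
"""Walk the audit feed by marker and flag privileged administrative changes.

Added example (not Cato's code). It models the shapes documented on the page: a
feed page with marker/hasMore/accounts[].records[], and AuditRecord with admin,
apiKey, object, time and flatFields name/value tuples. The flatFields names and
the model names used below are assumptions; sample_fetch stands in for the
auditFeed query.
"""
from __future__ import annotations

from typing import Callable, Iterator, Optional

# Constructed sample: two feed pages. Page 1 hands back marker "m1"; page 2 is the last.
SAMPLE_PAGES = {
    None: {"marker": "m1", "hasMore": True, "accounts": [{"id": "123", "records": [
        {"admin": {"id": "9", "name": "alice@company.org"}, "apiKey": None,
         "object": {"id": "456", "name": "bob@company.org"}, "time": "2024-03-27T08:22:51Z",
         "flatFields": [["change_type", "CREATED"], ["model_name", "Admin"], ["module", "administration"]]},
        {"admin": None, "apiKey": {"id": "k1", "name": "terraform"},
         "object": {"id": "UzQ3MDcw", "name": "Printers"}, "time": "2024-03-27T08:30:00Z",
         "flatFields": [["change_type", "MODIFIED"], ["model_name", "NetworkRange"], ["module", "configuration"]]},
    ]}]},
    "m1": {"marker": "m2", "hasMore": False, "accounts": [{"id": "123", "records": [
        {"admin": {"id": "9", "name": "alice@company.org"}, "apiKey": None,
         "object": {"id": "7", "name": "carol@company.org"}, "time": "2024-03-27T09:01:12Z",
         "flatFields": [["change_type", "MODIFIED"], ["model_name", "Admin"],
                        ["module", "administration"], ["mfaEnabled", "false"]]},
    ]}]},
}


def sample_fetch(marker: Optional[str]) -> dict:
    """Stand-in for running the auditFeed query with the marker from the previous page."""
    return SAMPLE_PAGES[marker]


def iterate_records(fetch: Callable[[Optional[str]], dict]) -> Iterator[tuple[str, dict]]:
    """Yield (accountId, record) across pages, stopping when hasMore is false.
    A marker that fails to advance is an error rather than an endless loop."""
    marker: Optional[str] = None
    seen: set[str] = set()
    while True:
        page = fetch(marker)
        for account in page.get("accounts") or []:
            for record in account.get("records") or []:
                yield account.get("id"), record
        if not page.get("hasMore"):
            return
        marker = page.get("marker")
        if not marker or marker in seen:
            raise RuntimeError("audit feed marker did not advance")
        seen.add(marker)


PRIVILEGED_MODELS = {"Admin", "ApiKey"}  # assumption: model_name values for identity objects


def classify(record: dict) -> list[str]:
    """Return the reasons this record deserves review (empty list if none)."""
    fields = dict(record.get("flatFields") or [])  # name/value tuples -> dict
    actor = (record.get("admin") or record.get("apiKey") or {}).get("name", "unknown")
    target = (record.get("object") or {}).get("name", "unknown")
    reasons = []
    if fields.get("model_name") in PRIVILEGED_MODELS:
        reasons.append(f"{fields.get('change_type')} {fields.get('model_name')} {target} by {actor}")
    if fields.get("mfaEnabled") == "false":
        reasons.append(f"mfaEnabled set to false on {target} by {actor}")
    if record.get("apiKey") and fields.get("module") == "administration":
        reasons.append(f"administrative change by API key {actor}")
    return reasons


def find_privileged_changes(fetch: Callable[[Optional[str]], dict]) -> list[tuple[str, str, list[str]]]:
    hits = []
    for account_id, record in iterate_records(fetch):
        reasons = classify(record)
        if reasons:
            hits.append((account_id, record.get("time"), reasons))
    return hits


if __name__ == "__main__":
    for account_id, when, reasons in find_privileged_changes(sample_fetch):
        print(account_id, when, "; ".join(reasons))
```

Persist the last `marker` between runs so each execution resumes where the previous one stopped; the duplicate-marker guard matters because a cursor that is replayed forever would otherwise turn a scheduled job into a tight polling loop against the API.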
BGPConnection
Boolean
Description
The Boolean scalar type represents true or false.
Example
true
CatoActivity
Example
{
"id": 4,
"resourceId": 4,
"parentResourceId": "4"
}
CatoEndpoint
Fields
Field Name | Description |
---|---|
id - ID! | ID for the Endpoint Protection story |
firstSignal - DateTime! | Timestamp for the first incident signal related to this story |
lastSignal - DateTime! | Timestamp for the last (most recent) incident signal related to this story |
engineType - StoryEngineTypeEnum | Enum for the XDR engine involved with the incident |
vendor - VendorEnum | Vendor that identified the incident, such as Cato or Microsoft |
producer - StoryProducerEnum! | Enum for the Producer (specific XDR engine or service) involved with the incident |
producerName - String! | Full name of the Producer (specific XDR engine and service) involved with the incident |
connectionType - ConnectionTypeEnum | Enum for the connection for this incident (i.e. host, user) |
indication - String! | An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications. |
queryName - String | |
source - String | IP address, name of device, or SDP user on your network involved in the story |
criticality - Int | Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk) |
ticket - String | The ticket for this story |
status - StoryStatusEnum | Enum for the status of this story (i.e. Open, Closed, Monitoring) |
research - Boolean | TRUE indicates that the story is currently being researched by Security Analysts |
siteName - String | Site name related to the story |
storyDuration - Int | Amount of time since the story was opened (no value for closed stories) |
description - String | Description of the threat |
sourceIp - String | Source IP address of the device in your network sending or receiving the flow |
analystFeedback - AnalystFeedback | Fields related to the analysts' research of the threat incident |
site - SiteRef | Cato ID and name for the site |
user - UserRef | Cato ID and name for the user |
similarStoriesData - [SimilarStoryData!]! | |
predictedVerdict - StoryVerdictEnum | |
predictedThreatType - String | |
device - CatoEndpointDeviceDetails | Details for the EPP device (i.e. device name, OS, MAC address) |
alerts - [CatoEndpointAlert!]! | Details for the threat detected by the EPP |
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "abc123",
"queryName": "xyz789",
"source": "xyz789",
"criticality": 987,
"ticket": "xyz789",
"status": "Open",
"research": true,
"siteName": "abc123",
"storyDuration": 123,
"description": "abc123",
"sourceIp": "abc123",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "xyz789",
"device": CatoEndpointDeviceDetails,
"alerts": [CatoEndpointAlert]
}
CatoEndpointAlert
Fields
Field Name | Description |
---|---|
id - ID! | Unique Cato ID for the Endpoint Protection story |
title - String | Title of the endpoint alert |
description - String | Description of the threat |
threatName - String | Name of threat detected on the device |
mitreTechnique - [Mitre!]! | MITRE ATT&CK® technique for the threat |
mitreSubTechnique - [Mitre!]! | MITRE ATT&CK® sub-technique for the threat |
createdDateTime - DateTime | Timestamp that the threat was detected and the alert generated |
resources - [CatoResource!]! | Data for the remediation status of the alert |
activities - [CatoActivity!]! | Unique Cato IDs for the activities related to the alert |
criticality - Int | Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk) |
engineType - CatoEndpointEngineType | Enum for the EPP engine related to this story |
status - RemediationStatusEnum | Enum for the remediation status of the EPP alert |
endpointProtectionProfile - String | EPP profile that is assigned to this device |
Example
{
"id": "4",
"title": "xyz789",
"description": "xyz789",
"threatName": "xyz789",
"mitreTechnique": [Mitre],
"mitreSubTechnique": [Mitre],
"createdDateTime": "2007-12-03T10:15:30Z",
"resources": [CatoResource],
"activities": [CatoActivity],
"criticality": 987,
"engineType": "Behavioral",
"status": "REMEDIATED",
"endpointProtectionProfile": "abc123"
}
CatoEndpointDeviceDetails
Fields
Field Name | Description |
---|---|
id - ID! | Unique Cato ID for this story |
deviceName - String | Name of the device |
osDetails - OsDetails | OS data (i.e. type, build, version) |
loggedOnUsers - [EndpointUser!]! | Data for one or more users logged in to the device |
macAddress - String | MAC address of the device |
Example
{
"id": "4",
"deviceName": "xyz789",
"osDetails": OsDetails,
"loggedOnUsers": [EndpointUser],
"macAddress": "xyz789"
}
CatoEndpointEngineType
Values
Enum Value | Description |
---|---|
|
|
|
Example
"Behavioral"
CatoEndpointUser
CatoFileResource
Fields
Field Name | Description |
---|---|
id - ID! | Unique Cato ID for this file resource |
createdDateTime - DateTime | Timestamp that this file resource was used |
remediationStatus - RemediationStatusEnum | Enum for the remediation status associated with this file resource |
fileDetails - FileDetails | Details of the file related to this resource |
detectionStatus - DetectionStatusEnum | Enum for the detection status of this file resource |
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"fileDetails": FileDetails,
"detectionStatus": "DETECTED"
}
CatoProcessResource
Fields
Field Name | Description |
---|---|
id - ID!
|
Unique Cato ID for this resource |
createdDateTime - DateTime
|
Timestamp when this resource was used |
remediationStatus - RemediationStatusEnum
|
Enum for the remediation status associated with this resource |
processId - Int!
|
ID for the process |
processCommandLine - String
|
CLI command related to this process |
imageFile - FileDetails
|
Details of the file related to this process |
userAccount - EndpointUser
|
User account related to this process |
Example
{
"id": 4,
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"processId": 123,
"processCommandLine": "abc123",
"imageFile": FileDetails,
"userAccount": EndpointUser
}
CatoResource
Fields
Field Name | Description |
---|---|
id - ID!
|
Unique Cato ID for this EPP resource |
createdDateTime - DateTime
|
Timestamp when this resource was used |
remediationStatus - RemediationStatusEnum
|
Enum for the remediation status associated with this resource |
Possible Types
CatoResource Types |
---|
Example
{
"id": 4,
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED"
}
CellularDisconnectionReason
Values
Enum Value | Description |
---|---|
|
|
|
Example
"REASON_NONE"
CellularInterface
Fields
Field Name | Description |
---|---|
networkType - CellularNetworkType
|
2G, 3G, or 4G |
simSlotId - Int
|
Shows the currently active SIM slot; the other slot is in standby. Slot 1 is active by default. |
modemStatus - CellularModemStatus
|
Represents the current status of the modem. Valid values are Error, OK, or Unknown. |
isModemConnected - Boolean!
|
Indicates if the cellular modem is currently connected to the internet. |
iccid - String
|
Unique identifier (20-digit number) for the modem. |
imei - String
|
Unique identifier (15-digit number) for a specific SIM. |
operatorName - String
|
Displays the operator or carrier name, such as Verizon. |
isModemSuspended - Boolean!
|
Indicates if the modem is currently suspended. |
apn - String
|
Represents the Access Point Name (e.g., uwap.orange.co.il). Configurable from Socket WebUI or SIM switch. |
apnSelectionMethod - ApnMethod
|
Determines how the APN is selected. Valid values are Auto or Manual (configurable in WebUI). |
signalStrength - String
|
Represents the signal strength of the cellular connection, in units of calculation. |
isRoamingAllowed - Boolean!
|
Indicates whether roaming is enabled. |
simNumber - String
|
The phone number associated with the SIM. |
disconnectionReason - CellularDisconnectionReason
|
Displays the reason for the modem disconnecting. Valid values are 0 (No reason provided) or 1 (The session timed out). |
isSimSlot1Detected - Boolean!
|
Indicates whether a SIM is detected in the first slot. |
isSimSlot2Detected - Boolean!
|
Indicates whether a SIM is detected in the second slot. |
Example
{
"networkType": "TYPE_UNKNOWN",
"simSlotId": 123,
"modemStatus": "STATUS_UNKNOWN",
"isModemConnected": true,
"iccid": "abc123",
"imei": "xyz789",
"operatorName": "abc123",
"isModemSuspended": false,
"apn": "abc123",
"apnSelectionMethod": "METHOD_UNKNOWN",
"signalStrength": "abc123",
"isRoamingAllowed": false,
"simNumber": "xyz789",
"disconnectionReason": "REASON_NONE",
"isSimSlot1Detected": false,
"isSimSlot2Detected": false
}
CellularModemStatus
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"STATUS_UNKNOWN"
CellularNetworkType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"TYPE_UNKNOWN"
ConnectionTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"Site"
ConnectivityStatus
Values
Enum Value | Description |
---|---|
|
Connected to the Cato Cloud |
|
Disconnected from the Cato Cloud |
Example
"connected"
DateTime
Description
2006-01-02T15:04:05Z07:00 (RFC3339)
Example
"2007-12-03T10:15:30Z"
DateValue
Fields
Field Name | Description |
---|---|
date - DateTime
|
Example
{"date": "2007-12-03T10:15:30Z"}
DetectionSourceEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"MICROSOFT_DEFENDER_FOR_ENDPOINT"
DetectionStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"DETECTED"
DeviceAvStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"NOT_REPORTING"
DeviceConfigHaRoleEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"PRIMARY"
DeviceDetails
Fields
Field Name | Description |
---|---|
id - ID!
|
|
deviceName - String
|
|
osDetails - OsDetails
|
|
loggedOnUsers - [EndpointUser!]!
|
Possible Types
DeviceDetails Types |
---|
Example
{
"id": 4,
"deviceName": "abc123",
"osDetails": OsDetails,
"loggedOnUsers": [EndpointUser]
}
DeviceHaRoleStateEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"MASTER"
DeviceHealthStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
Example
"ACTIVE"
DeviceSnapshot
Fields
Field Name | Description |
---|---|
id - ID
|
Unique internal Cato ID for the Socket |
name - String
|
Name of the device |
identifier - String
|
Unique identifier for the device |
connected - Boolean
|
A boolean value that indicates if the site is connected to the Cato Cloud |
haRole - String
|
Shows if this is the primary or secondary Socket in high availability mode |
interfaces - [InterfaceSnapshot!]
|
Snapshot data for outbound facing interfaces |
lastConnected - DateTime
|
The last time the device was seen |
lastDuration - Int
|
The uptime of the last (or current) tunnel from this device, in seconds |
connectedSince - DateTime
|
For connected devices, the time the current connection was established (this overlaps somewhat with lastDuration) |
lastPopID - Int
|
The ID of the PoP that the Socket is connected to |
lastPopName - String
|
The PoP name that the Socket is connected to |
recentConnections - [RecentConnection!]
|
Data related to the most recent completed traffic flows |
type - String
|
Shows the Socket model or vSocket type |
socketInfo - SocketInfo
|
Shows data related to the Socket, such as version and serial number |
interfacesLinkState - [InterfaceLinkState!]
|
Information about the link state of the interfaces on the device. Unlike the interfaces field, it contains all links of the device, not just the outbound facing ones |
osType - String
|
Operating system of the device. |
osVersion - String
|
Version of the Socket operating system |
version - String
|
Device version |
versionNumber - Int
|
Device major version |
releaseGroup - String
|
Shows the release group for the site |
mfaExpirationTime - Int
|
Shows the amount of time remaining before the MFA token expires |
mfaCreationTime - Int
|
The time the MFA cookie (for SDP users) was created |
internalIP - String
|
Device's internal IP in the account's routing table |
Example
{
"id": "4",
"name": "xyz789",
"identifier": "xyz789",
"connected": false,
"haRole": "abc123",
"interfaces": [InterfaceSnapshot],
"lastConnected": "2007-12-03T10:15:30Z",
"lastDuration": 123,
"connectedSince": "2007-12-03T10:15:30Z",
"lastPopID": 123,
"lastPopName": "xyz789",
"recentConnections": [RecentConnection],
"type": "abc123",
"socketInfo": SocketInfo,
"interfacesLinkState": [InterfaceLinkState],
"osType": "xyz789",
"osVersion": "xyz789",
"version": "abc123",
"versionNumber": 123,
"releaseGroup": "abc123",
"mfaExpirationTime": 123,
"mfaCreationTime": 123,
"internalIP": "abc123"
}
DhcpType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"DHCP_RELAY"
Dimension
Fields
Input Field | Description |
---|---|
fieldName - AppStatsFieldName!
|
Example
{"fieldName": "app"}
DimensionData
DimensionKey
DirectionEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"asc"
DirectionInput
Values
Enum Value | Description |
---|---|
|
|
|
Example
"asc"
ElasticOperator
Description
Search operators on ElasticSearch. The between operators apply only to numeric fields. Note that the not operators are slower.
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"is"
Endpoint
Fields
Field Name | Description |
---|---|
id - ID!
|
Unique Cato ID for the story |
firstSignal - DateTime!
|
Timestamp for the first incident signal related to this story |
lastSignal - DateTime!
|
Timestamp for the last (most recent) incident signal related to this story |
engineType - StoryEngineTypeEnum
|
XDR engine involved with the incident |
vendor - VendorEnum
|
Vendor that identified the incident, such as Cato or Microsoft |
producer - StoryProducerEnum!
|
Enum for the Producer (specific XDR engine and service) involved with the incident |
producerName - String!
|
Full name of the Producer (specific XDR engine and service) involved with the incident |
connectionType - ConnectionTypeEnum
|
Enum for the connection for this incident (i.e. site, host, user) |
indication - String!
|
An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications. |
queryName - String
|
Category for the indication ID related to the story |
source - String
|
IP address, name of device, or SDP user on your network involved in the story |
criticality - Int
|
|
ticket - String
|
|
status - StoryStatusEnum
|
|
research - Boolean
|
|
siteName - String
|
|
storyDuration - Int
|
|
description - String
|
|
sourceIp - String
|
|
analystFeedback - AnalystFeedback
|
|
site - SiteRef
|
|
user - UserRef
|
|
similarStoriesData - [SimilarStoryData!]!
|
|
predictedVerdict - StoryVerdictEnum
|
|
predictedThreatType - String
|
|
device - DeviceDetails
|
|
alerts - [EndpointAlert!]!
|
Possible Types
Endpoint Types |
---|
Example
{
"id": "4",
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "xyz789",
"queryName": "abc123",
"source": "xyz789",
"criticality": 123,
"ticket": "abc123",
"status": "Open",
"research": false,
"siteName": "abc123",
"storyDuration": 987,
"description": "abc123",
"sourceIp": "xyz789",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "abc123",
"device": DeviceDetails,
"alerts": [EndpointAlert]
}
EndpointAlert
Fields
Field Name | Description |
---|---|
id - ID!
|
|
title - String
|
|
description - String
|
|
threatName - String
|
|
mitreTechnique - [Mitre!]!
|
|
mitreSubTechnique - [Mitre!]!
|
|
createdDateTime - DateTime
|
|
resources - [EndpointResource!]!
|
|
activities - [Activity!]!
|
|
criticality - Int
|
Possible Types
EndpointAlert Types |
---|
Example
{
"id": "4",
"title": "xyz789",
"description": "xyz789",
"threatName": "abc123",
"mitreTechnique": [Mitre],
"mitreSubTechnique": [Mitre],
"createdDateTime": "2007-12-03T10:15:30Z",
"resources": [EndpointResource],
"activities": [Activity],
"criticality": 123
}
EndpointResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
Possible Types
EndpointResource Types |
---|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED"
}
EndpointUser
Possible Types
EndpointUser Types |
---|
Example
{"id": 4, "name": "xyz789"}
EngineTypePredicate
Fields
Input Field | Description |
---|---|
in - [StoryEngineTypeEnum!]
|
|
not_in - [StoryEngineTypeEnum!]
|
Example
{"in": ["ANOMALY"], "not_in": ["ANOMALY"]}
Entity
Fields
Field Name | Description |
---|---|
id - ID!
|
|
name - String
|
|
type - EntityType!
|
Example
{
"id": "4",
"name": "abc123",
"type": "country"
}
EntityInfo
EntityInput
Fields
Input Field | Description |
---|---|
id - ID!
|
|
name - String
|
|
type - EntityType!
|
Example
{
"id": 4,
"name": "abc123",
"type": "country"
}
EntityLookupResult
Fields
Field Name | Description |
---|---|
items - [EntityInfo!]!
|
|
total - Int
|
Example
{"items": [EntityInfo], "total": 987}
EntityType
Values
Enum Value | Description |
---|---|
|
Geographical and political entity recognized internationally |
|
Represents a state or territory within a country. It is a sub-division of the country |
|
Time zone, which is a geographical region where clocks are set to the same time |
|
A reference to a configured Site within Account |
|
A reference to the configured Host within Site |
|
Any entity (matches everything) |
|
A reference to a configured Account under reseller |
|
A reference to the configured Network Interface within Site |
|
A reference to the configured VPN User within Account |
|
An account administrator (user in Cato Console) |
|
A reference to Local Routing Rule within Site |
|
A reference to LAN Firewall Rule within Site |
|
An external IP address in a specific PoP reserved for the account |
|
Union of a globalRange and a Subnet |
|
L4 services for LAN firewall rules |
|
Site licenses available for use |
|
Pooled licenses available for use |
|
A reference to DHCP Relay Group within account |
|
Combination of protocol (TCP, UDP, TCP/UDP, ICMP) and port number |
|
|
|
|
|
Example
"country"
Event
EventFeedFieldFilterInput
Fields
Input Field | Description |
---|---|
fieldName - EventFeedFilterFieldName!
|
|
operator - EventFeedFilterOperator!
|
Use event_type and event_sub_type for events |
values - [String!]
|
Example
{
"fieldName": "event_sub_type",
"operator": "is",
"values": ["xyz789"]
}
EventFeedFilterFieldName
Values
Enum Value | Description |
---|---|
|
Sub-type for Routing, Security, Connectivity, System or Sockets Management event |
|
Routing, Security, Connectivity, System or Sockets Management event |
Example
"event_sub_type"
EventFeedFilterOperator
Description
Search operators on Event Feed
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"is"
EventField
Fields
Field Name | Description |
---|---|
name - EventFieldName!
|
|
value - Value!
|
Example
{"name": "src_site", "value": StringValue}
EventFieldName
Values
Enum Value | Description |
---|---|
|
Site or VPN user initiating the transaction |
|
|
|
Target Site or VPN user |
|
Source or destination site or VPN user ID. This field can only be used in filter. |
|
Rule ID in security events |
|
Remote ISP name |
|
Name for Socket interface |
|
|
|
LDAP event, host name |
|
Internet traffic, destination server port |
|
BGP ASN for remote peer |
|
The reference number of a miscategorization event |
|
Internal port number |
|
Data that measures the packet loss for a specific link |
|
Name of PoP for event |
|
|
|
Cato's description of the event |
|
Source site or VPN user |
|
SSL SNI, HTTP host name, DNS name |
|
Internet traffic, destination server IP |
|
Malware event, file hash |
|
ISP IP for site or VPN client |
|
Examples: MFA or password |
|
Firewall rule name |
|
LDAP event, sync with DC results |
|
|
|
Type of malware event |
|
Result of malware event |
|
PC or device name |
|
Link type – Cato, Alt. WAN or LAG |
|
User portal or VPN client (VPN or site traffic) |
|
Host name (hosts with static IP) |
|
|
|
LDAP event, sync with DC |
|
User email |
|
Type of process generating this traffic |
|
Incident aggregation |
|
Hardware or software Socket reset |
|
User name |
|
Socket or VPN client version |
|
Malware event, file size |
|
|
|
BGP disconnect error message |
|
Description for BGP neighbor |
|
Name of malware event |
|
Time QoS event started |
|
Network protocol for this event |
|
BGP ASN for Cato peer |
|
IP for host or VPN client |
|
Link to external malware reference |
|
Firewall, QoS or LAG action |
|
|
|
Malware event, risk level |
|
Socket upgrade, old version number |
|
Data that measures the latency for a specific link |
|
Protocol for the tunnel |
|
Socket upgrade, new version number |
|
Data that measures the jitter for a specific link |
|
Upgrade started at |
|
BGP IP for Cato peer |
|
Cato Networks Category |
|
|
|
|
|
Amount of targets (servers) for a given incident |
|
Upgrade initiated by |
|
Site or VPN user |
|
BGP IP for remote peer |
|
Traffic is site or VPN client |
|
Active Directory name |
|
User Awareness Query Method |
|
Data that measures the congestion for a specific link |
|
Name for subnet |
|
Version for host OS or tunnel device |
|
Sub-type for Routing, Security, Connectivity, System or Sockets Management event |
|
Host OS or tunnel device |
|
Inbound or outbound |
|
BGP disconnect error message |
|
CIDR for BGP route |
|
Incident identifier |
|
App used in Internet Firewall |
|
Upgrade ended at |
|
Socket interface ID |
|
Custom category for the account |
|
Country based on public IP |
|
Country code based on public IP |
|
Count for events often repeated |
|
Malware event, file name |
|
LDAP event, IP for DC |
|
Time of event |
|
URL for Internet traffic |
|
Internet traffic, destination server location |
|
Internet traffic, destination server location code |
|
Amount of flows for a given incident |
|
Name of site or VPN user |
|
Routing, Security, Connectivity, System or Sockets Management event |
|
Account ID |
|
Signature ID |
|
Client certificate expiration date |
|
Name of client Certificate |
|
Is sanctioned app matched |
|
Name of application class |
|
Name of application activity |
|
Device posture profiles |
|
Full path URL application activity |
|
Application risk score |
|
MITRE ATT&CK techniques |
|
MITRE ATT&CK sub-techniques |
|
MITRE ATT&CK tactics |
|
Indicator |
|
Connector Type |
|
Connector Name |
|
|
|
|
|
|
|
|
|
|
|
Owner |
|
Collaborators |
|
Email Subject |
|
Sharing Scope |
|
DNS Protection Category |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
use src_pid instead |
|
use src_process_parent_pid instead |
|
use src_process_path instead |
|
|
|
|
|
|
|
|
|
|
|
DNS Query |
|
|
|
|
|
|
|
Related Apps |
|
TLS Certificate Error |
|
TLS Version |
|
TLS Error Type |
|
TLS Error Description |
|
Cato App |
|
Prompt Page Selected Action |
|
Unique Cato ID for devices |
|
Unique Cato Visible ID for devices |
|
Connectivity authentication method: unauthenticated, OATH2, LDAP or VPN |
|
Always-On Bypass Method |
|
Always-On Bypass Duration In Seconds |
|
Always-On Bypass Reason |
|
Sign In Types |
|
Tenant Id |
|
Tenant Name |
|
User Agent |
|
Vendor Event Id |
|
Vendor Device Id |
|
Vendor Device Name |
|
Is Compliant |
|
Is Managed |
|
Trust Type |
|
Trust Level |
|
Data Classifiers |
|
Network Access |
|
Analyst Verdict |
|
Criticality |
|
Indication |
|
Producer |
|
Story Id |
|
Raw Data |
Example
"src_site"
EventRecord
Example
{
"time": "2007-12-03T10:15:30Z",
"fieldsMap": Map,
"flatFields": ["xyz789"]
}
Events
EventsDimension
Fields
Input Field | Description |
---|---|
fieldName - EventFieldName!
|
Example
{"fieldName": "src_site"}
EventsFeedAccountRecords
Fields
Field Name | Description |
---|---|
id - ID
|
|
errorString - String
|
|
records - [EventRecord!]
|
|
Arguments
|
Example
{
"id": "4",
"errorString": "xyz789",
"records": [EventRecord]
}
EventsFeedData
Fields
Field Name | Description |
---|---|
marker - String
|
|
fetchedCount - Int!
|
|
accounts - [EventsFeedAccountRecords]
|
Example
{
"marker": "xyz789",
"fetchedCount": 987,
"accounts": [EventsFeedAccountRecords]
}
EventsFilter
Fields
Input Field | Description |
---|---|
fieldName - EventFieldName!
|
|
operator - FilterOperator!
|
|
values - [String!]!
|
Example
{
"fieldName": "src_site",
"operator": "is",
"values": ["abc123"]
}
EventsMeasure
Fields
Input Field | Description |
---|---|
fieldName - EventFieldName!
|
|
aggType - AggregationType!
|
|
trend - Boolean
|
Example
{"fieldName": "src_site", "aggType": "sum", "trend": true}
EventsRecord
Fields
Field Name | Description |
---|---|
fields - [EventField!]
|
|
fieldsUnitTypes - [UnitType!]
|
|
fieldsMap - Map
|
fields in map format (see Map scalar) |
trends - Map
|
|
prevTimeFrame - Map
|
|
flatFields - [String!]
|
Simplified fields, as an array of name-value tuples, e.g. [ [ "name", "val" ], [ "name2", "val2" ] ... ] |
Example
{
"fields": [EventField],
"fieldsUnitTypes": ["bytes"],
"fieldsMap": Map,
"trends": Map,
"prevTimeFrame": Map,
"flatFields": ["abc123"]
}
EventsSort
Fields
Input Field | Description |
---|---|
fieldName - EventFieldName!
|
|
order - DirectionEnum!
|
Example
{"fieldName": "src_site", "order": "asc"}
EventsTimeSeries
Extra
FieldNameInput
Description
FieldName for the different types of FieldName inputs. Use EventFieldName for events, and AuditFieldName for audit.
Fields
Input Field | Description |
---|---|
EventFieldName - EventFieldName
|
|
AuditFieldName - AuditFieldName
|
Example
{"EventFieldName": "src_site", "AuditFieldName": "admin"}
FileDetails
Example
{
"name": "abc123",
"path": "xyz789",
"size": 987,
"sha1": "abc123",
"sha256": "abc123",
"md5": "abc123",
"issuer": "abc123",
"signer": "abc123",
"publisher": "xyz789"
}
FileResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
fileDetails - FileDetails
|
|
detectionStatus - DetectionStatusEnum
|
Possible Types
FileResource Types |
---|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"fileDetails": FileDetails,
"detectionStatus": "DETECTED"
}
FilterOperator
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"is"
Float
Description
The Float scalar type represents signed double-precision fractional values as specified by IEEE 754.
Example
123.45
Gaussian
GetAdminPayload
Fields
Field Name | Description |
---|---|
id - ID!
|
|
firstName - String!
|
|
lastName - String!
|
|
email - String!
|
|
creationDate - String!
|
|
passwordNeverExpires - Boolean!
|
|
mfaEnabled - Boolean!
|
|
managedRoles - [AdminRole!]
|
|
resellerRoles - [AdminRole!]
|
Example
{
"id": "4",
"firstName": "xyz789",
"lastName": "xyz789",
"email": "xyz789",
"creationDate": "abc123",
"passwordNeverExpires": true,
"mfaEnabled": false,
"managedRoles": [AdminRole],
"resellerRoles": [AdminRole]
}
HaReadiness
Values
Enum Value | Description |
---|---|
|
|
|
Example
"ready"
HaStatus
Description
Basic site HA readiness information
Fields
Field Name | Description |
---|---|
readiness - HaReadiness
|
|
wanConnectivity - HaSubStatus
|
|
keepalive - HaSubStatus
|
|
socketVersion - HaSubStatus
|
Example
{
"readiness": "ready",
"wanConnectivity": "ok",
"keepalive": "ok",
"socketVersion": "ok"
}
HaSubStatus
Values
Enum Value | Description |
---|---|
|
|
|
Example
"ok"
ID
Description
The ID scalar type represents a unique identifier, often used to refetch an object or as a key for a cache. The ID type appears in a JSON response as a String; however, it is not intended to be human-readable. When expected as an input type, any string (such as "4") or integer (such as 4) input value will be accepted as an ID.
Example
"4"
IPAddress
Example
IPAddress
IPInfo
Description
A general structure to contain IP detailed information
Fields
Field Name | Description |
---|---|
ip - String
|
IP address of the link |
countryCode - String
|
Geolocation ISO country code |
countryName - String
|
Geolocation country name |
city - String
|
Geolocation city |
state - String
|
Geolocation state |
provider - String
|
ISP Internet provider |
latitude - Float
|
Geolocation latitude for the ISP |
longitude - Float
|
Geolocation longitude for the ISP |
Example
{
"ip": "abc123",
"countryCode": "abc123",
"countryName": "xyz789",
"city": "xyz789",
"state": "abc123",
"provider": "xyz789",
"latitude": 987.65,
"longitude": 123.45
}
IPRange
Description
A from-to range (used for DHCP range, for example)
Example
IPRange
IPSecInfo
Description
Basic IPSec configuration information
Fields
Field Name | Description |
---|---|
isPrimary - Boolean
|
For HA configurations, when this boolean value is true, this is the primary IPsec firewall or routing device |
catoIP - String
|
The source IP address for the IPsec tunnel in the Cato Cloud |
remoteIP - String
|
The destination IP address for the IPsec tunnel (in the site) |
ikeVersion - Int
|
Shows 1 for IKEv1 and 2 for IKEv2 |
Example
{
"isPrimary": true,
"catoIP": "abc123",
"remoteIP": "xyz789",
"ikeVersion": 987
}
IPSubnet
Example
IPSubnet
IncidentFlow
Fields
Field Name | Description |
---|---|
appName - String
|
|
clientClass - String
|
|
sourceIp - String
|
|
sourcePort - Int
|
|
destinationCountry - String
|
|
destinationIp - String
|
|
destinationPort - Int
|
|
direction - String
|
|
createdAt - DateTime
|
|
referer - String
|
|
userAgent - String
|
|
method - String
|
|
url - String
|
|
target - String
|
|
domain - String
|
|
sourceGeolocation - String
|
|
destinationGeolocation - String
|
|
tunnelGeolocation - String
|
|
httpResponseCode - Int
|
|
dnsResponseIP - String
|
|
smbFileName - String
|
|
user - String
|
|
fileHash - String
|
|
ja3 - String
|
Example
{
"appName": "abc123",
"clientClass": "abc123",
"sourceIp": "xyz789",
"sourcePort": 123,
"destinationCountry": "abc123",
"destinationIp": "abc123",
"destinationPort": 123,
"direction": "xyz789",
"createdAt": "2007-12-03T10:15:30Z",
"referer": "abc123",
"userAgent": "xyz789",
"method": "xyz789",
"url": "xyz789",
"target": "abc123",
"domain": "xyz789",
"sourceGeolocation": "abc123",
"destinationGeolocation": "abc123",
"tunnelGeolocation": "xyz789",
"httpResponseCode": 123,
"dnsResponseIP": "xyz789",
"smbFileName": "abc123",
"user": "xyz789",
"fileHash": "xyz789",
"ja3": "abc123"
}
IncidentTargetRep
Fields
Field Name | Description |
---|---|
type - TargetType
|
|
name - String
|
|
analysisScore - Float
|
|
infectionSource - Boolean
|
|
threatReference - String
|
|
catoPopularity - Int
|
|
threatFeeds - Int
|
|
creationTime - DateTime
|
|
categories - String
|
|
countryOfRegistration - String
|
|
searchHits - String
|
|
engines - Int
|
|
eventData - [Event!]!
|
Example
{
"type": "ip",
"name": "xyz789",
"analysisScore": 987.65,
"infectionSource": true,
"threatReference": "abc123",
"catoPopularity": 123,
"threatFeeds": 987,
"creationTime": "2007-12-03T10:15:30Z",
"categories": "xyz789",
"countryOfRegistration": "xyz789",
"searchHits": "xyz789",
"engines": 987,
"eventData": [Event]
}
IncidentTimeseries
Fields
Field Name | Description |
---|---|
data - [Float!]
|
Data is an array of tuples, each containing two values: [timestamp, metric], where the timestamp is in milliseconds from the epoch (1.1.1970), and the metric is a number (according to the unit type) |
Arguments
|
|
label - String!
|
Indicates the type of the timeseries |
sum - Float
|
|
units - UnitType
|
Identifies what unit of data this timeseries represents. Note that toRate is only available for data types where a rate makes sense. |
info - [String!]
|
Specific information about the timeseries, used to build its name, title, etc. |
key - TimeseriesKey
|
Example
{
"data": [123.45],
"label": "xyz789",
"sum": 987.65,
"units": "bytes",
"info": ["abc123"],
"key": TimeseriesKey
}
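The two tuple-shaped fields documented above, EventsRecord.flatFields (an array of name-value tuples) and IncidentTimeseries.data ([timestamp, metric] tuples, timestamp in milliseconds since the epoch), are easy to mis-parse when building detections or dashboards on top of this API. The Python below, an added example that is not part of this reference or of Cato's own code, converts both into plain Python structures and rejects malformed input instead of silently dropping it. The sample inputs are constructed; accepting a flat alternating list as well as nested pairs for the timeseries is an assumption, made because the schema types data as [Float!] while the description speaks of tuples.

```python
from datetime import datetime, timezone

# Constructed sample in the shape the page documents for EventsRecord.flatFields:
# an array of [name, value] tuples (values are illustrative, not captured data).
SAMPLE_FLAT_FIELDS = [
    ["event_type", "Security"],
    ["event_sub_type", "Anti Malware"],
    ["src_site", "branch-office-1"],
    ["time", "2007-12-03T10:15:30Z"],
]

# Constructed sample in the shape the page documents for IncidentTimeseries.data:
# [timestamp_ms_since_epoch, metric] tuples. 1196676930000 ms is
# 2007-12-03T10:15:30Z; the second point is one minute later.
SAMPLE_TIMESERIES = [[1196676930000, 12.5], [1196676990000, 15.0]]


def flat_fields_to_dict(flat_fields):
    """Convert EventsRecord.flatFields ([[name, value], ...]) into a dict.

    A tuple that is not exactly [name, value] raises ValueError, so a changed
    response shape is noticed rather than producing partial event data.
    A repeated field name keeps the last value seen.
    """
    result = {}
    for item in flat_fields:
        if len(item) != 2:
            raise ValueError(f"expected [name, value] tuple, got {item!r}")
        name, value = item
        result[name] = value
    return result


def timeseries_points(data):
    """Convert IncidentTimeseries.data into (UTC datetime, float metric) pairs.

    Assumption: the field is either a nested list of [timestamp_ms, metric]
    pairs or a flat list alternating timestamp_ms, metric. An odd-length flat
    list cannot be paired and raises ValueError.
    """
    if data and isinstance(data[0], (list, tuple)):
        pairs = [tuple(p) for p in data]
    else:
        if len(data) % 2:
            raise ValueError("flat timeseries data must have an even length")
        pairs = list(zip(data[0::2], data[1::2]))
    points = []
    for ts_ms, metric in pairs:
        when = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        points.append((when, float(metric)))
    return points


def count_by_field(records, field_name):
    """Count EventsRecord-like dicts (each carrying 'flatFields') by one field.

    Records missing the field are counted under None so gaps stay visible.
    """
    counts = {}
    for record in records:
        fields = flat_fields_to_dict(record.get("flatFields", []))
        key = fields.get(field_name)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(flat_fields_to_dict(SAMPLE_FLAT_FIELDS))
    for when, metric in timeseries_points(SAMPLE_TIMESERIES):
        print(when.isoformat(), metric)
    print(count_by_field([{"flatFields": SAMPLE_FLAT_FIELDS}, {}], "event_type"))
```

The timestamps are converted with an explicit UTC timezone; using the naive `datetime.fromtimestamp` default would silently shift every point by the local offset of the machine running the query, which is a common source of misaligned incident timelines.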
Int
Description
The Int scalar type represents non-fractional signed whole numeric values. Int can represent values between -(2^31) and 2^31 - 1.
Example
123
IntPredicate
InterfaceInfo
Description
Basic Socket Interface configuration information
Fields
Field Name | Description |
---|---|
id - ID!
|
ID for the Socket port in the Socket WebUI Monitor tab |
name - String
|
Name for the port in the Cato Management Application |
upstreamBandwidth - Int
|
Maximum allowed bandwidth on this port, for traffic from the site to the Cato Cloud |
downstreamBandwidth - Int
|
Maximum allowed bandwidth for traffic on this port, from the Cato Cloud to the site |
destType - String
|
The destination type configured to the Socket interface |
Example
{
"id": "4",
"name": "abc123",
"upstreamBandwidth": 123,
"downstreamBandwidth": 987,
"destType": "xyz789"
}
InterfaceLinkState
Fields
Field Name | Description |
---|---|
id - ID
|
The ID for the specific Socket port, for example LAN1 or LAN2 |
up - Boolean
|
When this boolean value is true, then the link for the port is up |
mediaIn - Boolean
|
When this boolean value is true, then a cable is connected to the Socket port |
linkSpeed - String
|
Shows the maximum bandwidth configured for the link |
duplex - String
|
Shows the duplex mode for the link |
Example
{
"id": 4,
"up": true,
"mediaIn": false,
"linkSpeed": "xyz789",
"duplex": "abc123"
}
InterfaceMetrics
Fields
Field Name | Description |
---|---|
metrics - Metrics
|
Traffic data for the link |
Arguments
|
|
name - String
|
Link name in the Cato Management Application |
timeseries - [Timeseries!]
|
For site metrics, the timeseries info field includes siteID and interfaceName; for last-mile metrics it also includes the destination of the last-mile check |
Arguments
|
|
annotations - [TimeAnnotation!]
|
Time stamp annotation that shows a time increment for a GUI |
Arguments
|
|
periods - [TimePeriod!]
|
Object that represents a specific time duration |
remoteIPInfo - IPInfo
|
Data related to the link IP address, such as country code |
remoteIP - String
|
IP address of the PoP that the link is connected to |
socketInfo - SocketInfo
|
Data related to Socket and vSocket sites, such as serial number and Socket version. Applicable only for sites |
ipsecInfo - IPSecInfo
|
Data related to IPsec sites, such as IKE version. Applicable only for sites |
interfaceInfo - InterfaceInfo
|
Basic configuration information about the Socket interface. Applicable only for sites |
Example
{
"metrics": Metrics,
"name": "abc123",
"timeseries": [Timeseries],
"annotations": [TimeAnnotation],
"periods": [TimePeriod],
"remoteIPInfo": IPInfo,
"remoteIP": "xyz789",
"socketInfo": SocketInfo,
"ipsecInfo": IPSecInfo,
"interfaceInfo": InterfaceInfo
}
InterfaceSnapshot
Fields
Field Name | Description |
---|---|
connected - Boolean
|
Shows if the WAN link is connected to the PoP |
id - ID
|
Interface ID for the WAN link |
name - String
|
WAN link name in the Cato Management Application |
physicalPort - Int
|
Physical WAN port on the Socket |
naturalOrder - Int
|
Natural order of the interface for the WAN link |
popName - String
|
The name of the PoP that the WAN link is connected to |
previousPopID - Int
|
The ID of the PoP that the WAN link was connected to before the current one |
previousPopName - String
|
The name of the PoP that the WAN link was connected to before the current one |
tunnelConnectionReason - String
|
Reason that the tunnel required a new connection (for example, PoP or Socket restarted) |
tunnelUptime - Int
|
Number of seconds that the tunnel is connected to a PoP |
tunnelRemoteIP - String
|
IP address of the WAN ISP |
tunnelRemoteIPInfo - IPInfo
|
IP address, ISP, and geographical information related to the WAN ISP |
type - String
|
No longer supported |
info - InterfaceInfo
|
Data about the WAN link that is configured in the Socket Configuration window for the site |
cellularInterfaceInfo - CellularInterface
|
Information about cellular (LTE) interface |
Example
{
"connected": true,
"id": 4,
"name": "xyz789",
"physicalPort": 987,
"naturalOrder": 987,
"popName": "xyz789",
"previousPopID": 123,
"previousPopName": "xyz789",
"tunnelConnectionReason": "abc123",
"tunnelUptime": 123,
"tunnelRemoteIP": "abc123",
"tunnelRemoteIPInfo": IPInfo,
"type": "xyz789",
"info": InterfaceInfo,
"cellularInterfaceInfo": CellularInterface
}
LinkConfigPrecedenceEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"ACTIVE"
LinkQualityIssue
Fields
Field Name | Description |
---|---|
issueType - LinkQualityIssueTypeEnum
|
|
direction - TrafficDirectionEnum
|
|
current - Int
|
|
threshold - Int
|
Example
{
"issueType": "PACKET_LOSS",
"direction": "UPSTREAM",
"current": 987,
"threshold": 123
}
LinkQualityIssueTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"PACKET_LOSS"
LinkStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"ACTIVE"
LookupFilterInput
Fields
Input Field | Description |
---|---|
filter - LookupFilterType
|
|
value - String
|
Example
{
"filter": "filterByConnectionTypeFamily",
"value": "xyz789"
}
LookupFilterType
Values
Enum Value | Description |
---|---|
|
Custom filter to be used with Site entityLookup, to get only sites with one connection type family. Possible values: "SOCKET", "IPSEC", "vSOCKET", "PHYSICAL_SOCKET" |
|
Custom filter to be used with Site entityLookup, to get only sites with one connection type. Possible values (more values can be supported): "SOCKET_X1500", "SOCKET_X1600", "SOCKET_X1700", "VSOCKET_VGX_ESX", "VSOCKET_VGX_AWS", "VSOCKET_VGX_AZURE", "SOCKET_X1600_LTE" |
|
Custom filter to be used with Site entityLookup, to get only sites with Alt WAN, possible values: "true", "false", |
|
Custom filter to be used with Site entityLookup, to get only sites that are configured as backhauling gateways, possible values: "true", "false", |
|
Custom filter to be used with Site entityLookup, to get only sites that are configured as OffCloudTransportEnabled, possible values: "true", "false", |
Example
"filterByConnectionTypeFamily"
Map
Description
An object of key-value pairs, for example { "key1": "value1", "key2": "value2" }
Example
Map
Measure
Fields
Input Field | Description |
---|---|
fieldName - AppStatsFieldName!
|
|
aggType - AggregationType!
|
|
trend - Boolean
|
Example
{"fieldName": "app", "aggType": "sum", "trend": false}
MergedIncident
Fields
Field Name | Description |
---|---|
id - ID!
|
Unique Cato ID for each story |
firstSignal - DateTime!
|
Timestamp for the first incident signal related to this story |
lastSignal - DateTime!
|
Timestamp for the last (most recent) incident signal related to this story |
engineType - StoryEngineTypeEnum
|
XDR engine involved with the incident |
vendor - VendorEnum
|
Vendor that identified the incident, such as Cato or Microsoft |
producer - StoryProducerEnum!
|
Enum for the Producer (specific XDR engine and service) involved with the incident |
producerName - String!
|
Full name of the Producer (specific XDR engine and service) involved with the incident |
connectionType - ConnectionTypeEnum
|
Enum for the connection for this incident (i.e. site, host, user) |
indication - String!
|
An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications. |
queryName - String
|
Category for the indication ID related to the story |
criticality - Int
|
For Network stories - The potential impact of the issue on your network. Values are from 1 (low impact) to 10 (high impact). For Security stories - Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk) |
source - String
|
For Network stories - The site where the network issue is occurring. For Security stories - IP address, name of device, or SDP user on your network involved in the story |
ticket - String
|
The ticket an analyst created for this story |
status - StoryStatusEnum
|
Enum for the status of this story (i.e. Open, Closed, Monitoring) |
research - Boolean
|
The value is TRUE when the story is currently being researched by Security Analysts |
siteName - String
|
Site name related to the story |
storyDuration - Int
|
Amount of time since the story was opened (no value for closed stories) |
description - String
|
For Security stories, description of the threat |
sourceIp - String
|
The source IP address of the device in your network sending or receiving the flow |
analystFeedback - AnalystFeedback
|
Fields related to analysts research of the threat incident |
site - SiteRef
|
Cato ID and name for the site |
user - UserRef
|
Cato ID and name for the user |
predictedVerdict - StoryVerdictEnum
|
|
predictedThreatType - String
|
Possible Types
MergedIncident Types |
---|
Example
{
"id": "4",
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "abc123",
"queryName": "abc123",
"criticality": 987,
"source": "abc123",
"ticket": "abc123",
"status": "Open",
"research": true,
"siteName": "abc123",
"storyDuration": 987,
"description": "xyz789",
"sourceIp": "xyz789",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"predictedVerdict": "Suspicious",
"predictedThreatType": "abc123"
}
Metric
MetricDetails
Metrics
Fields
Field Name | Description |
---|---|
duration - Int
|
total amount of time for the site data |
granularity - Int
|
duration in seconds for a single metrics bucket |
bytesDownstream - Float
|
total downstream traffic (from the Cato Cloud to the site) |
bytesUpstream - Float
|
total upstream traffic (from the site to the Cato Cloud) |
bytesTotal - Float
|
total traffic for the site |
lostDownstream - Float
|
number of packets lost for downstream traffic |
lostDownstreamPcnt - Float
|
percent of packet loss for downstream traffic |
lostUpstream - Float
|
number of packets lost for upstream traffic |
lostUpstreamPcnt - Float
|
percent of packet loss for upstream traffic |
packetsDownstream - Float
|
total downstream packets |
packetsUpstream - Float
|
total upstream packets |
jitterUpstream - Float
|
jitter for upstream traffic (difference in time delay in milliseconds (ms) between data packets) |
jitterDownstream - Float
|
jitter for downstream traffic (difference in time delay in milliseconds (ms) between data packets) |
packetsDiscardedDownstream - Float
|
total packets discarded for downstream traffic |
packetsDiscardedUpstream - Float
|
total packets discarded for upstream traffic |
rtt - Int
|
round-trip time from the site to the Cato Cloud |
hostCount - Float
|
The number of hosts in the tunnel. Relevant only for per site Metrics, ignored in per-interface metrics. |
hostLimit - Float
|
The configurable limit of the number of hosts in the tunnel. Relevant only for per site Metrics, ignored in per-interface metrics. |
flowCount - Float
|
The number of flows (connections) in the tunnel. Relevant only for per site Metrics, ignored in per-interface metrics. |
Example
{
"duration": 123,
"granularity": 987,
"bytesDownstream": 123.45,
"bytesUpstream": 987.65,
"bytesTotal": 987.65,
"lostDownstream": 987.65,
"lostDownstreamPcnt": 987.65,
"lostUpstream": 123.45,
"lostUpstreamPcnt": 987.65,
"packetsDownstream": 123.45,
"packetsUpstream": 123.45,
"jitterUpstream": 987.65,
"jitterDownstream": 987.65,
"packetsDiscardedDownstream": 987.65,
"packetsDiscardedUpstream": 123.45,
"rtt": 987,
"hostCount": 987.65,
"hostLimit": 123.45,
"flowCount": 123.45
}
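Every field of Metrics is nullable, so a script that turns the lost*Pcnt counters into LinkQualityIssue-shaped findings has to cope with missing percentages and zero packet counts. The following is an added example (not code from the Cato API or its documentation) that evaluates a set of per-link Metrics objects for packet loss and emits records with the same shape as the LinkQualityIssue type above. The threshold value, the "DOWNSTREAM" direction name (only "UPSTREAM" is shown on this page), the fallback that derives the percentage from lost*/packets* when lost*Pcnt is null, and the sample metrics are all assumptions made for the example.

```python
"""Evaluate Cato Metrics objects for packet loss; added example, not Cato code."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

PACKET_LOSS_THRESHOLD_PCNT = 2  # assumption for illustration, not a Cato default


@dataclass(frozen=True)
class LinkQualityIssue:
    """Same shape as the LinkQualityIssue type on this page."""
    issueType: str
    direction: str
    current: int
    threshold: int


def loss_pcnt(metrics: dict, direction: str) -> Optional[float]:
    """Packet-loss percent for one direction ("UPSTREAM" / "DOWNSTREAM").

    Uses lostUpstreamPcnt / lostDownstreamPcnt when the API reported one.
    When that field is null, falls back to the counters; assumption: lost
    packets are counted in packets*, so loss = lost / packets. Returns None
    when neither source can give a number (no packets, null counters).
    """
    suffix = direction.capitalize()          # "UPSTREAM" -> "Upstream"
    pcnt = metrics.get(f"lost{suffix}Pcnt")
    if pcnt is not None:
        return float(pcnt)
    lost, packets = metrics.get(f"lost{suffix}"), metrics.get(f"packets{suffix}")
    if lost is None or not packets:
        return None
    return 100.0 * lost / packets


def detect_packet_loss(metrics: dict,
                       threshold: int = PACKET_LOSS_THRESHOLD_PCNT) -> List[LinkQualityIssue]:
    """One PACKET_LOSS issue per direction whose loss exceeds the threshold.
    `current` is rounded up because the LinkQualityIssue field is an Int."""
    issues = []
    for direction in ("UPSTREAM", "DOWNSTREAM"):   # DOWNSTREAM assumed to exist
        value = loss_pcnt(metrics, direction)
        if value is not None and value > threshold:
            issues.append(LinkQualityIssue("PACKET_LOSS", direction, math.ceil(value), threshold))
    return issues


def evaluate_links(links: Dict[str, dict]) -> Dict[str, List[LinkQualityIssue]]:
    """Map link name -> issues, for a dict of link name -> Metrics object."""
    return {name: detect_packet_loss(m) for name, m in links.items()}


# Constructed sample: three WAN links with partially populated Metrics objects.
SAMPLE_LINKS = {
    "wan_1": {"lostUpstreamPcnt": 3.5, "lostDownstreamPcnt": 0.1,
              "packetsUpstream": 120000.0, "packetsDownstream": 340000.0},
    "wan_2": {"lostUpstreamPcnt": None, "lostUpstream": 60.0, "packetsUpstream": 1000.0,
              "lostDownstreamPcnt": None, "lostDownstream": None, "packetsDownstream": 980.0},
    "wan_3": {"lostUpstreamPcnt": 0.0, "lostDownstreamPcnt": 0.4},
}

if __name__ == "__main__":
    for link, issues in evaluate_links(SAMPLE_LINKS).items():
        print(link, issues)
```

wan_1 is flagged from its reported percentage, wan_2 from the counters (its downstream side has no usable data and is skipped rather than reported as 0 % loss), and wan_3 is clean.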
MicrosoftActivity
Example
{
"id": "4",
"resourceId": "4",
"parentResourceId": "4",
"action": "xyz789",
"firstActivityDateTime": "2007-12-03T10:15:30Z",
"lastActivityDateTime": "2007-12-03T10:15:30Z"
}
MicrosoftDefenderEndpointAlert
Fields
Field Name | Description |
---|---|
id - ID!
|
|
title - String
|
|
description - String
|
|
threatName - String
|
|
mitreTechnique - [Mitre!]!
|
|
mitreSubTechnique - [Mitre!]!
|
|
createdDateTime - DateTime
|
|
resources - [MicrosoftEndpointResource!]!
|
|
activities - [MicrosoftActivity!]!
|
|
criticality - Int
|
|
comments - [String!]!
|
|
recommendedActions - String
|
|
category - String
|
|
ownerName - String
|
|
threatFamilyName - String
|
|
threatType - String
|
|
resolvedDateTime - DateTime
|
|
firstActivityDateTime - DateTime
|
|
lastActivityDateTime - DateTime
|
|
lastUpdateDateTime - DateTime
|
|
localIp - String
|
|
destinationIp - String
|
|
destinationUrl - String
|
|
status - MsAlertStatus
|
|
providerAlertId - String
|
|
alertWebUrl - String
|
|
determination - AlertDeterminationEnum
|
|
detectionSource - DetectionSourceEnum
|
|
classification - AlertClassificationEnum
|
Example
{
"id": "4",
"title": "xyz789",
"description": "xyz789",
"threatName": "xyz789",
"mitreTechnique": [Mitre],
"mitreSubTechnique": [Mitre],
"createdDateTime": "2007-12-03T10:15:30Z",
"resources": [MicrosoftEndpointResource],
"activities": [MicrosoftActivity],
"criticality": 987,
"comments": ["abc123"],
"recommendedActions": "abc123",
"category": "xyz789",
"ownerName": "abc123",
"threatFamilyName": "xyz789",
"threatType": "xyz789",
"resolvedDateTime": "2007-12-03T10:15:30Z",
"firstActivityDateTime": "2007-12-03T10:15:30Z",
"lastActivityDateTime": "2007-12-03T10:15:30Z",
"lastUpdateDateTime": "2007-12-03T10:15:30Z",
"localIp": "xyz789",
"destinationIp": "abc123",
"destinationUrl": "abc123",
"status": "NEW",
"providerAlertId": "xyz789",
"alertWebUrl": "abc123",
"determination": "APT",
"detectionSource": "MICROSOFT_DEFENDER_FOR_ENDPOINT",
"classification": "FALSE_POSITIVE"
}
MicrosoftDeviceDetails
Fields
Field Name | Description |
---|---|
id - ID!
|
|
deviceName - String
|
|
osDetails - OsDetails
|
|
loggedOnUsers - [EndpointUser!]!
|
|
firstSeenDateTime - DateTime
|
|
avStatus - DeviceAvStatusEnum
|
|
healthStatus - DeviceHealthStatusEnum
|
|
rbacGroup - RbacGroup
|
|
ipInterfaces - [String!]!
|
|
azureAdDeviceId - String
|
|
onboardingStatus - OnboardingStatusEnum
|
Example
{
"id": "4",
"deviceName": "abc123",
"osDetails": OsDetails,
"loggedOnUsers": [EndpointUser],
"firstSeenDateTime": "2007-12-03T10:15:30Z",
"avStatus": "NOT_REPORTING",
"healthStatus": "ACTIVE",
"rbacGroup": RbacGroup,
"ipInterfaces": ["xyz789"],
"azureAdDeviceId": "xyz789",
"onboardingStatus": "INSUFFICIENT_INFO"
}
MicrosoftEndpoint
Fields
Field Name | Description |
---|---|
id - ID!
|
|
firstSignal - DateTime!
|
|
lastSignal - DateTime!
|
|
engineType - StoryEngineTypeEnum
|
|
vendor - VendorEnum
|
|
producer - StoryProducerEnum!
|
|
producerName - String!
|
|
connectionType - ConnectionTypeEnum
|
|
indication - String!
|
|
queryName - String
|
|
source - String
|
|
criticality - Int
|
|
ticket - String
|
|
status - StoryStatusEnum
|
|
research - Boolean
|
|
siteName - String
|
|
storyDuration - Int
|
|
description - String
|
|
sourceIp - String
|
|
analystFeedback - AnalystFeedback
|
|
site - SiteRef
|
|
user - UserRef
|
|
similarStoriesData - [SimilarStoryData!]!
|
|
predictedVerdict - StoryVerdictEnum
|
|
predictedThreatType - String
|
|
device - MicrosoftDeviceDetails
|
|
alerts - [MicrosoftDefenderEndpointAlert!]!
|
Example
{
"id": "4",
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "xyz789",
"queryName": "abc123",
"source": "xyz789",
"criticality": 123,
"ticket": "abc123",
"status": "Open",
"research": false,
"siteName": "xyz789",
"storyDuration": 987,
"description": "xyz789",
"sourceIp": "abc123",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "xyz789",
"device": MicrosoftDeviceDetails,
"alerts": [MicrosoftDefenderEndpointAlert]
}
MicrosoftEndpointResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
remediationStatusDetails - String
|
|
tags - [String!]!
|
|
roles - [ResourceRoleEnum!]!
|
|
verdict - MsResourceVerdictEnum
|
Possible Types
MicrosoftEndpointResource Types |
---|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"remediationStatusDetails": "xyz789",
"tags": ["abc123"],
"roles": ["CONTEXTUAL"],
"verdict": "Suspicious"
}
MicrosoftEndpointUser
MicrosoftFileResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
remediationStatusDetails - String
|
|
tags - [String!]!
|
|
roles - [ResourceRoleEnum!]!
|
|
verdict - MsResourceVerdictEnum
|
|
fileDetails - FileDetails
|
|
detectionStatus - DetectionStatusEnum
|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"remediationStatusDetails": "abc123",
"tags": ["abc123"],
"roles": ["CONTEXTUAL"],
"verdict": "Suspicious",
"fileDetails": FileDetails,
"detectionStatus": "DETECTED"
}
MicrosoftProcessResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
remediationStatusDetails - String
|
|
tags - [String!]!
|
|
roles - [ResourceRoleEnum!]!
|
|
verdict - MsResourceVerdictEnum
|
|
processId - Int!
|
|
processCommandLine - String
|
|
imageFile - FileDetails
|
|
userAccount - EndpointUser
|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"remediationStatusDetails": "abc123",
"tags": ["abc123"],
"roles": ["CONTEXTUAL"],
"verdict": "Suspicious",
"processId": 123,
"processCommandLine": "abc123",
"imageFile": FileDetails,
"userAccount": EndpointUser
}
MicrosoftRegistryResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
remediationStatusDetails - String
|
|
tags - [String!]!
|
|
roles - [ResourceRoleEnum!]!
|
|
verdict - MsResourceVerdictEnum
|
|
hive - String
|
|
key - String
|
|
value - String
|
|
valueName - String
|
|
valueType - String
|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"remediationStatusDetails": "xyz789",
"tags": ["xyz789"],
"roles": ["CONTEXTUAL"],
"verdict": "Suspicious",
"hive": "abc123",
"key": "abc123",
"value": "xyz789",
"valueName": "abc123",
"valueType": "xyz789"
}
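The `resources` list of a MicrosoftDefenderEndpointAlert is typed as MicrosoftEndpointResource, and the fields that matter for triage (process command line, registry key and value, file detection status) live only on the concrete MicrosoftProcessResource, MicrosoftRegistryResource and MicrosoftFileResource types. A query therefore has to select them through inline fragments, and a consumer has to dispatch on `__typename`. The block below is an added example, not code from Cato or Microsoft: it shows the fragment and a small triage routine that flags resources Defender judged suspicious but has not reported as REMEDIATED. Assumptions: that MicrosoftEndpoint is one of MergedIncident's possible types (the list on this page is empty), that MicrosoftEndpointResource is an interface implemented by the three resource types, and that "Suspicious" is the only actionable verdict (the only MsResourceVerdictEnum value shown). The incident data is constructed.

```python
"""Triage Defender resources in a MicrosoftEndpoint story; added example, not Cato code."""
from typing import List

# Fragment using only fields documented on this page. Per-type fields are
# reached through inline fragments on the concrete resource types.
ENDPOINT_RESOURCES_FRAGMENT = """
fragment EndpointResources on MergedIncident {
  id producer status criticality
  ... on MicrosoftEndpoint {
    device { deviceName azureAdDeviceId onboardingStatus healthStatus }
    alerts {
      id title category detectionSource status
      resources {
        __typename id verdict remediationStatus roles
        ... on MicrosoftProcessResource { processId processCommandLine }
        ... on MicrosoftRegistryResource { hive key valueName value }
        ... on MicrosoftFileResource { detectionStatus }
      }
    }
  }
}
"""

# Assumption: only "Suspicious" is known from the page; extend once the full enum is known.
ACTIONABLE_VERDICTS = {"Suspicious"}


def describe_resource(res: dict) -> str:
    """One line per resource, dispatched on __typename; an unknown concrete
    type degrades to a generic line instead of raising."""
    kind = res.get("__typename")
    if kind == "MicrosoftProcessResource":
        return f"process pid={res.get('processId')} cmd={res.get('processCommandLine')!r}"
    if kind == "MicrosoftRegistryResource":
        return (f"registry {res.get('hive')}\\{res.get('key')} "
                f"{res.get('valueName')}={res.get('value')!r}")
    if kind == "MicrosoftFileResource":
        return f"file detectionStatus={res.get('detectionStatus')}"
    return f"{kind or 'resource'} id={res.get('id')}"


def needs_action(res: dict) -> bool:
    """Actionable verdict and no REMEDIATED status (remediationStatus is nullable)."""
    return res.get("verdict") in ACTIONABLE_VERDICTS and res.get("remediationStatus") != "REMEDIATED"


def triage_endpoint_story(incident: dict) -> List[dict]:
    """Flatten alerts -> resources into rows an analyst can sort by needs_action."""
    rows = []
    for alert in incident.get("alerts") or []:
        for res in alert.get("resources") or []:
            rows.append({
                "alert": alert["id"],
                "resource": res["id"],
                "summary": describe_resource(res),
                "needs_action": needs_action(res),
            })
    return rows


# Constructed sample shaped like the MicrosoftEndpoint example on this page.
SAMPLE_INCIDENT = {
    "id": "4", "status": "Open", "criticality": 8,
    "device": {"deviceName": "WS-0042", "onboardingStatus": "INSUFFICIENT_INFO",
               "healthStatus": "ACTIVE"},
    "alerts": [{
        "id": "a1", "title": "Encoded PowerShell launched from Office", "category": "Execution",
        "detectionSource": "MICROSOFT_DEFENDER_FOR_ENDPOINT", "status": "NEW",
        "resources": [
            {"__typename": "MicrosoftProcessResource", "id": "r1", "verdict": "Suspicious",
             "remediationStatus": None,           # not yet remediated
             "roles": ["CONTEXTUAL"], "processId": 4242,
             "processCommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
            {"__typename": "MicrosoftRegistryResource", "id": "r2", "verdict": "Suspicious",
             "remediationStatus": "REMEDIATED", "roles": ["CONTEXTUAL"],
             "hive": "HKEY_CURRENT_USER",
             "key": "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
             "valueName": "Updater", "value": "C:\\Users\\Public\\u.exe"},
            {"__typename": "MicrosoftFileResource", "id": "r3", "verdict": None,
             "remediationStatus": None, "roles": ["CONTEXTUAL"], "detectionStatus": "DETECTED"},
        ],
    }],
}

if __name__ == "__main__":
    for row in triage_endpoint_story(SAMPLE_INCIDENT):
        print(row["needs_action"], row["summary"])
```

Requesting `__typename` explicitly is what makes the dispatch possible; without it the three resource kinds are indistinguishable in the JSON response.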
Mitre
MsAlertStatus
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"NEW"
MsResourceVerdictEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"Suspicious"
NetworkDhcpSettingsInput
NetworkEventSourceEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"SITE"
NetworkTimelineEvent
Fields
Field Name | Description |
---|---|
created - DateTime!
|
|
validated - DateTime!
|
|
description - String
|
|
eventType - NetworkXDREventTypeEnum
|
|
incidentId - String
|
|
networkEventSource - NetworkEventSourceEnum
|
|
eventIds - [String!]!
|
|
acknowledged - Boolean
|
|
linkId - String
|
|
linkName - String
|
|
linkConfigPrecedence - LinkConfigPrecedenceEnum
|
|
linkStatus - LinkStatusEnum
|
|
linkConfigBandwidth - String
|
|
deviceConfigHaRole - DeviceConfigHaRoleEnum
|
|
deviceHaRoleState - DeviceHaRoleStateEnum
|
|
pop - String
|
|
isp - String
|
|
bgpConnection - BGPConnection
|
|
linkQualityIssue - LinkQualityIssue
|
|
hostIp - String
|
|
ruleName - String
|
|
tunnelResetCount - Int
|
Example
{
"created": "2007-12-03T10:15:30Z",
"validated": "2007-12-03T10:15:30Z",
"description": "xyz789",
"eventType": "INSIGHT",
"incidentId": "xyz789",
"networkEventSource": "SITE",
"eventIds": ["xyz789"],
"acknowledged": false,
"linkId": "xyz789",
"linkName": "xyz789",
"linkConfigPrecedence": "ACTIVE",
"linkStatus": "ACTIVE",
"linkConfigBandwidth": "xyz789",
"deviceConfigHaRole": "PRIMARY",
"deviceHaRoleState": "MASTER",
"pop": "xyz789",
"isp": "xyz789",
"bgpConnection": BGPConnection,
"linkQualityIssue": LinkQualityIssue,
"hostIp": "xyz789",
"ruleName": "xyz789",
"tunnelResetCount": 123
}
NetworkXDREventTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"INSIGHT"
NetworkXDRIncident
Fields
Field Name | Description |
---|---|
id - ID!
|
|
firstSignal - DateTime!
|
|
lastSignal - DateTime!
|
|
engineType - StoryEngineTypeEnum
|
|
vendor - VendorEnum
|
|
producer - StoryProducerEnum!
|
|
producerName - String!
|
|
connectionType - ConnectionTypeEnum
|
|
indication - String!
|
|
queryName - String
|
|
source - String
|
|
criticality - Int
|
|
ticket - String
|
|
status - StoryStatusEnum
|
|
research - Boolean
|
|
siteName - String!
|
|
storyDuration - Int
|
|
description - String
|
|
sourceIp - String
|
|
analystFeedback - AnalystFeedback
|
|
site - SiteRef
|
|
user - UserRef
|
|
similarStoriesData - [SimilarStoryData!]!
|
|
predictedVerdict - StoryVerdictEnum
|
|
predictedThreatType - String
|
|
networkIncidentTimeline - [NetworkTimelineEvent!]!
|
|
storyType - String!
|
|
socketSerialId - String
|
|
occurrences - Int
|
|
siteConnectionType - String
|
|
siteConfigLocation - String
|
|
acknowledged - Boolean
|
|
linkId - String
|
|
linkName - String
|
|
linkConfigPrecedence - LinkConfigPrecedenceEnum
|
|
deviceConfigHaRole - DeviceConfigHaRoleEnum
|
|
licenseRegion - String
|
|
licenseBandwidth - String
|
|
pop - String
|
|
isp - String
|
|
bgpConnection - BGPConnection
|
|
hostIp - String
|
|
ruleName - String
|
Example
{
"id": "4",
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "abc123",
"queryName": "xyz789",
"source": "abc123",
"criticality": 123,
"ticket": "xyz789",
"status": "Open",
"research": true,
"siteName": "abc123",
"storyDuration": 123,
"description": "xyz789",
"sourceIp": "xyz789",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "xyz789",
"networkIncidentTimeline": [NetworkTimelineEvent],
"storyType": "abc123",
"socketSerialId": "xyz789",
"occurrences": 987,
"siteConnectionType": "xyz789",
"siteConfigLocation": "abc123",
"acknowledged": false,
"linkId": "abc123",
"linkName": "xyz789",
"linkConfigPrecedence": "ACTIVE",
"deviceConfigHaRole": "PRIMARY",
"licenseRegion": "abc123",
"licenseBandwidth": "abc123",
"pop": "abc123",
"isp": "xyz789",
"bgpConnection": BGPConnection,
"hostIp": "xyz789",
"ruleName": "xyz789"
}
ObjectRef
OnboardingStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"INSUFFICIENT_INFO"
OperationalStatus
Values
Enum Value | Description |
---|---|
|
Passing traffic |
|
Disabled in the Cato Management Application |
|
License has expired for this site and you can't configure it |
|
After you create the site and before it connects to the Cato Cloud |
|
For VPN users only |
|
For VPN users only |
|
For VPN users only |
Example
"active"
OsDetails
Paging
Fields
Field Name | Description |
---|---|
from - Int!
|
Based on the filter and sort parameters, the first story that is returned |
limit - Int!
|
Based on the filter and sort parameters, the number of stories returned starting at from. For example, the argument {from: 10, limit: 10} returns ten stories starting at position 10. |
total - Int!
|
Total number of stories returned |
Example
{"from": 987, "limit": 987, "total": 987}
PagingInput
PeriodType
Values
Enum Value | Description |
---|---|
|
packet loss connectivity issue |
|
missing data |
|
interface in standby mode |
|
traffic was seen |
|
some packets were queued |
|
some packets were discarded after queue timeout |
|
multiple last mile destinations measured packet loss |
|
multiple last mile destinations measured large latency (greater than 500ms) |
|
unspecified period type |
|
period connected to specific pop instance |
Example
"packetLoss"
ProcessResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
processId - Int!
|
|
processCommandLine - String
|
|
imageFile - FileDetails
|
|
userAccount - EndpointUser
|
Possible Types
ProcessResource Types |
---|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"processId": 987,
"processCommandLine": "abc123",
"imageFile": FileDetails,
"userAccount": EndpointUser
}
ProtoType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"SOCKET_X1500"
RBACRole
RbacGroup
RecentConnection
Fields
Field Name | Description |
---|---|
duration - Int
|
The duration of the connection |
interfaceName - String
|
Name for the port in the Cato Management Application |
deviceName - String
|
Serial number for the Device |
lastConnected - DateTime
|
The last time this connection was detected (so lastConnected - duration is the start of the connection) |
popName - String
|
The name of the PoP that the traffic flow was connected to |
remoteIP - String
|
IP address of the PoP that the link is connected to |
remoteIPInfo - IPInfo
|
IP address, ISP, and geographical information related to the PoP that the traffic flow was connected to |
Example
{
"duration": 123,
"interfaceName": "xyz789",
"deviceName": "abc123",
"lastConnected": "2007-12-03T10:15:30Z",
"popName": "xyz789",
"remoteIP": "abc123",
"remoteIPInfo": IPInfo
}
RegistryResource
Fields
Field Name | Description |
---|---|
id - ID!
|
|
createdDateTime - DateTime
|
|
remediationStatus - RemediationStatusEnum
|
|
hive - String
|
|
key - String
|
|
value - String
|
|
valueName - String
|
|
valueType - String
|
Possible Types
RegistryResource Types |
---|
Example
{
"id": "4",
"createdDateTime": "2007-12-03T10:15:30Z",
"remediationStatus": "REMEDIATED",
"hive": "abc123",
"key": "xyz789",
"value": "xyz789",
"valueName": "xyz789",
"valueType": "xyz789"
}
RemediationStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"REMEDIATED"
RemoveAdminPayload
Fields
Field Name | Description |
---|---|
adminID - ID!
|
Example
{"adminID": "4"}
RemoveNetworkRangePayload
Fields
Field Name | Description |
---|---|
networkRangeId - ID!
|
Example
{"networkRangeId": "4"}
RemoveSitePayload
Fields
Field Name | Description |
---|---|
siteId - ID!
|
Example
{"siteId": "4"}
RemoveStaticHostPayload
Fields
Field Name | Description |
---|---|
hostId - ID!
|
Example
{"hostId": "4"}
ResourceRoleEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"CONTEXTUAL"
RiskLevelEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"Malicious"
SeverityEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"High"
SimilarStoryData
Example
{
"storyId": "abc123",
"threatTypeName": "xyz789",
"verdict": "xyz789",
"threatClassification": "xyz789",
"similarityPercentage": 987.65,
"indication": "abc123"
}
SiteConnectionTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"SOCKET_X1500"
SiteInfo
Description
Basic Site configuration information
Fields
Field Name | Description |
---|---|
name - String
|
Name for the site |
type - SiteType
|
Site type in the Cato Management Application, such as branch office or datacenter |
description - String
|
User defined description of the site |
countryCode - String
|
Code for the Country that is the physical location of the site |
region - String
|
Geographical PoP region that the site is licensed to use |
countryName - String
|
Country that is the physical location of the site |
isHA - Boolean
|
When this boolean value is true, the site is enabled for high availability |
connType - ProtoType
|
The Connection Type field defines how the site connects to the Cato Cloud, such as X1500 Socket or AWS vSocket (ProtoType enum value) |
creationTime - DateTime
|
Timestamp for when the site was created |
interfaces - [InterfaceInfo!]
|
Basic configuration information about the Socket interface |
sockets - [SocketInfo!]
|
Data related to Socket and vSocket sites, such as serial number and Socket version (array with nested fields) |
ipsec - [IPSecInfo!]
|
data related to IPsec sites, such as IKE version |
Example
{
"name": "xyz789",
"type": "BRANCH",
"description": "abc123",
"countryCode": "abc123",
"region": "xyz789",
"countryName": "xyz789",
"isHA": true,
"connType": "SOCKET_X1500",
"creationTime": "2007-12-03T10:15:30Z",
"interfaces": [InterfaceInfo],
"sockets": [SocketInfo],
"ipsec": [IPSecInfo]
}
SiteMetrics
Fields
Field Name | Description |
---|---|
id - ID
|
Site ID |
interfaces - [InterfaceMetrics!]
|
Analytics that are returned for the links for a site |
metrics - Metrics
|
Traffic metrics and data for sites |
Arguments
|
|
name - String
|
Site names |
info - SiteInfo
|
Shows general information about the site (object with nested fields). Applicable only for site |
hostCount - Timeseries
|
Timeseries with the number of hosts in the site. Applicable only for site |
flowCount - Timeseries
|
Timeseries with the number of flows (connections) in the site. Applicable only for site |
hostLimit - Timeseries
|
Timeseries with the configurable limit of the number of hosts in the site. Applicable only for site |
samples - Int
|
internal use |
Example
{
"id": "4",
"interfaces": [InterfaceMetrics],
"metrics": Metrics,
"name": "xyz789",
"info": SiteInfo,
"hostCount": Timeseries,
"flowCount": Timeseries,
"hostLimit": Timeseries,
"samples": 987
}
SiteRef
SiteSnapshot
Fields
Field Name | Description |
---|---|
id - ID
|
site ID |
protoId - ID
|
|
connectivityStatus - ConnectivityStatus
|
Connectivity to the Cato Cloud |
haStatus - HaStatus
|
Site HA readiness information |
operationalStatus - OperationalStatus
|
Status for a site or VPN user |
lastConnected - DateTime
|
Relevant when the site is disconnected - the last time the device was connected |
connectedSince - DateTime
|
For connected sites, the time since which the site has been continuously connected |
popName - String
|
Name of the PoP that the site is connected to |
devices - [DeviceSnapshot!]
|
Data related to the Sockets for a site |
info - SiteInfo
|
General real-time information about the site |
hostCount - Int
|
Number of hosts connected to a site |
altWanStatus - String
|
Alternative WAN connectivity status |
Example
{
"id": "4",
"protoId": "4",
"connectivityStatus": "connected",
"haStatus": HaStatus,
"operationalStatus": "active",
"lastConnected": "2007-12-03T10:15:30Z",
"connectedSince": "2007-12-03T10:15:30Z",
"popName": "abc123",
"devices": [DeviceSnapshot],
"info": SiteInfo,
"hostCount": 123,
"altWanStatus": "xyz789"
}
SiteType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"BRANCH"
SocketInfo
Description
Basic information about socket
Fields
Field Name | Description |
---|---|
id - String
|
Unique ID for Socket |
serial - String
|
Serial number for the Socket |
isPrimary - Boolean
|
For HA configurations, when this boolean value is true, this is the primary Socket |
platform - SocketPlatform
|
Shows Socket type |
version - String
|
Software version number that is currently installed on the Socket |
versionUpdateTime - DateTime
|
Timestamp when the Socket upgraded to the current software version |
Example
{
"id": "abc123",
"serial": "abc123",
"isPrimary": true,
"platform": "X1500",
"version": "xyz789",
"versionUpdateTime": "2007-12-03T10:15:30Z"
}
SocketInterfaceAltWanInput
Fields
Input Field | Description |
---|---|
privateInterfaceIp - IPAddress!
|
|
privateNetwork - IPSubnet!
|
|
privateGatewayIp - IPAddress!
|
|
privateVlanTag - Int
|
|
publicInterfaceIp - IPAddress
|
|
publicNetwork - IPSubnet
|
|
publicGatewayIp - IPAddress
|
|
publicVlanTag - Int
|
Example
{
"privateInterfaceIp": IPAddress,
"privateNetwork": IPSubnet,
"privateGatewayIp": IPAddress,
"privateVlanTag": 987,
"publicInterfaceIp": IPAddress,
"publicNetwork": IPSubnet,
"publicGatewayIp": IPAddress,
"publicVlanTag": 987
}
SocketInterfaceBandwidthInput
SocketInterfaceDestType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"CATO"
SocketInterfaceIDEnum
Description
Available Socket interface IDs. INT_# stands for the numbered interfaces 1, 2, 3 ... 12.
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"LAN1"
SocketInterfaceLagInput
Fields
Input Field | Description |
---|---|
minLinks - Int!
|
Example
{"minLinks": 987}
SocketInterfaceLanInput
Fields
Input Field | Description |
---|---|
subnet - IPSubnet!
|
|
translatedSubnet - IPSubnet
|
|
localIp - IPAddress!
|
Example
{
"subnet": IPSubnet,
"translatedSubnet": IPSubnet,
"localIp": IPAddress
}
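The SocketInterfaceAltWanInput and SocketInterfaceLanInput types accept IPAddress and IPSubnet scalars independently, so nothing in the type system stops a caller from sending a gateway outside its own network, a local IP that is the subnet's network address, or a VLAN tag outside the 802.1Q range. The following validator is an added example (not code from Cato) for checking these inputs before they go into a mutation. Assumptions: the public-side fields are either all present or all absent, a translatedSubnet must be the same size as the subnet it translates, and the sample inputs are constructed.

```python
"""Sanity-check Socket interface inputs before sending them; added example, not Cato code."""
import ipaddress
from typing import List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094  # usable IEEE 802.1Q VLAN IDs


def _network(value: str, errors: List[str], field: str):
    """Parse an IPSubnet; strict parsing rejects host bits set in the prefix."""
    try:
        return ipaddress.ip_network(value)
    except ValueError as exc:
        errors.append(f"{field}: {exc}")
        return None


def _host_in(value: str, net, errors: List[str], field: str, net_field: str):
    """Parse an IPAddress and require it to be a usable host inside `net`."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError as exc:
        errors.append(f"{field}: {exc}")
        return None
    if net is not None:
        if ip not in net:
            errors.append(f"{field} {ip} is not inside {net_field} {net}")
        elif ip in (net.network_address, net.broadcast_address):
            errors.append(f"{field} {ip} is the network or broadcast address of {net}")
    return ip


def validate_lan_input(lan: dict) -> List[str]:
    """SocketInterfaceLanInput: subnet!, translatedSubnet, localIp!"""
    errors: List[str] = []
    subnet = _network(lan["subnet"], errors, "subnet")
    _host_in(lan["localIp"], subnet, errors, "localIp", "subnet")
    translated: Optional[str] = lan.get("translatedSubnet")
    if translated is not None:
        tnet = _network(translated, errors, "translatedSubnet")
        # assumption: a 1:1 translated subnet must match the original prefix length
        if tnet is not None and subnet is not None and tnet.prefixlen != subnet.prefixlen:
            errors.append(f"translatedSubnet /{tnet.prefixlen} must be the same size as subnet /{subnet.prefixlen}")
    return errors


def validate_alt_wan_input(alt: dict) -> List[str]:
    """SocketInterfaceAltWanInput: private* fields are required, public* optional."""
    errors: List[str] = []
    for scope in ("private", "public"):
        keys = [f"{scope}InterfaceIp", f"{scope}Network", f"{scope}GatewayIp"]
        present = [k for k in keys if alt.get(k) is not None]
        if scope == "public" and not present:
            continue                      # public side omitted entirely: allowed
        if len(present) != len(keys):     # private: required by schema; public: assumed all-or-nothing
            errors.append(f"{scope} side needs all of {keys}, got {present}")
            continue
        net = _network(alt[keys[1]], errors, keys[1])
        iface = _host_in(alt[keys[0]], net, errors, keys[0], keys[1])
        gateway = _host_in(alt[keys[2]], net, errors, keys[2], keys[1])
        if iface is not None and iface == gateway:
            errors.append(f"{keys[0]} and {keys[2]} are both {iface}")
        tag = alt.get(f"{scope}VlanTag")
        if tag is not None and not VLAN_MIN <= tag <= VLAN_MAX:
            errors.append(f"{scope}VlanTag {tag} is outside {VLAN_MIN}-{VLAN_MAX}")
    return errors


# Constructed sample inputs.
GOOD_ALT_WAN = {"privateInterfaceIp": "10.20.0.10", "privateNetwork": "10.20.0.0/24",
                "privateGatewayIp": "10.20.0.1", "privateVlanTag": 100}
BAD_ALT_WAN = {"privateInterfaceIp": "10.20.0.10", "privateNetwork": "10.20.0.0/24",
               "privateGatewayIp": "10.21.0.1", "privateVlanTag": 5000}

if __name__ == "__main__":
    print(validate_alt_wan_input(GOOD_ALT_WAN))   # []
    for err in validate_alt_wan_input(BAD_ALT_WAN):
        print("-", err)
```

Rejecting these inputs client-side keeps a typo from being written into a live site configuration, where a wrong gateway or an unusable local IP shows up only as a disconnected interface after the change is applied.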
SocketInterfaceOffCloudInput
SocketInterfacePrecedenceEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"ACTIVE"
SocketInterfaceRole
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"wan_1"
SocketInterfaceVrrpInput
Fields
Input Field | Description |
---|---|
vrrpType - VrrpType
|
Example
{"vrrpType": "VIA_SWITCH"}
SocketInterfaceWanInput
Fields
Input Field | Description |
---|---|
role - SocketInterfaceRole!
|
|
precedence - SocketInterfacePrecedenceEnum!
|
Example
{"role": "wan_1", "precedence": "ACTIVE"}
SocketPlatform
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"X1500"
SortDirectionEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"asc"
SortInput
Fields
Input Field | Description |
---|---|
field - String
|
|
order - DirectionInput
|
Example
{"field": "abc123", "order": "asc"}
StoriesData
Story
Fields
Field Name | Description |
---|---|
id - ID!
|
Unique Cato ID for each story |
accountId - Int!
|
ID for your Cato account |
analystName - String
|
Name of analyst working on the story |
analystEmail - String
|
Email address of the analyst working on the story |
accountName - String
|
Name of the account in the Cato Management Application |
updatedAt - DateTime!
|
Timestamp when the story was most recently updated |
createdAt - DateTime!
|
Timestamp when the story was created |
playbook - String
|
URL for the playbook in the Knowledge Base to help troubleshoot the story |
summary - String
|
Summary of the story |
incident - MergedIncident!
|
Data related to the fields and incidents that were merged to create or update the story |
timeline - [TimelineItem!]!
|
Data for the story timeline |
Example
{
"id": "4",
"accountId": 123,
"analystName": "xyz789",
"analystEmail": "xyz789",
"accountName": "xyz789",
"updatedAt": "2007-12-03T10:15:30Z",
"createdAt": "2007-12-03T10:15:30Z",
"playbook": "abc123",
"summary": "abc123",
"incident": MergedIncident,
"timeline": [TimelineItem]
}
StoryDrillDownFilter
StoryEngineTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"ANOMALY"
StoryFilterInput
Fields
Input Field | Description |
---|---|
timeFrame - TimeFramePredicate!
|
|
producer - StoryProducerPredicate
|
|
status - StoryStatusPredicate
|
|
criticality - IntPredicate
|
|
source - StringPredicate
|
|
severity - StorySeverityPredicate
|
|
incidentId - StringPredicate
|
|
ioa - StringPredicate
|
|
storyId - StoryIdPredicate
|
|
queryName - StringPredicate
|
|
verdict - StoryVerdictPredicate
|
|
engineType - EngineTypePredicate
|
|
vendor - VendorPredicate
|
|
sourceIp - StringPredicate
|
Example
{
"timeFrame": TimeFramePredicate,
"producer": StoryProducerPredicate,
"status": StoryStatusPredicate,
"criticality": IntPredicate,
"source": StringPredicate,
"severity": StorySeverityPredicate,
"incidentId": StringPredicate,
"ioa": StringPredicate,
"storyId": StoryIdPredicate,
"queryName": StringPredicate,
"verdict": StoryVerdictPredicate,
"engineType": EngineTypePredicate,
"vendor": VendorPredicate,
"sourceIp": StringPredicate
}
StoryIdPredicate
Fields
Input Field | Description |
---|---|
in - [ID!]
|
Example
{"in": ["4"]}
StoryInput
Fields
Input Field | Description |
---|---|
paging - PagingInput!
|
|
sort - [StorySortInput!]
|
|
filter - [StoryFilterInput!]!
|
Example
{
"paging": PagingInput,
"sort": [StorySortInput],
"filter": [StoryFilterInput]
}
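StoryInput combines PagingInput, StorySortInput and a StoryFilterInput list, and the Paging object in the response (from, limit, total) is what a client uses to walk the full result set. The block below is an added example, not code from Cato: it builds the StoryInput variables for open, high-severity stories using the predicates documented on this page, and pages through the results until `from + limit` reaches `total`, with guards so that an empty page or a misreported total cannot produce an endless loop. Assumptions: the stories query is reached as `xdr(accountID) { stories(input) { paging items } }` (the query itself is not on this page), PagingInput mirrors Paging with {from, limit}, TimeFramePredicate is {time} in the "type.time" format that accountMetrics uses, and `total` is the number of stories matching the filter. The transport is replaced by an offline stand-in over constructed stories.

```python
"""Page through XDR stories with StoryInput / Paging; added example, not Cato code."""
from typing import Callable, List

# Assumed query shape; field selections use names documented on this page.
STORIES_QUERY = """
query storiesPage($accountID: ID!, $input: StoryInput!) {
  xdr(accountID: $accountID) {
    stories(input: $input) {
      paging { from limit total }
      items { id incident { status criticality producer source sourceIp } }
    }
  }
}
"""


def build_story_input(offset: int, limit: int, time_frame: str = "last.P7D") -> dict:
    """StoryInput for open, high-severity stories in the last 7 days.
    A fixed sort keeps paging stable; the predicate shapes come from this page."""
    return {
        "paging": {"from": offset, "limit": limit},          # PagingInput assumed {from, limit}
        "sort": [{"fieldName": "firstSignal", "order": "asc"}],
        "filter": [{
            "timeFrame": {"time": time_frame},                # TimeFramePredicate assumed {time}
            "status": {"in": ["Open"]},
            "severity": {"in": ["High"]},
        }],
    }


def fetch_all_stories(execute: Callable[[dict], dict], account_id: str,
                      page_size: int = 50, max_pages: int = 200) -> dict:
    """Walk every page. `execute` posts STORIES_QUERY with the given variables and
    returns the decoded JSON body. Stops on the last page, on an empty page, or
    after max_pages, so a server that misreports `total` cannot loop forever."""
    items: List[dict] = []
    offset, pages = 0, 0
    while pages < max_pages:
        variables = {"accountID": account_id, "input": build_story_input(offset, page_size)}
        page = execute(variables)["data"]["xdr"]["stories"]
        pages += 1
        items.extend(page["items"])
        paging = page["paging"]
        offset = paging["from"] + paging["limit"]   # next page starts after this one
        if not page["items"] or offset >= paging["total"]:
            break
    return {"items": items, "pages": pages}


# Constructed sample stories and an offline stand-in for the HTTP transport.
SAMPLE_STORIES = [
    {"id": str(i), "incident": {"status": "Open", "criticality": 5 + i % 5,
                                "producer": "AnomalyStats", "source": f"host-{i}",
                                "sourceIp": f"10.0.0.{i}"}}
    for i in range(1, 8)
]


def make_fake_executor(stories: List[dict]) -> Callable[[dict], dict]:
    """Serve slices of `stories` the way the real endpoint would page them."""
    def execute(variables: dict) -> dict:
        paging = variables["input"]["paging"]
        start, limit = paging["from"], paging["limit"]
        return {"data": {"xdr": {"stories": {
            "paging": {"from": start, "limit": limit, "total": len(stories)},
            "items": stories[start:start + limit],
        }}}}
    return execute


if __name__ == "__main__":
    result = fetch_all_stories(make_fake_executor(SAMPLE_STORIES), "123", page_size=3)
    print(result["pages"], [s["id"] for s in result["items"]])
    # 3 ['1', '2', '3', '4', '5', '6', '7']
```

Against the live API, `execute` would POST `{"query": STORIES_QUERY, "variables": variables}` to the endpoint listed at the top of this page with the account's API key; everything else stays the same.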
StoryProducerEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"AnomalyStats"
StoryProducerPredicate
Fields
Input Field | Description |
---|---|
in - [StoryProducerEnum!]
|
|
not_in - [StoryProducerEnum!]
|
Example
{"in": ["AnomalyStats"], "not_in": ["AnomalyStats"]}
StorySeverityPredicate
Fields
Input Field | Description |
---|---|
in - [SeverityEnum!]
|
|
not_in - [SeverityEnum!]
|
Example
{"in": ["High"], "not_in": ["High"]}
StorySortFieldName
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"firstSignal"
StorySortInput
Fields
Input Field | Description |
---|---|
fieldName - StorySortFieldName!
|
|
order - SortDirectionEnum
|
Example
{"fieldName": "firstSignal", "order": "asc"}
StoryStatusEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
Example
"Open"
StoryStatusPredicate
Fields
Input Field | Description |
---|---|
in - [StoryStatusEnum!]
|
|
not_in - [StoryStatusEnum!]
|
Example
{"in": ["Open"], "not_in": ["Open"]}
StoryVerdictEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"Suspicious"
StoryVerdictPredicate
Fields
Input Field | Description |
---|---|
in - [StoryVerdictEnum!]
|
|
not_in - [StoryVerdictEnum!]
|
Example
{"in": ["Suspicious"], "not_in": ["Suspicious"]}
String
Description
The String scalar type represents textual data, represented as UTF-8 character sequences. The String type is most often used by GraphQL to represent free-form human-readable text.
Example
"abc123"
StringPredicate
StringValue
Fields
Field Name | Description |
---|---|
string - String | |
Example
{"string": "abc123"}
SubDomain
SubnetType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
Example
"Routed"
TargetType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
Example
"ip"
Threat
Fields
Field Name | Description |
---|---|
id - ID! | Unique Cato ID for this threat |
firstSignal - DateTime! | Timestamp for the first incident signal related to this story |
lastSignal - DateTime! | Timestamp for the most recent incident signal related to this story |
engineType - StoryEngineTypeEnum | XDR engine involved with the incident |
vendor - VendorEnum | Vendor that identified the incident, such as Cato or Microsoft |
producer - StoryProducerEnum! | Enum for the Producer (specific XDR engine and service) involved with the incident |
producerName - String! | Full name of the Producer (specific XDR engine and service) involved with the incident |
connectionType - ConnectionTypeEnum | Enum for the connection for this incident (i.e. site, host, user) |
indication - String! | An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications. |
queryName - String | Category for the indication ID related to the story |
source - String | IP address, name of device, or SDP user on your network involved in the story |
criticality - Int | Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk) |
ticket - String | The ticket an analyst created for this story |
status - StoryStatusEnum | Enum for the status of this story (i.e. Open, Closed, Monitoring) |
research - Boolean | The value is TRUE when the story is currently being researched by Security Analysts |
siteName - String | Site name related to the story |
storyDuration - Int | Amount of time since the story was opened (no value for closed stories) |
description - String | Description of the threat |
analystFeedback - AnalystFeedback | Fields related to the analysts' research of the threat incident |
site - SiteRef | Cato ID and name for the site |
user - UserRef | Cato ID and name for the user |
similarStoriesData - [SimilarStoryData!]! | Data for stories that are similar |
predictedVerdict - StoryVerdictEnum | Enum for Cato's predicted verdict of the story (i.e. Malicious, Benign) |
predictedThreatType - String | Cato's predicted threat type for the story |
srcSiteId - String | Cato ID for the site that is the source of the threat |
flowsCardinality - Int | Cardinality of traffic flows for the threat |
riskLevel - RiskLevelEnum | The estimated risk level of the threat (i.e. Malicious, High, Low) |
os - String | OS for the device or host that is the threat target |
deviceName - String | Name of the device |
macAddress - String | MAC address of the device |
sourceIp - String | The source IP address of the device in your network sending or receiving the flow |
logonName - String | Username for the device |
direction - String | Traffic direction for the threat |
clientClass - [String!]! | Client Class for the traffic flow |
events - [Event!] | Data for the Cato events for this story |
mitres - [Mitre!] | MITRE data for the story (i.e. ID, name) |
timeSeries - [IncidentTimeseries!] | Timeseries data for the incident |
targets - [IncidentTargetRep!]! | Data about the targets of the threat |
flows - [IncidentFlow!] | Data about the traffic flows for the threat |
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "xyz789",
"connectionType": "Site",
"indication": "xyz789",
"queryName": "abc123",
"source": "xyz789",
"criticality": 987,
"ticket": "abc123",
"status": "Open",
"research": true,
"siteName": "xyz789",
"storyDuration": 987,
"description": "abc123",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "xyz789",
"srcSiteId": "abc123",
"flowsCardinality": 987,
"riskLevel": "Malicious",
"os": "abc123",
"deviceName": "xyz789",
"macAddress": "xyz789",
"sourceIp": "abc123",
"logonName": "xyz789",
"direction": "xyz789",
"clientClass": ["xyz789"],
"events": [Event],
"mitres": [Mitre],
"timeSeries": [IncidentTimeseries],
"targets": [IncidentTargetRep],
"flows": [IncidentFlow]
}
ThreatPrevention
Fields
Field Name | Description |
---|---|
id - ID! | Unique Cato ID for this threat |
firstSignal - DateTime! | Timestamp for the first incident signal related to this story |
lastSignal - DateTime! | Timestamp for the most recent incident signal related to this story |
engineType - StoryEngineTypeEnum | XDR engine involved with the incident |
vendor - VendorEnum | Vendor that identified the incident, such as Cato or Microsoft |
producer - StoryProducerEnum! | Enum for the Producer (specific XDR engine and service) involved with the incident |
producerName - String! | Full name of the Producer (specific XDR engine and service) involved with the incident |
connectionType - ConnectionTypeEnum | Enum for the connection for this incident (i.e. site, host, user) |
indication - String! | An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications. |
queryName - String | Category for the indication ID related to the story |
source - String | IP address, name of device, or SDP user on your network involved in the story |
criticality - Int | Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk) |
ticket - String | The ticket an analyst created for this story |
status - StoryStatusEnum | Enum for the status of this story (i.e. Open, Closed, Monitoring) |
research - Boolean | The value is TRUE when the story is currently being researched by Security Analysts |
siteName - String | Site name related to the story |
storyDuration - Int | Amount of time since the story was opened (no value for closed stories) |
description - String | Description of the threat |
analystFeedback - AnalystFeedback | Fields related to the analysts' research of the threat incident |
site - SiteRef | Cato ID and name for the site |
user - UserRef | Cato ID and name for the user |
similarStoriesData - [SimilarStoryData!]! | Data for stories that are similar |
predictedVerdict - StoryVerdictEnum | Enum for Cato's predicted verdict of the story (i.e. Malicious, Benign) |
predictedThreatType - String | Cato's predicted threat type for the story |
srcSiteId - String | Cato ID for the site that is the source of the threat |
flowsCardinality - Int | Cardinality of traffic flows for the threat |
riskLevel - RiskLevelEnum | The estimated risk level of the threat (i.e. Malicious, High, Low) |
os - String | OS for the device or host that is the threat target |
deviceName - String | Name of the device |
macAddress - String | MAC address of the device |
sourceIp - String | The source IP address of the device in your network sending or receiving the flow |
logonName - String | Username for the device |
direction - String | Traffic direction for the threat |
clientClass - [String!]! | Client Class for the traffic flow |
events - [Event!] | Data for the Cato events for this story |
mitres - [Mitre!] | MITRE data for the story (i.e. ID, name) |
timeSeries - [IncidentTimeseries!] | Timeseries data for the incident |
targets - [IncidentTargetRep!]! | Data about the targets of the threat |
threatPreventionsEvents - [ThreatPreventionEvents!] | Threat Prevention event data for this story |
Example
{
"id": 4,
"firstSignal": "2007-12-03T10:15:30Z",
"lastSignal": "2007-12-03T10:15:30Z",
"engineType": "ANOMALY",
"vendor": "CATO",
"producer": "AnomalyStats",
"producerName": "abc123",
"connectionType": "Site",
"indication": "abc123",
"queryName": "xyz789",
"source": "xyz789",
"criticality": 987,
"ticket": "xyz789",
"status": "Open",
"research": true,
"siteName": "abc123",
"storyDuration": 987,
"description": "abc123",
"analystFeedback": AnalystFeedback,
"site": SiteRef,
"user": UserRef,
"similarStoriesData": [SimilarStoryData],
"predictedVerdict": "Suspicious",
"predictedThreatType": "abc123",
"srcSiteId": "abc123",
"flowsCardinality": 987,
"riskLevel": "Malicious",
"os": "abc123",
"deviceName": "xyz789",
"macAddress": "xyz789",
"sourceIp": "abc123",
"logonName": "xyz789",
"direction": "xyz789",
"clientClass": ["xyz789"],
"events": [Event],
"mitres": [Mitre],
"timeSeries": [IncidentTimeseries],
"targets": [IncidentTargetRep],
"threatPreventionsEvents": [ThreatPreventionEvents]
}
ThreatPreventionEvents
Fields
Field Name | Description |
---|---|
appName - String | |
clientClass - String | |
sourceIp - String | |
sourcePort - Int | |
destinationCountry - String | |
destinationIp - String | |
destinationPort - Int | |
direction - String | |
createdAt - DateTime | |
method - String | |
url - String | |
target - String | |
domain - String | |
sourceGeolocation - String | |
destinationGeolocation - String | |
tunnelGeolocation - String | |
dnsResponseIP - String | |
smbFileName - String | |
user - String | |
userAgent - String | |
fileHash - String | |
ja3 - String | |
referrer - String | |
httpResponseCode - Int | |
Example
{
"appName": "xyz789",
"clientClass": "abc123",
"sourceIp": "abc123",
"sourcePort": 123,
"destinationCountry": "xyz789",
"destinationIp": "xyz789",
"destinationPort": 123,
"direction": "xyz789",
"createdAt": "2007-12-03T10:15:30Z",
"method": "abc123",
"url": "abc123",
"target": "abc123",
"domain": "abc123",
"sourceGeolocation": "xyz789",
"destinationGeolocation": "abc123",
"tunnelGeolocation": "abc123",
"dnsResponseIP": "abc123",
"smbFileName": "abc123",
"user": "xyz789",
"userAgent": "xyz789",
"fileHash": "abc123",
"ja3": "abc123",
"referrer": "xyz789",
"httpResponseCode": 123
}
TimeAnnotation
Description
An object for marking specific events in time.
Fields
Field Name | Description |
---|---|
time - Float! | Timestamp of the event |
label - String! | Description of the event |
shortLabel - String! | Brief description of the event |
type - AnnotationType! | Type identifies which annotation this is (e.g. connectivity, rolechange, missingdata), which allows charts to attach to it. |
Example
{
"time": 123.45,
"label": "abc123",
"shortLabel": "abc123",
"type": "popChange"
}
TimeFrame
Description
Enter the time frame for the data that the query returns. The argument is in the format <type>.<time value>. This argument is mandatory.
These are the supported options to define the time frame:
last.<time duration> - The
- timeFrame = last.PT5M shows the previous 5 minutes
- timeFrame = last.PT2H shows the previous 2 hours
- timeFrame = last.P1D shows the previous 1 day
- timeFrame = last.P3M shows the previous 3 months
- timeFrame = last.P1Y shows the previous 1 year
utc.<short-time-frame-spec> - The time frame combines a start and end date in the format YYYY-MM-DD/hh:mm:ss, in UTC. You must enter all the date and time values for the argument. The part of the specification shared by the start and the end is written once, before the braces; the parts that differ are written inside the braces, separated by --. For example:
- timeFrame = utc.2020-02-{11/04:50:00--21/04:50:00} shows 10 days of analytics data from February 11, 2020 4:50:00 am to February 21, 2020 4:50:00 am
- timeFrame = utc.2020-02-11/{04:50:15--16:50:15} shows 12 hours of analytics data on February 11, 2020, from 4:50:15 am to 4:50:15 pm
- timeFrame = utc.2020-{02-11/04:50:00--04-11/04:50:00} shows 2 months of analytics data from February 11, 2020 4:50:00 am to April 11, 2020 4:50:00 am
- timeFrame = utc.{2019-10-01/04:50:00--2020-02-01/04:50:00} shows 4 months of analytics data from October 1, 2019 4:50:00 am to February 1, 2020 4:50:00 am. This format lets you configure a time frame that includes more than one calendar year.
Example
TimeFrame
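Because TimeFrame is a free-form string, a malformed value is only discovered when the server rejects the query, and a wrongly bracketed utc. value silently selects the wrong window. The following is an added example, not code from the Cato reference, that builds both forms from typed values and parses them back for checking. The rule for where the braces open (shared prefix outside, differing tail inside, split only at a `-` or `/` field boundary) is inferred from the four utc. examples above; the function names are this example's own.

```python
"""Build and check TimeFrame strings: last.<ISO 8601 duration> and utc.<spec>.

Added example, not code from the Cato reference. The brace-placement rule is
inferred from the utc. examples on the page; function names are this example's.
"""
import re
from datetime import datetime, timezone

# ISO 8601 duration subset covering the page's examples (P1Y, P3M, P1D, PT2H, PT5M).
_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
_STAMP = "%Y-%m-%d/%H:%M:%S"


def last(duration):
    """'last.<duration>', rejecting anything that is not a non-empty ISO 8601 duration."""
    m = _DURATION.match(duration)
    if not m or not any(m.groups()):
        raise ValueError(f"not an ISO 8601 duration: {duration!r}")
    return f"last.{duration}"


def _stamp(dt):
    if dt.tzinfo is None:
        raise ValueError("datetimes must be timezone-aware; the frame is interpreted in UTC")
    return dt.astimezone(timezone.utc).strftime(_STAMP)


def utc(start, end):
    """'utc.<spec>' for two aware datetimes, in the compact form the page uses."""
    s, e = _stamp(start), _stamp(end)
    if e <= s:  # fixed-width format, so string order is time order
        raise ValueError("end must be after start")
    i = 0
    while i < len(s) and s[i] == e[i]:
        i += 1
    # back up so the brace opens at a field boundary, never inside a number
    while i > 0 and s[i - 1] not in "-/":
        i -= 1
    return f"utc.{s[:i]}{{{s[i:]}--{e[i:]}}}"


def parse(timeframe):
    """Inverse: ('last', duration) or ('utc', start, end) with aware UTC datetimes."""
    kind, _, spec = timeframe.partition(".")
    if kind == "last":
        last(spec)  # validates the duration
        return ("last", spec)
    if kind != "utc":
        raise ValueError(f"unknown time frame type {kind!r}")
    if "{" not in spec or not spec.endswith("}"):
        raise ValueError("utc. spec must contain a {start--end} section")
    prefix, inner = spec[: spec.index("{")], spec[spec.index("{") + 1 : -1]
    a, sep, b = inner.partition("--")
    if not sep:
        raise ValueError("utc. spec must separate start and end with '--'")
    start = datetime.strptime(prefix + a, _STAMP).replace(tzinfo=timezone.utc)
    end = datetime.strptime(prefix + b, _STAMP).replace(tzinfo=timezone.utc)
    if end <= start:
        raise ValueError("end must be after start")
    return ("utc", start, end)
```

Round-tripping a TimeFrame through `parse` before sending it is a cheap way to make sure an investigation window (for example the hours around a story's firstSignal) is the window you think it is.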
TimeFrameModifier
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"StoryUpdate"
TimeFramePredicate
Fields
Input Field | Description |
---|---|
time - TimeFrame! | |
timeFrameModifier - TimeFrameModifier | |
Example
{"time": TimeFrame, "timeFrameModifier": "StoryUpdate"}
TimePeriod
Description
An object for marking durations.
Fields
Field Name | Description |
---|---|
duration - [Float!]! | Array of numbers representing the start time and end time (in ms since the epoch), followed by the start bucket index and end bucket index |
title - String! | Label that describes the metrics |
type - PeriodType! | Type identifies which period this is (e.g. packetLoss), which allows charts to attach to it. |
Example
{
"duration": [123.45],
"title": "xyz789",
"type": "packetLoss"
}
TimelineItem
Fields
Field Name | Description |
---|---|
createdAt - DateTime! | Timestamp the story was created |
description - String! | Description for the story in the timeline |
context - String! | Status of the timeline item |
type - TimelineTypeEnum! | Enum for the type (i.e. Diff, Action, Comment) |
descriptions - [String!]! | Descriptions for the story in the timeline |
category - TimelineItemCategoryEnum | Enum for the timeline category (i.e. Information, Warning, Error) |
additionalInfo - String | Additional information about this timeline item |
analystInfo - AnalystInfo | Data about the analyst for this timeline item (i.e. name, email) |
Example
{
"createdAt": "2007-12-03T10:15:30Z",
"description": "xyz789",
"context": "abc123",
"type": "Diff",
"descriptions": ["abc123"],
"category": "Information",
"additionalInfo": "abc123",
"analystInfo": AnalystInfo
}
TimelineItemCategoryEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"Information"
TimelineTypeEnum
Values
Enum Value | Description |
---|---|
|
|
|
|
|
Example
"Diff"
Timeseries
Fields
Field Name | Description |
---|---|
data - [Float!] | Array of tuples, each containing two values: [timestamp, metric], where the timestamp is in milliseconds from the epoch (1.1.1970) and the metric is a number (according to the unit type) |
label - String! | Indicates the type of the timeseries |
dimensions - [DimensionData!] | List of dimension values for this timeseries |
key - TimeseriesKey | Timeseries key: measure and dimension values |
sum - Float | Sum of the metric values over the given time frame |
units - UnitType | Identifies what unit of data this timeseries represents. Note that toRate is only available for types of data where a rate makes sense. |
info - [String!] | Specific information about the timeseries, used to build its name, title etc. |
Example
{
"data": [987.65],
"label": "abc123",
"dimensions": [DimensionData],
"key": TimeseriesKey,
"sum": 987.65,
"units": "bytes",
"info": ["abc123"]
}
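The data field packs each sample as a [timestamp, metric] tuple with the timestamp in milliseconds, and sum carries the server's total for the frame. The following is an added example, not code from the Cato reference, that decodes such a series and runs the two checks an operator usually wants on it: that the reported sum agrees with the points, and that missing buckets and sudden bursts are surfaced. The sample series is constructed for the example. Because the page types data as [Float!] while describing it as tuples, the decoder accepts both a list of pairs and a flat interleaved list; which shape the API actually returns is not stated on this page.

```python
"""Decode a Timeseries (data = [timestamp_ms, metric] tuples) and check it.

Added example, not code from the Cato reference. SAMPLE is constructed here.
"""
from datetime import datetime, timezone
from statistics import median

# Constructed sample: bytesUpstream in one-minute buckets from 2023-11-14T22:13:20Z,
# with the bucket at +5 min missing and a 9x burst at +8 min.
_BASE_MS = 1_700_000_000_000
SAMPLE = {
    "label": "bytesUpstream",
    "units": "bytes",
    "data": [[_BASE_MS + i * 60_000, 9000.0 if i == 8 else 1000.0]
             for i in (0, 1, 2, 3, 4, 6, 7, 8, 9, 10)],
    "sum": 18000.0,
}


def decode_points(data):
    """[(aware UTC datetime, float), ...] in time order; rejects malformed input."""
    if data and isinstance(data[0], (list, tuple)):
        pairs = [tuple(p) for p in data]
        if any(len(p) != 2 for p in pairs):
            raise ValueError("each tuple must be [timestamp, metric]")
    else:
        # flat interleaved form: ts, value, ts, value, ...
        if len(data) % 2:
            raise ValueError("flat data must hold an even number of values")
        pairs = list(zip(data[0::2], data[1::2]))
    points = []
    for ts_ms, value in pairs:
        if ts_ms < 0:
            raise ValueError(f"negative timestamp {ts_ms}")
        points.append((datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc), float(value)))
    return sorted(points, key=lambda p: p[0])


def sum_matches(timeseries, rel_tol=1e-6):
    """True when the API's `sum` field agrees with the decoded points."""
    total = sum(v for _, v in decode_points(timeseries["data"]))
    reported = timeseries.get("sum")
    if reported is None:
        return False
    return abs(total - reported) <= rel_tol * max(1.0, abs(reported))


def gaps(points, bucket_ms):
    """(before, after) datetime pairs where at least one bucket is missing between samples."""
    limit = 1.5 * bucket_ms / 1000  # seconds
    return [(a[0], b[0]) for a, b in zip(points, points[1:])
            if (b[0] - a[0]).total_seconds() > limit]


def spikes(points, factor=3.0):
    """Points whose value exceeds `factor` times the series median. For upstream
    bytes a sudden multiple of the baseline is worth a look as possible exfiltration."""
    if not points:
        return []
    base = median(v for _, v in points)
    threshold = factor * base if base > 0 else 0.0
    return [p for p in points if p[1] > threshold]
```

A median baseline rather than a mean keeps the burst itself from inflating the threshold; with the sample above the mean would be 1800 and the spike would still be found, but on a short series with two bursts a mean-based threshold can hide the second one.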
TimeseriesKey
Fields
Field Name | Description |
---|---|
measureFieldName - String! | Measure field |
dimensions - [DimensionKey!] | List of dimension key-value pairs for this timeseries key |
Example
{
"measureFieldName": "xyz789",
"dimensions": [DimensionKey]
}
TimeseriesMetricType
Values
Enum Value | Description |
---|---|
|
Total avg upstream traffic (from the site to the Cato Cloud) |
|
Total avg downstream traffic (from the Cato Cloud to the site) |
|
Total max upstream traffic (from the site to the Cato Cloud) |
|
Total max downstream traffic (from the Cato Cloud to the site) |
|
Total upstream packets |
|
Total downstream packets |
|
Number of packets lost for upstream traffic |
|
Number of packets lost for downstream traffic |
|
Percent of packet loss for upstream traffic |
|
Percent of packet loss for downstream traffic |
|
Total packets discarded for downstream traffic |
|
Total packets discarded for upstream traffic |
|
Percent packets discarded for upstream traffic |
|
Percent packets discarded for downstream traffic |
|
Jitter for upstream traffic (difference in time delay in milliseconds (ms) between data packets) |
|
Jitter for downstream traffic (difference in time delay in milliseconds (ms) between data packets) |
|
Total number of bytes of upstream and downstream traffic |
|
Round-trip time from the Socket to the Cato Cloud |
|
Health analytics for the site. No longer supported |
|
The age of the physical tunnel in milliseconds (It is zeroed even on transparent reconnect) |
|
Packet loss from the Socket directly to a well-known global service, not through Cato. This is used to measure the last-mile provider's performance, independent of the service. |
|
Latency from the Socket directly to a well-known global service, not through Cato. This is used to measure the last-mile provider's performance, independent of the service. |
Example
"bytesUpstream"
TrafficDirectionEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"UPSTREAM"
UnitType
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
health analytics for the site |
|
The number of occurrences for this unit |
|
For metrics that are measured in seconds, such as tunnelAge, the number of seconds |
|
Bits per second |
|
Bytes per second |
|
Example
"bytes"
UpdateAccountRoleInput
UpdateAdminInput
Fields
Input Field | Description |
---|---|
firstName - String | |
lastName - String | |
passwordNeverExpires - Boolean | |
mfaEnabled - Boolean | |
managedRoles - [UpdateAdminRoleInput!] | |
resellerRoles - [UpdateAdminRoleInput!] | |
Example
{
"firstName": "abc123",
"lastName": "abc123",
"passwordNeverExpires": true,
"mfaEnabled": true,
"managedRoles": [UpdateAdminRoleInput],
"resellerRoles": [UpdateAdminRoleInput]
}
UpdateAdminPayload
Fields
Field Name | Description |
---|---|
adminID - ID! | |
Example
{"adminID": 4}
UpdateAdminRoleInput
Fields
Input Field | Description |
---|---|
role - UpdateAccountRoleInput! | |
allowedEntities - [EntityInput!] | |
allowedAccounts - [ID!] | |
Example
{
"role": UpdateAccountRoleInput,
"allowedEntities": [EntityInput],
"allowedAccounts": [4]
}
UpdateHaInput
UpdateHaPayload
Fields
Field Name | Description |
---|---|
siteId - ID! | |
Example
{"siteId": "4"}
UpdateNetworkRangeInput
Fields
Input Field | Description |
---|---|
name - String | |
rangeType - SubnetType | |
subnet - IPSubnet | |
translatedSubnet - IPSubnet | |
localIp - IPAddress | Only relevant for NATIVE, SECONDARY_NATIVE, DIRECT_ROUTE, VLAN rangeType |
gateway - IPAddress | Only relevant for ROUTED_ROUTE rangeType |
vlan - Int | Only relevant for VLAN rangeType |
azureFloatingIp - IPAddress | Only relevant for AZURE HA sites |
dhcpSettings - NetworkDhcpSettingsInput | Only relevant for NATIVE, VLAN rangeType |
Example
{
"name": "xyz789",
"rangeType": "Routed",
"subnet": IPSubnet,
"translatedSubnet": IPSubnet,
"localIp": IPAddress,
"gateway": IPAddress,
"vlan": 123,
"azureFloatingIp": IPAddress,
"dhcpSettings": NetworkDhcpSettingsInput
}
UpdateNetworkRangePayload
Fields
Field Name | Description |
---|---|
networkRangeId - ID! | |
Example
{"networkRangeId": 4}
UpdateSiteGeneralDetailsInput
Fields
Input Field | Description |
---|---|
name - String | |
siteType - SiteType | |
description - String | |
siteLocation - UpdateSiteLocationInput | |
Example
{
"name": "abc123",
"siteType": "BRANCH",
"description": "xyz789",
"siteLocation": UpdateSiteLocationInput
}
UpdateSiteGeneralDetailsPayload
Fields
Field Name | Description |
---|---|
siteId - ID! | |
Example
{"siteId": 4}
UpdateSiteLocationInput
UpdateSocketInterfaceInput
Fields
Input Field | Description |
---|---|
destType - SocketInterfaceDestType! | |
name - String | |
lan - SocketInterfaceLanInput | Only relevant for LAN, VRRP_AND_LAN, LAN_LAG_MASTER, LAN_LAG_MASTER_AND_VRRP |
bandwidth - SocketInterfaceBandwidthInput | Only relevant for CATO, ALTERNATIVE, LAYER_2_WAN |
wan - SocketInterfaceWanInput | Only relevant for CATO |
offCloud - SocketInterfaceOffCloudInput | Only relevant for CATO |
altWan - SocketInterfaceAltWanInput | Only relevant for ALTERNATIVE, LAYER_2_WAN |
lag - SocketInterfaceLagInput | Only relevant for LAN_LAG_MASTER, LAN_LAG_MASTER_AND_VRRP |
vrrp - SocketInterfaceVrrpInput | Only relevant for VRRP |
Example
{
"destType": "CATO",
"name": "xyz789",
"lan": SocketInterfaceLanInput,
"bandwidth": SocketInterfaceBandwidthInput,
"wan": SocketInterfaceWanInput,
"offCloud": SocketInterfaceOffCloudInput,
"altWan": SocketInterfaceAltWanInput,
"lag": SocketInterfaceLagInput,
"vrrp": SocketInterfaceVrrpInput
}
UpdateSocketInterfacePayload
Fields
Field Name | Description |
---|---|
siteId - ID! | |
socketInterfaceId - SocketInterfaceIDEnum! | |
Example
{"siteId": 4, "socketInterfaceId": "LAN1"}
UpdateStaticHostInput
UpdateStaticHostPayload
Fields
Field Name | Description |
---|---|
hostId - ID! | |
Example
{"hostId": 4}
UserInfo
Description
Basic User configuration information
Fields
Field Name | Description |
---|---|
name - String | Name of the VPN user |
status - OperationalStatus | Operational status of the Client |
email - String | Email address of the VPN user |
creationTime - DateTime | Timestamp when the VPN user was created in the account |
phoneNumber - String | Phone number for the VPN user |
origin - String | User creation mechanism; currently supported values are REGULAR or LDAP |
authMethod - String | Additional authentication mechanism; currently MFA or NONE |
Example
{
"name": "abc123",
"status": "active",
"email": "xyz789",
"creationTime": "2007-12-03T10:15:30Z",
"phoneNumber": "xyz789",
"origin": "abc123",
"authMethod": "xyz789"
}
UserRef
UserRole
Values
Enum Value | Description |
---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
Example
"OWNER"
UserSnapshot
Fields
Field Name | Description |
---|---|
id - ID | VPN user ID |
connectivityStatus - ConnectivityStatus | Connectivity to the Cato Cloud |
operationalStatus - OperationalStatus | Status for a site or VPN user |
name - String | User name from configuration, same as info.name |
deviceName - String | The host name of the device |
uptime - Int | How long the user has been connected (in seconds) |
lastConnected - DateTime | Last time the user was connected (relevant if not currently connected) |
version - String | VPN client version string |
versionNumber - Int | VPN client version number |
popID - Int | ID of the PoP that the Client is connected to |
popName - String | Name of the PoP that the VPN user is connected to |
remoteIP - String | IP address of the Client |
remoteIPInfo - IPInfo | IP address, ISP, and geographical information related to the Client |
internalIP - String | IP address of the PoP that the Client is connected to |
osType - String | Operating system of the device the Client is running on |
osVersion - String | Version of the operating system for the device |
devices - [DeviceSnapshot!] | Data related to the Client |
connectedInOffice - Boolean | In this state the Client does not create its own connection, but reuses the office's Socket connection |
info - UserInfo | General information about the VPN user |
recentConnections - [RecentConnection!] | Data related to the most recent completed VPN connections |
Example
{
"id": 4,
"connectivityStatus": "connected",
"operationalStatus": "active",
"name": "abc123",
"deviceName": "xyz789",
"uptime": 987,
"lastConnected": "2007-12-03T10:15:30Z",
"version": "xyz789",
"versionNumber": 123,
"popID": 123,
"popName": "xyz789",
"remoteIP": "xyz789",
"remoteIPInfo": IPInfo,
"internalIP": "abc123",
"osType": "xyz789",
"osVersion": "xyz789",
"devices": [DeviceSnapshot],
"connectedInOffice": false,
"info": UserInfo,
"recentConnections": [RecentConnection]
}
Value
Types
Union Types |
---|
Example
StringValue
VendorEnum
Values
Enum Value | Description |
---|---|
|
|
|
Example
"CATO"
VendorPredicate
Fields
Input Field | Description |
---|---|
in - [VendorEnum!] | |
not_in - [VendorEnum!] | |
Example
{"in": ["CATO"], "not_in": ["CATO"]}
VrrpType
Values
Enum Value | Description |
---|---|
|
|
|
Example
"VIA_SWITCH"