Cato Networks GraphQL API Reference

Reference documentation for Cato GraphQL API

Contact

Cato Networks Support

api@catonetworks.com

API Endpoints
https://api.catonetworks.com/api/v1/graphql2

Further readings

GraphQL Introspection Query

Use the GraphQL Introspection system to learn more about queries and types with the Cato API schema.

For more information, see the GraphQL Documentation.

Queries

accountBySubdomain

Response

Returns [AccountDataPayload!]

Arguments
Name Description
accountID - ID!
subdomains - [String!]! a list of required subdomains

Example

Query
query accountBySubdomain($accountID:ID!, $subdomains:[String!]!) {
  accountBySubdomain(accountID:$accountID, subdomains:$subdomains) {
    id
    subdomain
  }
}
Variables
{"accountID": "123", "subdomains": ["company"]}
Response
{"data": {"accountBySubdomain": [{"id": "123", "subdomain": "company"}]}}

accountMetrics

Description

The accountMetrics query helps you analyze the state and quality of the connections of sites and SDP users to the Cato Cloud. This data is for the traffic inside the DTLS tunnel between the site and the Cato Cloud. accountMetrics shows historical metrics, statistics, and analytics for the account.

Response

Returns an AccountMetrics

Arguments
Name Description
accountID - ID Unique Identifier of Account.
timeFrame - TimeFrame! The time frame for the data that the query returns. The argument is in the format type.time value. This argument is mandatory.
groupInterfaces - Boolean When the boolean argument groupInterfaces is set to true, the data for all the interfaces is aggregated into a single interface.
groupDevices - Boolean

When the boolean argument groupDevices is set to true, then the analytics for all the Sockets (usually two in high availability) are aggregated as one result.

For the best results for aggregated Sockets, we recommend consistent names and functionality (for example, Destination) for the links on both Sockets.

Note: This argument is mandatory for queries of multiple sites, and the only valid value for groupDevices is true.

Example

Query
query accountMetrics(
  $accountID:ID!,
  $timeFrame:TimeFrame!,
  $groupInterfaces: Boolean,
  $groupDevices: Boolean,
  $siteIDs: [ID!]
) {
  accountMetrics(
    accountID:$accountID,
    timeFrame: $timeFrame,
    groupInterfaces: $groupInterfaces,
    groupDevices: $groupDevices
  ) {
    id
    from
    to
    sites(siteIDs:$siteIDs) {
      id
      metrics {
        bytesUpstream
        bytesDownstream
      }
      interfaces {
        name
        metrics {
          bytesUpstream
          bytesDownstream
        }
      }
    }
  }
}
Variables
{
  "accountID": "123",
  "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
  "groupInterfaces": false,
  "groupDevices": true,
  "siteIDs": ["456", "789"]
}
Response
{
  "data": {
    "accountMetrics": {
      "id": "123",
      "from": "2023-02-28T00:00:00Z",
      "to": "2023-02-28T23:59:59Z",
      "sites": [
        {
          "id": "456",
          "metrics": {"bytesUpstream": 122324400, "bytesDownstream": 8354720},
          "interfaces": [
            {
              "name": "WAN 01",
              "metrics": {
                "bytesUpstream": 122324400,
                "bytesDownstream": 8354720
              }
            }
          ]
        },
        {
          "id": "789",
          "metrics": {"bytesUpstream": 100254955, "bytesDownstream": 3907080},
          "interfaces": [
            {
              "name": "WAN 01",
              "metrics": {
                "bytesUpstream": 100254955,
                "bytesDownstream": 3907080
              }
            }
          ]
        }
      ]
    }
  }
}
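Building the timeFrame argument by hand is the usual source of mistakes with this query, and the multi-site groupDevices rule above is easy to forget. The following is an added example (not Cato's code) that assembles the variables for the accountMetrics query shown above and sums per-site traffic from its response. The timeFrame builder assumes the utc.YYYY-MM-{DD/HH:MM:SS--DD/HH:MM:SS} spelling seen in every example on this page, and that both ends fall in the same month; the ENDPOINT constant is the URL listed under API Endpoints.

```python
from datetime import datetime, timezone

# Cato GraphQL endpoint as listed on this page (requests are not sent here).
ENDPOINT = "https://api.catonetworks.com/api/v1/graphql2"


def utc_timeframe(start: datetime, end: datetime) -> str:
    """Build a timeFrame value in the form used by every example on this page:
    utc.YYYY-MM-{DD/HH:MM:SS--DD/HH:MM:SS}.
    Assumption: both ends fall in the same calendar month (all page examples
    do); the page documents no cross-month spelling, so that case is rejected."""
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("use timezone-aware datetimes")
    start = start.astimezone(timezone.utc)
    end = end.astimezone(timezone.utc)
    if end <= start:
        raise ValueError("end must be after start")
    if (start.year, start.month) != (end.year, end.month):
        raise ValueError("start and end must fall in the same month")
    return "utc.{:04d}-{:02d}-{{{}--{}}}".format(
        start.year, start.month,
        start.strftime("%d/%H:%M:%S"), end.strftime("%d/%H:%M:%S"))


def build_variables(account_id, start, end, site_ids,
                    group_interfaces=False, group_devices=True):
    """Variables dict for the accountMetrics query above. Enforces the page's
    note that groupDevices must be true when several sites are requested."""
    if len(site_ids) > 1 and not group_devices:
        raise ValueError("groupDevices must be true for multi-site queries")
    return {
        "accountID": str(account_id),
        "timeFrame": utc_timeframe(start, end),
        "groupInterfaces": group_interfaces,
        "groupDevices": group_devices,
        "siteIDs": [str(s) for s in site_ids],
    }


def example_variables():
    """The variables of the page's own example, built through build_variables."""
    return build_variables(
        "123",
        datetime(2023, 2, 28, tzinfo=timezone.utc),
        datetime(2023, 2, 28, 23, 59, 59, tzinfo=timezone.utc),
        ["456", "789"])


def totals_per_site(response):
    """Sum bytesUpstream/bytesDownstream per site from an accountMetrics
    response. Returns {site_id: (up, down)} plus the account-wide sum under "*"."""
    data = response.get("data") or {}
    if response.get("errors") or not data.get("accountMetrics"):
        raise RuntimeError("accountMetrics missing: %s" % response.get("errors"))
    out, up_total, down_total = {}, 0, 0
    for site in data["accountMetrics"]["sites"]:
        up = site["metrics"]["bytesUpstream"]
        down = site["metrics"]["bytesDownstream"]
        out[site["id"]] = (up, down)
        up_total += up
        down_total += down
    out["*"] = (up_total, down_total)
    return out


# Site-level part of the sample response shown on this page (ids 456 and 789).
SAMPLE_RESPONSE = {"data": {"accountMetrics": {
    "id": "123", "from": "2023-02-28T00:00:00Z", "to": "2023-02-28T23:59:59Z",
    "sites": [
        {"id": "456", "metrics": {"bytesUpstream": 122324400, "bytesDownstream": 8354720}},
        {"id": "789", "metrics": {"bytesUpstream": 100254955, "bytesDownstream": 3907080}},
    ]}}}

if __name__ == "__main__":
    print(example_variables()["timeFrame"])
    print(totals_per_site(SAMPLE_RESPONSE))
```

Because GraphQL returns HTTP 200 for most application-level failures, totals_per_site refuses to silently treat an `errors` payload as "zero traffic"; that distinction matters when the numbers feed a dashboard or an alert.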

accountRoles

Response

Returns an AccountRolesResult!

Arguments
Name Description
accountID - ID!
accountType - AccountType

Example

Query
query accountRoles($accountID:ID!){
  accountRoles(accountID: $accountID) {
    items {
      name
      isPredefined
    }
    total
  }
}
Variables
{"accountID": "123"}
Response
{
  "data": {
    "accountRoles": {
      "items": [
        {"name": "Editor", "isPredefined": true},
        {"name": "Viewer", "isPredefined": true},
        {"name": "Network admin", "isPredefined": true},
        {"name": "Security Admin", "isPredefined": true},
        {"name": "Access Admin", "isPredefined": true}
      ],
      "total": 5
    }
  }
}

accountSnapshot

Description

Current snapshot-based metrics that show near real‑time data for the account. Provides analytics that are similar to the Topology page for the account.

Response

Returns an AccountSnapshot

Arguments
Name Description
accountID - ID Unique Identifier of Account.

Example

Query
query accountSnapshot($accountID:ID!) {
  accountSnapshot(accountID:$accountID) {
    sites {
      connectivityStatus
      haStatus{
        readiness
        wanConnectivity
        keepalive
        socketVersion
      }
      operationalStatus
      lastConnected
      connectedSince
      devices {
        connected
        version
      }
    }
    users {
      connectivityStatus
      connectedInOffice
      name
      deviceName
    }
    timestamp
  }
}
Variables
{"accountID": "123"}
Response
{
  "data": {
    "accountSnapshot": {
      "sites": [
        {
          "connectivityStatus": "connected",
          "haStatus": {
            "readiness": "ready",
            "wanConnectivity": "ok",
            "keepalive": "ok",
            "socketVersion": "ok"
          },
          "operationalStatus": "active",
          "lastConnected": "2023-02-28T13:21:05Z",
          "connectedSince": "2023-02-27T15:10:06Z",
          "devices": [
            {"connected": true, "version": "17.0.16303"},
            {"connected": true, "version": "17.0.16303"}
          ]
        },
        {
          "connectivityStatus": "disconnected",
          "haStatus": null,
          "operationalStatus": "active",
          "lastConnected": "2020-03-11T13:43:40Z",
          "connectedSince": null,
          "devices": [{"connected": false, "version": ""}]
        }
      ],
      "users": [
        {
          "connectivityStatus": "connected",
          "connectedInOffice": false,
          "name": "Employee Domywork",
          "deviceName": "Employee’s MacBook Pro"
        },
        {
          "connectivityStatus": "connected",
          "connectedInOffice": false,
          "name": "Alice Bobs",
          "deviceName": "Alice’s MacBook Pro"
        }
      ],
      "timestamp": "2023-02-28T13:22:21Z"
    }
  }
}
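The snapshot above is what an operator would poll to catch sites that have dropped off or HA pairs that are not ready. As an added example (not part of this reference), the code below walks the accountSnapshot response shown above and produces findings; the finding codes and the "whole days since lastConnected" detail are this example's own conventions, and the sample is the page's response with its timestamps.

```python
from datetime import datetime, timezone


def _parse(ts):
    """Snapshot timestamps on this page look like 2023-02-28T13:21:05Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def site_findings(snapshot):
    """Return (site_index, code, detail) tuples for anything worth a look.
    Codes are this example's own:
      disconnected  site not connected; detail = whole days since lastConnected
      ha_not_ready  haStatus present but readiness != "ready"
      device_down   a Socket reports connected == false
      version_skew  connected Sockets of one site run different versions"""
    now = _parse(snapshot["timestamp"])
    findings = []
    for idx, site in enumerate(snapshot["sites"]):
        if site["connectivityStatus"] != "connected":
            last = site.get("lastConnected")
            days = (now - _parse(last)).days if last else None
            findings.append((idx, "disconnected", days))
        ha = site.get("haStatus")
        if ha and ha.get("readiness") != "ready":
            findings.append((idx, "ha_not_ready", ha))
        devices = site.get("devices") or []
        for dev in devices:
            if not dev.get("connected"):
                findings.append((idx, "device_down", dev.get("version")))
        versions = {d["version"] for d in devices if d.get("connected")}
        if len(versions) > 1:
            findings.append((idx, "version_skew", sorted(versions)))
    return findings


def remote_user_names(snapshot):
    """Names of connected SDP users whose connectedInOffice flag is false."""
    return [u["name"] for u in snapshot["users"]
            if u["connectivityStatus"] == "connected" and not u["connectedInOffice"]]


# The accountSnapshot object from the sample response on this page.
SAMPLE_SNAPSHOT = {
    "sites": [
        {"connectivityStatus": "connected",
         "haStatus": {"readiness": "ready", "wanConnectivity": "ok",
                      "keepalive": "ok", "socketVersion": "ok"},
         "operationalStatus": "active",
         "lastConnected": "2023-02-28T13:21:05Z",
         "connectedSince": "2023-02-27T15:10:06Z",
         "devices": [{"connected": True, "version": "17.0.16303"},
                     {"connected": True, "version": "17.0.16303"}]},
        {"connectivityStatus": "disconnected", "haStatus": None,
         "operationalStatus": "active",
         "lastConnected": "2020-03-11T13:43:40Z", "connectedSince": None,
         "devices": [{"connected": False, "version": ""}]},
    ],
    "users": [
        {"connectivityStatus": "connected", "connectedInOffice": False,
         "name": "Employee Domywork", "deviceName": "Employee's MacBook Pro"},
        {"connectivityStatus": "connected", "connectedInOffice": False,
         "name": "Alice Bobs", "deviceName": "Alice's MacBook Pro"},
    ],
    "timestamp": "2023-02-28T13:22:21Z",
}

if __name__ == "__main__":
    for finding in site_findings(SAMPLE_SNAPSHOT):
        print(finding)
    print(remote_user_names(SAMPLE_SNAPSHOT))
```

The age is measured against the snapshot's own `timestamp` rather than the local clock, so replaying an old snapshot (for example from a stored poll) yields the same result it would have at capture time.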

admin

Response

Returns a GetAdminPayload

Arguments
Name Description
accountId - ID!
adminID - ID!

Example

Query
query admin($accountId:ID!, $adminID:ID!) {
  admin(accountId:$accountId, adminID:$adminID) {
    id
    firstName
    lastName
    email
    creationDate
    mfaEnabled
    managedRoles {
      role {
        name
      }
    }
  }
}
Variables
{"accountId": "123", "adminID": "456"}
Response
{
  "data": {
    "admin": {
      "id": "456",
      "firstName": "Name",
      "lastName": "Surname",
      "email": "name.surname@company.org",
      "creationDate": "Dec 27, 2020 9:30:34 AM",
      "mfaEnabled": false,
      "managedRoles": [{"role": {"name": "Viewer"}}]
    }
  }
}

admins

Response

Returns an AdminsResult

Arguments
Name Description
accountID - ID!
limit - Int
Default
50
from - Int
Default
0
search - String
Default
""
sort - [SortInput]
adminIDs - [ID!]

Example

Query
query admins($accountId:ID!, $limit: Int) {
  admins(accountID:$accountId, limit: $limit) {
    items {
      id
      email
      managedRoles {
        role {
          name
        }
      }
    }
    total
  }
}
Variables
{"accountId": "123", "limit": 2}
Response
{
  "data": {
    "admins": {
      "items": [
        {
          "id": "1",
          "email": "editor@company.org",
          "managedRoles": [{"role": {"name": "Editor"}}]
        },
        {
          "id": "2",
          "email": "viewer@company.org",
          "managedRoles": [{"role": {"name": "Viewer"}}]
        }
      ],
      "total": 3
    }
  }
}
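The admins listing above omits mfaEnabled, while the admin query on this page returns it per administrator, so an MFA audit has to combine the two: page through admins, then fetch each admin's detail. The following is an added example, not Cato's own tooling: the transport is a stand-in that serves a constructed directory shaped like the fields selected in the two queries, the paging stops when the `total` count is reached, and the set of roles treated as privileged is this example's choice (the names come from the accountRoles sample on this page).

```python
ADMINS_QUERY = """query admins($accountId:ID!, $limit:Int, $from:Int) {
  admins(accountID:$accountId, limit:$limit, from:$from) {
    items { id email managedRoles { role { name } } }
    total
  }
}"""

ADMIN_QUERY = """query admin($accountId:ID!, $adminID:ID!) {
  admin(accountId:$accountId, adminID:$adminID) {
    id email mfaEnabled managedRoles { role { name } }
  }
}"""

# Constructed directory shaped like the GetAdminPayload fields selected above.
FAKE_DIRECTORY = {
    "1": {"id": "1", "email": "editor@company.org", "mfaEnabled": True,
          "managedRoles": [{"role": {"name": "Editor"}}]},
    "2": {"id": "2", "email": "viewer@company.org", "mfaEnabled": False,
          "managedRoles": [{"role": {"name": "Viewer"}}]},
    "3": {"id": "3", "email": "secadmin@company.org", "mfaEnabled": False,
          "managedRoles": [{"role": {"name": "Security Admin"}}]},
}


def fake_execute(query, variables):
    """Stand-in for POSTing {"query": ..., "variables": ...} to the endpoint."""
    if query.lstrip().startswith("query admins"):
        items = [{k: a[k] for k in ("id", "email", "managedRoles")}
                 for a in FAKE_DIRECTORY.values()]
        start = variables.get("from", 0)
        stop = start + variables.get("limit", 50)
        return {"data": {"admins": {"items": items[start:stop], "total": len(items)}}}
    return {"data": {"admin": FAKE_DIRECTORY.get(str(variables["adminID"]))}}


# Roles from the accountRoles sample that this example treats as privileged.
PRIVILEGED_ROLES = {"Editor", "Network admin", "Security Admin", "Access Admin"}


def mfa_report(execute, account_id, page_size=50):
    """List administrators with mfaEnabled == false; those holding a
    privileged role are rated high, the rest medium."""
    report, offset = [], 0
    while True:
        page = execute(ADMINS_QUERY, {"accountId": account_id,
                                      "limit": page_size, "from": offset})["data"]["admins"]
        for item in page["items"]:
            detail = execute(ADMIN_QUERY, {"accountId": account_id,
                                           "adminID": item["id"]})["data"]["admin"]
            if detail is None or detail["mfaEnabled"]:
                continue
            roles = [r["role"]["name"] for r in detail["managedRoles"]]
            severity = "high" if PRIVILEGED_ROLES.intersection(roles) else "medium"
            report.append({"id": detail["id"], "email": detail["email"],
                           "roles": roles, "severity": severity})
        offset += len(page["items"])
        if not page["items"] or offset >= page["total"]:
            break
    return report

if __name__ == "__main__":
    for row in mfa_report(fake_execute, "123", page_size=2):
        print(row)
```

Replacing `fake_execute` with a function that POSTs to the endpoint keeps the audit logic unchanged; the empty-page guard in the loop means a `total` that is larger than the number of items actually returned cannot make the loop spin.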

appStats

Description

BETA

Response

Returns an AppStats

Arguments
Name Description
accountID - ID! Account ID
timeFrame - TimeFrame!
measures - [Measure]
dimensions - [Dimension]
filters - [AppStatsFilter!]
sort - [AppStatsSort!]

Example

Query
query appStats(
  $accountID:ID!, 
  $timeFrame:TimeFrame!,
  $measures: [Measure],
  $dimensions:[Dimension],
  $sort:[AppStatsSort!],
  $limit:Int,
  $from:Int,
) {
  appStats(
    accountID: $accountID,
    timeFrame: $timeFrame,
    measures: $measures,
    dimensions:$dimensions,
    sort:$sort,
  ) {
    from
    to
    records(limit:$limit, from:$from){
      fieldsMap
      fieldsUnitTypes
    }
  }
}
Variables
{
  "accountID": "123",
  "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
  "dimensions": [{"fieldName": "app"}],
  "sort": [{"fieldName": "traffic", "order": "desc"}],
  "measures": [
    {"fieldName": "traffic", "aggType": "sum"},
    {"fieldName": "application", "aggType": "any"}
  ],
  "limit": 5,
  "from": 0
}
Response
{
  "data": {
    "appStats": {
      "from": "2023-02-28T00:00:00Z",
      "to": "2023-03-01T00:00:00Z",
      "records": [
        {
          "fieldsMap": {
            "app": "zoom",
            "application": "Zoom",
            "traffic": "95138282696"
          },
          "fieldsUnitTypes": ["none", "none", "bytes"]
        },
        {
          "fieldsMap": {
            "app": "udp",
            "application": "UDP",
            "traffic": "45401221439"
          },
          "fieldsUnitTypes": ["none", "none", "bytes"]
        },
        {
          "fieldsMap": {
            "app": "Tech",
            "application": "Technological apps",
            "traffic": "13982474567"
          },
          "fieldsUnitTypes": ["none", "none", "bytes"]
        },
        {
          "fieldsMap": {
            "app": "AppleSoftwareupdate",
            "application": "Apple software update",
            "traffic": "11624258191"
          },
          "fieldsUnitTypes": ["none", "none", "bytes"]
        }
      ]
    }
  }
}

appStatsTimeSeries

Description

BETA

Response

Returns an AppStatsTimeSeries

Arguments
Name Description
accountID - ID! Account ID
timeFrame - TimeFrame!
measures - [Measure]
dimensions - [Dimension]
filters - [AppStatsFilter!]

Example

Query
query appStatsTimeSeries(
  $accountID:ID!,
  $timeFrame:TimeFrame!,
  $measures: [Measure],
  $buckets:Int!
) {
  appStatsTimeSeries(
    accountID:$accountID,
    timeFrame:$timeFrame,
    measures: $measures
  ) {
    from
    to
    granularity
    timeseries(buckets:$buckets) {
      label
      data
      key {
        measureFieldName
      }
    }
  }
}
Variables
{
  "accountID": "123",
  "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
  "measures": [
    {"fieldName": "upstream", "aggType": "sum"},
    {"fieldName": "downstream", "aggType": "sum"}
  ],
  "buckets": 5
}
Response
{
  "data": {
    "appStatsTimeSeries": {
      "from": "2023-02-28T00:00:00Z",
      "to": "2023-03-01T00:00:00Z",
      "granularity": 14400,
      "timeseries": [
        {
          "label": "sum(upstream)",
          "data": [
            [1677542400000, 77192],
            [1677556800000, 742410],
            [1677571200000, 5335372],
            [1677585600000, 2239509],
            [1677600000000, 0],
            [1677614400000, 0]
          ],
          "key": {"measureFieldName": "upstream"}
        },
        {
          "label": "sum(downstream)",
          "data": [
            [1677542400000, 209763],
            [1677556800000, 1713925],
            [1677571200000, 7719290],
            [1677585600000, 2573650],
            [1677600000000, 0],
            [1677614400000, 0]
          ],
          "key": {"measureFieldName": "downstream"}
        }
      ]
    }
  }
}

auditFeed

Description

Audit Feed for account changes

Response

Returns an AuditFeed

Arguments
Name Description
accountIDs - [ID!] List of Unique Account Identifiers.
timeFrame - TimeFrame!
filters - [AuditFieldFilterInput!]
marker - String Marker to use to get results from

Example

Query
query auditFeed($accountID:ID!, $timeFrame: TimeFrame!){
  auditFeed(accountIDs:[$accountID], timeFrame:$timeFrame) {
    from
    to
    fetchedCount
    accounts {
      id
      records{
        admin {
          name
        }
        object {
          name
        }
        time
        fields {
          name
          value {
            ... on Entity {
              name
              id
              type
            }
            ... on StringValue {
              string
            }
            ... on DateValue {
              date
            }
          }
        }
      }
    }
  }
}
Variables
{"accountID": "123", "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}"}
Response
{
  "data": {
    "auditFeed": {
      "from": "2023-02-28T00:00:00Z",
      "to": "2023-02-28T23:59:59Z",
      "fetchedCount": 1,
      "accounts": [
        {
          "id": "123",
          "records": [
            {
              "time": "2023-02-28T08:48:21Z",
              "fields": [
                {
                  "name": "admin",
                  "value": {
                    "name": "admin@company.org",
                    "id": "456",
                    "type": "admin"
                  }
                },
                {
                  "name": "change.Before.description",
                  "value": {"string": "Description before change"}
                },
                {
                  "name": "change.After.description",
                  "value": {"string": "Description after change"}
                },
                {"name": "model_name", "value": {"string": "Site name"}},
                {"name": "module", "value": {"string": "Configuration"}},
                {"name": "change_type", "value": {"string": "MODIFIED"}},
                {"name": "creation_date", "value": {"string": "1677574090000"}},
                {"name": "model_type", "value": {"string": "Site"}},
                {"name": "admin_id", "value": {"string": "456"}},
                {
                  "name": "insertion_date",
                  "value": {"date": "2023-02-28T08:48:21Z"}
                },
                {"name": "account_id", "value": {"string": "123"}}
              ]
            }
          ]
        }
      ]
    }
  }
}
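Every audit record comes back as a flat list of name/value pairs whose value is one of three union members (Entity, StringValue, DateValue), and the before/after state of a change is spread over two `change.Before.*` and `change.After.*` fields. The code below is an added example (not from this reference) that collapses one record into a dict and extracts a change summary; the sample record is the one from the response above, and the epoch-millisecond reading of creation_date is inferred from the sample value, which lands ten seconds before the record's own `time`.

```python
from datetime import datetime, timezone


def flatten_fields(record):
    """Collapse an auditFeed record's fields list into {name: value}.
    Union members seen on this page: StringValue (string), DateValue (date),
    Entity (id/name/type)."""
    flat = {}
    for field in record["fields"]:
        value = field["value"]
        if "string" in value:
            flat[field["name"]] = value["string"]
        elif "date" in value:
            flat[field["name"]] = value["date"]
        elif "id" in value:
            flat[field["name"]] = {"id": value["id"], "name": value.get("name"),
                                   "type": value.get("type")}
        else:
            flat[field["name"]] = value
    return flat


def epoch_ms_to_iso(ms):
    """creation_date in the sample is a millisecond epoch carried as a string."""
    return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def describe_change(record):
    """Summarize who changed what, pairing change.Before.X with change.After.X."""
    flat = flatten_fields(record)
    before, after = "change.Before.", "change.After."
    diffs = {}
    for key, val in flat.items():
        if key.startswith(before):
            attr = key[len(before):]
            diffs[attr] = (val, flat.get(after + attr))
    admin = flat.get("admin")
    return {
        "time": record.get("time"),
        "created": epoch_ms_to_iso(flat["creation_date"]) if "creation_date" in flat else None,
        "admin": admin["name"] if isinstance(admin, dict) else admin,
        "module": flat.get("module"),
        "change_type": flat.get("change_type"),
        "object": "%s %r" % (flat.get("model_type"), flat.get("model_name")),
        "diffs": diffs,
    }


# The single record from the auditFeed sample response on this page.
SAMPLE_RECORD = {
    "time": "2023-02-28T08:48:21Z",
    "fields": [
        {"name": "admin", "value": {"name": "admin@company.org", "id": "456", "type": "admin"}},
        {"name": "change.Before.description", "value": {"string": "Description before change"}},
        {"name": "change.After.description", "value": {"string": "Description after change"}},
        {"name": "model_name", "value": {"string": "Site name"}},
        {"name": "module", "value": {"string": "Configuration"}},
        {"name": "change_type", "value": {"string": "MODIFIED"}},
        {"name": "creation_date", "value": {"string": "1677574090000"}},
        {"name": "model_type", "value": {"string": "Site"}},
        {"name": "admin_id", "value": {"string": "456"}},
        {"name": "insertion_date", "value": {"date": "2023-02-28T08:48:21Z"}},
        {"name": "account_id", "value": {"string": "123"}},
    ],
}

if __name__ == "__main__":
    print(describe_change(SAMPLE_RECORD))
```

Keeping the raw record alongside the summary is worth doing when these feed a SIEM: the flattened dict loses the Entity/StringValue distinction, which is exactly the information needed to tell an admin reference from a free-text field.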

entityLookup

Description

Look up entities of a specific type, optionally filtered and paged

Response

Returns an EntityLookupResult!

Arguments
Name Description
accountID - ID! The account ID (or 0 for non-authenticated requests)
type - EntityType! Type of entity to look up
limit - Int Sets the maximum number of items to retrieve
Default
50
from - Int Sets the offset number of items (for paging)
Default
0
parent - EntityInput Return only items under a parent entity (a site, VPN user, etc.); for example, to filter for networks that belong to a specific site
search - String Adds additional search parameters for the lookup. Available options: for a country lookup, "removeExcluded" returns only allowed countries; for a countryState lookup, a country code ("US", "CN", etc.) returns that country's states
Default
""
entityIDs - [ID!] Adds additional search criteria to fetch only the selected list of entity IDs. This option is not universally available and may not be applicable to specific Entity types. If used on a non-applicable entity type, an error is generated.
sort - [SortInput] Adds additional sort criteria for the lookup. This option is not universally available and may not be applicable to specific Entity types.
filters - [LookupFilterInput] Custom filters for entityLookup
helperFields - [String!] Additional helper fields

Example

Query
query entityLookup($accountID:ID!, $limit:Int, $type:EntityType!) {
  entityLookup(accountID: $accountID, type:$type, limit: $limit) {
    items {
      entity{
        id
        name
      }
    }
    total
  }
}
Variables
{"accountID": "123", "limit": 2, "type": "site"}
Response
{
  "data": {
    "entityLookup": {
      "items": [
        {"entity": {"id": "45040", "name": "azure_test"}},
        {"entity": {"id": "75791", "name": "esx_test"}}
      ],
      "total": 5
    }
  }
}
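The sample above returns 2 of 5 sites because of `limit`, so a complete inventory has to advance `from` until `total` is reached. As an added example (not part of this reference), the code below implements that offset loop against a stand-in transport; the first two site ids and names are the ones in the sample response, the remaining three are constructed so that the total matches the page's `"total": 5`.

```python
ENTITY_LOOKUP_QUERY = """query entityLookup($accountID:ID!, $type:EntityType!, $limit:Int, $from:Int) {
  entityLookup(accountID:$accountID, type:$type, limit:$limit, from:$from) {
    items { entity { id name } }
    total
  }
}"""

# Constructed site list: first two entries from the page's sample, rest made up.
FAKE_SITES = [
    {"id": "45040", "name": "azure_test"},
    {"id": "75791", "name": "esx_test"},
    {"id": "90001", "name": "branch-a"},
    {"id": "90002", "name": "branch-b"},
    {"id": "90003", "name": "branch-c"},
]
CALLS = []  # every variables dict the stand-in transport was asked for


def fake_execute(query, variables):
    """Stand-in for an HTTP POST to the endpoint; slices FAKE_SITES by from/limit."""
    CALLS.append(dict(variables))
    start = variables.get("from", 0)
    stop = start + variables.get("limit", 50)
    page = FAKE_SITES[start:stop]
    return {"data": {"entityLookup": {"items": [{"entity": e} for e in page],
                                      "total": len(FAKE_SITES)}}}


def lookup_all(execute, account_id, entity_type, page_size=50, max_pages=1000):
    """Follow limit/from offsets until `total` entities have been collected.
    An empty page ends the loop early, so a miscounted `total` cannot spin it."""
    entities, offset = [], 0
    for _ in range(max_pages):
        resp = execute(ENTITY_LOOKUP_QUERY, {"accountID": account_id, "type": entity_type,
                                             "limit": page_size, "from": offset})
        if resp.get("errors"):
            raise RuntimeError(resp["errors"][0].get("message", "entityLookup failed"))
        result = resp["data"]["entityLookup"]
        entities.extend(item["entity"] for item in result["items"])
        offset += len(result["items"])
        if not result["items"] or offset >= result["total"]:
            break
    return entities

if __name__ == "__main__":
    for entity in lookup_all(fake_execute, "123", "site", page_size=2):
        print(entity["id"], entity["name"])
    print("pages fetched:", len(CALLS))
```

The `errors` check matters for this query in particular: the entityIDs and sort arguments are documented above as raising an error on entity types they do not apply to, and that error arrives in the GraphQL `errors` array rather than as an HTTP failure.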

events

Description

BETA

Response

Returns an Events

Arguments
Name Description
accountID - ID! Account ID
timeFrame - TimeFrame!
measures - [EventsMeasure]
dimensions - [EventsDimension]
filters - [EventsFilter!]
sort - [EventsSort!]

Example

Query
query events($accountID:ID!, $timeFrame:TimeFrame!) {
  events(accountID: $accountID, timeFrame:$timeFrame, measures: {fieldName: event_count, aggType: sum}) {
    records {
      flatFields
      fieldsMap
    }
  }
}
Variables
{"accountID": "123", "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}"}
Response
{
  "data": {
    "events": {
      "records": [
        {
          "flatFields": [["event_count", "2"]],
          "fieldsMap": {"event_count": "2"}
        }
      ]
    }
  }
}

eventsFeed

Description

Event feed for events, paged by a marker that encodes topic partition offsets

Response

Returns an EventsFeedData

Arguments
Name Description
accountIDs - [ID!] List of Unique Account Identifiers.
filters - [EventFeedFieldFilterInput!]
marker - String Marker to use to get results from

Example

Query
query eventsFeed(
  $accountIDs: [ID!],
  $filters: [EventFeedFieldFilterInput!]
) {
  eventsFeed(
    accountIDs: $accountIDs,
    filters: $filters,
  ) {
    marker
    fetchedCount
    accounts {
      id
      errorString
      records {
        fieldsMap
      }
    }
  }
}
Variables
{
  "accountIDs": [123],
  "filters": [
    {
      "fieldName": "event_type",
      "operator": "is_not",
      "values": ["Sockets Management"]
    },
    {
      "fieldName": "event_sub_type",
      "operator": "is",
      "values": ["Disconnected"]
    }
  ]
}
Response
{
  "data": {
    "eventsFeed": {
      "marker": "W3siVG9waWMiOiIxODIiLCJQYXJ0aXRpb24iOjAsIk9mZnNldCI6MzIxNTM4fV0=",
      "fetchedCount": 1,
      "accounts": [
        {
          "id": "123",
          "errorString": "",
          "records": [
            {
              "fieldsMap": {
                "ISP_name": "IP Addresses Are Assigned Statically",
                "account_id": "123",
                "client_version": "8.0.4127",
                "event_count": "1",
                "event_sub_type": "Disconnected",
                "event_type": "Connectivity",
                "internalId": "7r0c7xUYIf",
                "link_type": "Cato",
                "pop_name": "Amsterdam",
                "socket_interface": "WAN1",
                "src_country": "Israel",
                "src_country_code": "IL",
                "src_is_site_or_vpn": "Site",
                "src_isp_ip": "1.2.3.4",
                "src_site": "native-range",
                "time": "1677170467000",
                "tunnel_protocol": "DTLS"
              }
            }
          ]
        }
      ]
    }
  }
}
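Unlike entityLookup, eventsFeed is a cursor feed: each response carries a `marker` that you hand back on the next call, and a collector has to persist it between runs so no events are skipped or re-read. The code below is an added example (not Cato's), not the page's own sample: it drains the feed through a stand-in transport that serves two constructed pages of Connectivity/Disconnected events followed by an empty one, and uses "fetchedCount is 0" as the assumed end-of-data condition. The marker shown in the sample response base64-decodes to a JSON list of topic/partition/offset entries, which the helper reads purely for illustration; in real use the marker should be treated as opaque.

```python
import base64
import json

EVENTS_FEED_QUERY = """query eventsFeed($accountIDs:[ID!], $filters:[EventFeedFieldFilterInput!], $marker:String) {
  eventsFeed(accountIDs:$accountIDs, filters:$filters, marker:$marker) {
    marker
    fetchedCount
    accounts { id errorString records { fieldsMap } }
  }
}"""

# Same filters as the page's example: disconnect events, excluding Sockets Management.
DISCONNECT_FILTERS = [
    {"fieldName": "event_type", "operator": "is_not", "values": ["Sockets Management"]},
    {"fieldName": "event_sub_type", "operator": "is", "values": ["Disconnected"]},
]

# Marker from the sample response on this page.
PAGE_MARKER = "W3siVG9waWMiOiIxODIiLCJQYXJ0aXRpb24iOjAsIk9mZnNldCI6MzIxNTM4fV0="


def decode_marker(marker):
    """Read the sample marker (base64 JSON). For illustration only; treat real markers as opaque."""
    return json.loads(base64.b64decode(marker))


def _page(marker, records):
    return {"data": {"eventsFeed": {"marker": marker, "fetchedCount": len(records),
            "accounts": [{"id": "123", "errorString": "",
                          "records": [{"fieldsMap": r} for r in records]}]}}}


# Constructed feed keyed by the marker the client sends: two pages, then an empty one.
FAKE_FEED = {
    None: _page("marker-1", [{"event_type": "Connectivity", "event_sub_type": "Disconnected",
                              "src_site": "native-range", "time": "1677170467000"}]),
    "marker-1": _page("marker-2", [{"event_type": "Connectivity", "event_sub_type": "Disconnected",
                                    "src_site": "branch-b", "time": "1677170999000"}]),
    "marker-2": _page("marker-2", []),
}


def fake_execute(query, variables):
    """Stand-in for an HTTP POST to the endpoint."""
    return FAKE_FEED[variables.get("marker")]


def drain_feed(execute, account_ids, filters, marker=None, max_pages=100):
    """Page through eventsFeed until a page reports fetchedCount 0 (assumed end
    condition). Returns (records, marker_to_persist_for_the_next_run)."""
    records = []
    for _ in range(max_pages):
        feed = execute(EVENTS_FEED_QUERY, {"accountIDs": account_ids, "filters": filters,
                                           "marker": marker})["data"]["eventsFeed"]
        for account in feed["accounts"]:
            if account["errorString"]:
                raise RuntimeError("account %s: %s" % (account["id"], account["errorString"]))
            records.extend(r["fieldsMap"] for r in account["records"])
        marker = feed["marker"]
        if feed["fetchedCount"] == 0:
            break
    return records, marker


def disconnects_by_site(records):
    """Count Disconnected events per src_site; a quick flapping-site view."""
    counts = {}
    for r in records:
        if r.get("event_sub_type") == "Disconnected":
            counts[r.get("src_site")] = counts.get(r.get("src_site"), 0) + 1
    return counts

if __name__ == "__main__":
    recs, last_marker = drain_feed(fake_execute, ["123"], DISCONNECT_FILTERS)
    print(len(recs), "records; persist marker:", last_marker)
    print(disconnects_by_site(recs))
    print(decode_marker(PAGE_MARKER))
```

Store `last_marker` durably only after the records of that run have been written to their destination; persisting it first and then failing to write loses the window, since a later call with the new marker starts after those events.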

eventsTimeSeries

Description

BETA

Response

Returns an EventsTimeSeries

Arguments
Name Description
accountID - ID! Account ID
timeFrame - TimeFrame!
measures - [EventsMeasure]
dimensions - [EventsDimension]
filters - [EventsFilter!]

Example

Query
query eventsTimeSeries(
  $accountID: ID!,
  $filters: [EventsFilter!],
  $timeFrame: TimeFrame!,
  $measures: [EventsMeasure],
  $buckets: Int!
) {
  eventsTimeSeries(
    accountID: $accountID,
    filters: $filters,
    timeFrame:$timeFrame,
    measures: $measures
  ) {
    id
    from
    to
    granularity
    timeseries(buckets:$buckets) {
      label
      data
    }
  }
}
Variables
{
  "accountID": "4125",
  "timeFrame": "utc.2023-02-{28/00:00:00--28/23:59:59}",
  "measures": [{"fieldName": "event_count", "aggType": "sum"}],
  "buckets": 4
}
Response
{
  "data": {
    "eventsTimeSeries": {
      "id": "4125",
      "from": "2023-02-28T00:00:00Z",
      "to": "2023-03-01T00:00:00Z",
      "granularity": 21600,
      "timeseries": [
        {
          "label": "sum(event_count)",
          "data": [
            [1677542400000, 5],
            [1677564000000, 2],
            [1677585600000, 0],
            [1677607200000, 5]
          ]
        }
      ]
    }
  }
}
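Both appStatsTimeSeries and eventsTimeSeries above return each series as a list of `[epoch_milliseconds, value]` pairs with a `granularity` in seconds, so the same reader serves both. The following is an added example (not from this reference) that converts a series to UTC timestamps, checks that the buckets really are `granularity` seconds apart, and reports the total and peak bucket; the sample is the eventsTimeSeries response shown above.

```python
from datetime import datetime, timezone


def series_points(data):
    """[[epoch_ms, value], ...] -> [(UTC datetime, value), ...]."""
    return [(datetime.fromtimestamp(ms / 1000, tz=timezone.utc), v) for ms, v in data]


def spacing_matches(data, granularity_seconds):
    """True when every consecutive pair of buckets is exactly granularity apart."""
    return all(b[0] - a[0] == granularity_seconds * 1000 for a, b in zip(data, data[1:]))


def summarize(series_entry, granularity_seconds):
    """Total, bucket count, peak bucket and a spacing check for one timeseries entry."""
    pts = series_points(series_entry["data"])
    total = sum(v for _, v in pts)
    peak_time, peak_value = max(pts, key=lambda p: p[1])   # first maximum wins on ties
    return {
        "label": series_entry["label"],
        "buckets": len(pts),
        "total": total,
        "peak_at": peak_time.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "peak": peak_value,
        "evenly_spaced": spacing_matches(series_entry["data"], granularity_seconds),
    }


# eventsTimeSeries sample from this page: granularity 21600 s, four buckets.
SAMPLE_GRANULARITY = 21600
SAMPLE_SERIES = {
    "label": "sum(event_count)",
    "data": [[1677542400000, 5], [1677564000000, 2], [1677585600000, 0], [1677607200000, 5]],
}

if __name__ == "__main__":
    print(summarize(SAMPLE_SERIES, SAMPLE_GRANULARITY))
```

Note that the appStatsTimeSeries sample above requests 5 buckets but returns 6 data points at 14400-second spacing; the spacing check still passes for it, which is why a consumer should size arrays from the data returned rather than from the `buckets` it asked for.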

subDomains

Description

The subDomains query helps you retrieve the URL of an account. The query supports three different scenarios:

  1. Regular account - Return only the single subdomain of the regular account
  2. Reseller account - Return all subdomains, including the reseller account subdomain
  3. Reseller account - Return only the reseller account subdomain

Response

Returns [SubDomain!]!

Arguments
Name Description
accountID - ID! Unique Identifier of Account
managedAccount - Boolean When the boolean argument managedAccount is set to true (default), then the query returns all subdomains related to the account

Example

Query
query subDomains($accountID:ID!, $managedAccount:Boolean) {
  subDomains(accountID:$accountID, managedAccount:$managedAccount) {
    accountId
    accountName
    accountType
    subDomain
  }
}
Variables
{"accountID": "123", "managedAccount": true}
Response
{
  "data": {
    "subDomains": [
      {
        "accountId": "123",
        "accountName": "Gamma LLC",
        "accountType": "Reseller",
        "subdomain": "subdomain3"
      },
      {
        "accountId": "1235",
        "accountName": "Delta Inc.",
        "accountType": "Regular",
        "subdomain": "subdomain4"
      }
    ]
  }
}

LicensingQueries

licensingInfo

Description

BETA

Response

Returns a LicensingInfo

Example

Query
query licensingInfo($accountId: ID!){
  licensing(accountId: $accountId) {
    licensingInfo {
      globalLicenseAllocations {
        publicIps {
          total
          allocated
          available
        }
        ztnaUsers {
          total
          allocated
          available
        }
      }
      licenses {
        sku
        plan
        status
        expirationDate
        startDate
        lastUpdated
        ... on QuantifiableLicense {
          total
        }
        ... on DataLakeLicense {
          dpaVersion
        }
        ... on PooledBandwidthLicense {
          siteLicenseGroup
          siteLicenseType
          allocatedBandwidth
          sites {
            site {
              id
              name
            }
            allocatedBandwidth
          }
        }
        ... on SiteLicense {
          siteLicenseGroup
          regionality
          siteLicenseType
          site {
            id
            name
          }
        }
        ... on ZtnaUsersLicense {
          ztnaUsersLicenseGroup
        }
      }
    }
  }
}
Variables
{"accountId": "12345"}
Response
{
  "data": {
    "licensing": {
      "licensingInfo": {
        "globalLicenseAllocations": {
          "publicIps": {"total": 68, "allocated": 0, "available": 68},
          "ztnaUsers": {"total": 15, "allocated": 5, "available": 10}
        },
        "licenses": [
          {
            "sku": "CATO_CASB",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": "2024-04-24T21:00:00.000Z",
            "lastUpdated": "2024-04-30T08:14:29.884Z"
          },
          {
            "sku": "CATO_DATALAKE_3M",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": "2024-04-24T21:00:00.000Z",
            "lastUpdated": "2024-04-25T10:08:32.586Z",
            "total": 1,
            "dpaVersion": "DPA_2023_01"
          },
          {
            "sku": "CATO_IP_ADD",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": null,
            "lastUpdated": null,
            "total": 68
          },
          {
            "sku": "CATO_MDR",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": "2024-04-24T21:00:00.000Z",
            "lastUpdated": "2024-04-30T08:14:30.294Z"
          },
          {
            "sku": "CATO_PB",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2024-07-04T00:00:00.000Z",
            "startDate": "2024-03-31T00:00:00.000Z",
            "lastUpdated": "2024-03-31T11:26:19.233Z",
            "total": 250,
            "siteLicenseGroup": "GROUP_2",
            "siteLicenseType": "SASE",
            "allocatedBandwidth": 50,
            "sites": [
              {
                "site": {"id": "456", "name": "Tokyo"},
                "allocatedBandwidth": 20
              },
              {
                "site": {"id": "789", "name": "Sydney"},
                "allocatedBandwidth": 30
              }
            ]
          },
          {
            "sku": "CATO_ZTNA_USERS",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": null,
            "lastUpdated": "2024-04-30T10:54:29.294Z",
            "total": 21,
            "ztnaUsersLicenseGroup": "GENERAL"
          },
          {
            "sku": "CATO_SITE",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": "2024-04-24T21:00:00.000Z",
            "lastUpdated": "2024-04-30T16:45:10.517Z",
            "total": 100,
            "siteLicenseGroup": "GROUP_1",
            "regionality": null,
            "siteLicenseType": "SASE",
            "site": {"id": "123", "name": "London"}
          },
          {
            "sku": "CATO_THREAT_PREVENTION",
            "plan": "COMMERCIAL",
            "status": "ACTIVE",
            "expirationDate": "2025-04-30T00:00:00.000Z",
            "startDate": "2024-04-24T21:00:00.000Z",
            "lastUpdated": "2024-04-25T10:08:32.464Z"
          }
        ]
      }
    }
  }
}
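Two things an operator wants from this response are early warning on expiring SKUs and a sanity check on allocations (pool `available` against `total - allocated`, and pooled-bandwidth per-site allocations against the license's `allocatedBandwidth` and `total`). The following is an added example (not Cato's) that performs both over a subset of the licenses from the sample response above; the 90-day window and the reference date are this example's parameters, and a null expirationDate is treated as "never expires", which is an assumption.

```python
from datetime import datetime, timedelta, timezone


def _parse(ts):
    """Licensing timestamps on this page look like 2025-04-30T00:00:00.000Z, or null."""
    if ts is None:
        return None
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiring_skus(info, today_iso, days=90):
    """(sku, days_left) for licenses expiring within `days` of today_iso
    (YYYY-MM-DD); already-expired ones come back with a negative count."""
    today = datetime.strptime(today_iso, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    out = []
    for lic in info["licenses"]:
        exp = _parse(lic.get("expirationDate"))
        if exp is not None and exp - today <= timedelta(days=days):
            out.append((lic["sku"], (exp - today).days))
    return out


def allocation_findings(info):
    """Consistency checks on allocations; returns (code, name) tuples."""
    findings = []
    for name, pool in info["globalLicenseAllocations"].items():
        if pool["available"] != pool["total"] - pool["allocated"]:
            findings.append(("pool_mismatch", name))
    for lic in info["licenses"]:
        if "sites" in lic:   # PooledBandwidthLicense fields selected above
            per_site = sum(s["allocatedBandwidth"] for s in lic["sites"])
            if per_site != lic["allocatedBandwidth"]:
                findings.append(("site_sum_mismatch", lic["sku"]))
            if lic["allocatedBandwidth"] > lic.get("total", 0):
                findings.append(("over_allocated", lic["sku"]))
    return findings


# Subset of the licensingInfo object from the sample response on this page.
SAMPLE_INFO = {
    "globalLicenseAllocations": {
        "publicIps": {"total": 68, "allocated": 0, "available": 68},
        "ztnaUsers": {"total": 15, "allocated": 5, "available": 10},
    },
    "licenses": [
        {"sku": "CATO_IP_ADD", "plan": "COMMERCIAL", "status": "ACTIVE",
         "expirationDate": "2025-04-30T00:00:00.000Z", "startDate": None,
         "lastUpdated": None, "total": 68},
        {"sku": "CATO_PB", "plan": "COMMERCIAL", "status": "ACTIVE",
         "expirationDate": "2024-07-04T00:00:00.000Z",
         "startDate": "2024-03-31T00:00:00.000Z",
         "lastUpdated": "2024-03-31T11:26:19.233Z", "total": 250,
         "siteLicenseGroup": "GROUP_2", "siteLicenseType": "SASE",
         "allocatedBandwidth": 50,
         "sites": [{"site": {"id": "456", "name": "Tokyo"}, "allocatedBandwidth": 20},
                   {"site": {"id": "789", "name": "Sydney"}, "allocatedBandwidth": 30}]},
        {"sku": "CATO_ZTNA_USERS", "plan": "COMMERCIAL", "status": "ACTIVE",
         "expirationDate": "2025-04-30T00:00:00.000Z", "startDate": None,
         "lastUpdated": "2024-04-30T10:54:29.294Z", "total": 21,
         "ztnaUsersLicenseGroup": "GENERAL"},
    ],
}

if __name__ == "__main__":
    print(expiring_skus(SAMPLE_INFO, "2024-05-01"))
    print(allocation_findings(SAMPLE_INFO))
```

With the reference date 2024-05-01 only CATO_PB (expiring 2024-07-04) falls inside the window; the sample's allocations are internally consistent, so the second function returns no findings.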

PolicyQueries

internetFirewall

Response

Returns an InternetFirewallPolicyQueries

Example

Query
query InternetFirewall($accountId: ID!, $input: InternetFirewallInput) {
  policy(accountId: $accountId) {
    internetFirewall(input: $input) {
      enabled
      revision {
        revisionId
        changes
        createdTime
      }
      rules {
        properties
        rule {
          id
          index
          name
        }
      }
      sections {
        properties
        section {
          id
          name
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"revision": {"type": "PRIVATE"}}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "enabled": true,
        "revision": {
          "revisionId": "firstname.surname@mycompany.com",
          "changes": 1,
          "createdTime": "2024-05-15T14:32:57.260"
        },
        "rules": [
          {
            "properties": ["SYSTEM"],
            "rule": {"id": "2021642", "index": 1, "name": "Block any P2P"}
          },
          {
            "properties": [],
            "rule": {"id": "2021933", "index": 2, "name": "First Rule"}
          },
          {
            "properties": [],
            "rule": {
              "id": "0a647dae-3d64-448e-9e23-9bb4d403754b",
              "index": 3,
              "name": "Second Rule"
            }
          },
          {
            "properties": ["ADDED"],
            "rule": {
              "id": "c59ea10e-436e-41ed-94b4-416ffd626af5",
              "index": 4,
              "name": "Example Rule"
            }
          }
        ],
        "sections": [
          {
            "properties": [],
            "section": {
              "id": "bf2a5a59-26c3-49d6-a8e3-b72b212ff056",
              "name": "My Section"
            }
          },
          {
            "properties": [],
            "section": {
              "id": "be080378-842d-4df7-9d4e-55741dc71339",
              "name": "My Section 2"
            }
          }
        ]
      }
    }
  }
}

XDR

stories

Description

Use the paging, sort, and filter arguments to select which XDR stories the query returns

Response

Returns a StoriesData

Arguments
Name Description
input - StoryInput!

Example

Query
query Stories($accountId: ID!, $from: Int!, $limit: Int!, $sort: [StorySortInput!], $filter: [StoryFilterInput!]!) {
  xdr(accountID: $accountId) {
    stories(
      input: {paging: {from: $from, limit: $limit}, sort: $sort, filter: $filter}
    ) {
      paging {
        from
        limit
        total
        __typename
      }
      items {
        ...StoryBrief
        __typename
      }
      __typename
    }
    __typename
  }
}

fragment StoryBrief on Story {
  id
  accountId
  accountName
  updatedAt
  createdAt
  analystName
  incident {
    __typename
    id
    status
    lastSignal
    firstSignal
    producer
    connectionType
    indication
    queryName
    description
    criticality
    source
    ticket
    research
    vendor
    sourceIp
    analystFeedback {
      severity
      __typename
    }
    ... on Threat {
      ...ThreatIncidentBrief
      __typename
    }
    ... on ThreatPrevention {
      ...ThreatPreventionIncidentBrief
      __typename
    }
    ... on AnomalyStats {
      ...AnomalyStatsIncidentBrief
      __typename
    }
    ... on AnomalyEvents {
      ...AnomalyEventsIncidentBrief
      __typename
    }
    ... on NetworkIncident {
      ...NetworkIncidentBrief
      __typename
    }
    ... on NetworkXDRIncident {
      ...NetworkXDRIncidentBrief
      __typename
    }
  }
  __typename
}

fragment ThreatIncidentBrief on Threat {
  __typename
  site {
    id
    name
    __typename
  }
  user {
    id
    name
    __typename
  }
  direction
}

fragment ThreatPreventionIncidentBrief on ThreatPrevention {
  __typename
  site {
    id
    name
    __typename
  }
  user {
    id
    name
    __typename
  }
  direction
}

fragment AnomalyStatsIncidentBrief on AnomalyStats {
  __typename
  srcSiteId
  subjectType
  drillDownFilter {
    name
    value
    __typename
  }
}

fragment AnomalyEventsIncidentBrief on AnomalyEvents {
  __typename
  srcSiteId
  subjectType
  drillDownFilter {
    name
    value
    __typename
  }
}

fragment NetworkIncidentBrief on NetworkIncident {
  __typename
  siteId
  confidence
  internalSubType
  resourceName
  prioritySite
  siteConnectionType
  hostIp
  availability
  siteGeoLocation
  eventsInternalIds
  storyDuration
  insights {
    timestamp
    insight
    __typename
  }
}

fragment NetworkXDRIncidentBrief on NetworkXDRIncident {
  __typename
  storyDuration
  siteId
  internalProducerId
  storyType
  incidentCount
  siteConnectionType
  siteConfigLocation
  acknowledged
  linkId
  linkName
  linkConfigPrecedence
  deviceConfigHaRole
  licenseRegion
  licenseBandwidth
  popLocation
  isp
  bgpConnection {
    connectionName
    peerIp
    peerAsn
    catoIp
    catoAsn
    __typename
  }
  networkIncidentTimeline {
    created
    validated
    description
    eventType
    internalIncidentId
    eventIds
    acknowledged
    networkEventSource
    linkId
    linkName
    linkConfigPrecedence
    linkStatus
    linkConfigBandwidth
    deviceConfigHaRole
    deviceHaRoleState
    popLocation
    isp
    bgpConnection {
      connectionName
      peerIp
      peerAsn
      catoIp
      catoAsn
      __typename
    }
    linkQualityIssue {
      issueType
      direction
      current
      threshold
      __typename
    }
    __typename
  }
}

Variables
{
  "accountId": "123",
  "from": 0,
  "limit": 25,
  "filter": [
    {
      "timeFrame": {"time": "last.P14D", "timeFrameModifier": "StoryUpdate"},
      "producer": {
        "in": [
          "AnomalyEvents",
          "AnomalyStats",
          "ThreatHunt",
          "ThreatPrevention",
          "MicrosoftEndpointDefender",
          "CatoEndpointAlert"
        ]
      }
    }
  ],
  "sort": [{"fieldName": "updatedAt", "order": "desc"}]
}
Response
{
  "data": {
    "xdr": {
      "__typename": "XDR",
      "stories": {
        "paging": {"from": 0, "limit": 25, "total": 5, "__typename": "Paging"},
        "items": [
          {
            "id": "65ba47966e0c8517cf2de805",
            "accountId": 123,
            "accountName": "account",
            "updatedAt": "2024-01-31T13:13:58Z",
            "createdAt": "2024-01-31T13:13:58Z",
            "analystName": "abc123",
            "incident": {
              "__typename": "CatoEndpoint",
              "id": "29ebcff1",
              "status": "PendingMoreInfo",
              "lastSignal": "2024-01-18T01:48:25Z",
              "firstSignal": "2024-01-18T01:48:25Z",
              "producer": "CatoEndpointAlert",
              "connectionType": null,
              "indication": "Cato Endpoint Alert",
              "queryName": null,
              "description": null,
              "criticality": 5,
              "source": "source",
              "ticket": null,
              "research": false,
              "vendor": "CATO",
              "sourceIp": null,
              "analystFeedback": {
                "severity": "Medium",
                "__typename": "AnalystFeedback"
              }
            },
            "__typename": "Story"
          }
        ]
      }
    }
  }
}
XDR

story

Description

Query a specific XDR story either by its story ID, or by the combination of incident ID and producer

Response

Returns a Story

Arguments
Name Description
storyId - ID
producer - StoryProducerEnum
incidentId - ID
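
The following is an added example, not Cato's own code, covering both the stories query above (paging with the same filter and sort shape as its Variables) and the story lookup described here (by storyId alone, or by incidentId together with producer). It assumes the API key is sent in an x-api-key request header, that paging.from is a zero-based offset and paging.total the size of the filtered result set, and that GraphQL errors arrive in the errors array of an HTTP 200 response; the transport is injected, and the sample stories and FakeTransport are constructed so the module runs offline.

```python
from __future__ import annotations
# Added example (not Cato's code): page through XDR stories and fetch one story
# by storyId or by incidentId + producer. Transport is injected so the module
# runs offline against constructed sample data.
import json
from typing import Callable, Iterator, Optional
from urllib import request

CATO_ENDPOINT = "https://api.catonetworks.com/api/v1/graphql2"
Transport = Callable[[str, dict], dict]

STORIES_QUERY = """
query Stories($accountId: ID!, $from: Int!, $limit: Int!,
              $sort: [StorySortInput!], $filter: [StoryFilterInput!]!) {
  xdr(accountID: $accountId) {
    stories(input: {paging: {from: $from, limit: $limit}, sort: $sort, filter: $filter}) {
      paging { from limit total }
      items { id updatedAt incident { id producer status criticality } }
    }
  }
}"""
# Two variants so only the selector actually in use is sent as an argument.
STORY_BY_ID_QUERY = """
query StoryById($accountId: ID!, $storyId: ID!) {
  xdr(accountID: $accountId) { story(storyId: $storyId) { id summary incident { id producer status criticality } } }
}"""
STORY_BY_INCIDENT_QUERY = """
query StoryByIncident($accountId: ID!, $incidentId: ID!, $producer: StoryProducerEnum!) {
  xdr(accountID: $accountId) { story(incidentId: $incidentId, producer: $producer) { id summary incident { id producer status criticality } } }
}"""

# Same filter/sort shape as the page's Variables: stories updated in the last 14 days.
DEFAULT_FILTER = [{"timeFrame": {"time": "last.P14D", "timeFrameModifier": "StoryUpdate"},
                   "producer": {"in": ["ThreatPrevention", "CatoEndpointAlert"]}}]
DEFAULT_SORT = [{"fieldName": "updatedAt", "order": "desc"}]


def http_transport(api_key: str, endpoint: str = CATO_ENDPOINT) -> Transport:
    """Real transport. GraphQL-level errors come back with HTTP 200, so check them."""
    def post(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = request.Request(endpoint, data=body, method="POST",
                              headers={"Content-Type": "application/json",
                                       "x-api-key": api_key})  # header name: assumption
        with request.urlopen(req, timeout=30) as resp:
            payload = json.load(resp)
        if payload.get("errors"):
            raise RuntimeError(f"GraphQL errors: {payload['errors']}")
        return payload
    return post


def iter_stories(post: Transport, account_id: str, filters: list,
                 sort: Optional[list] = None, page_size: int = 25) -> Iterator[dict]:
    """Yield every matching story, advancing `from` until paging.total is reached."""
    offset = 0
    while True:
        variables = {"accountId": account_id, "from": offset, "limit": page_size,
                     "filter": filters, "sort": sort or DEFAULT_SORT}
        stories = post(STORIES_QUERY, variables)["data"]["xdr"]["stories"]
        items = stories["items"]
        yield from items
        offset += len(items)
        # An empty page also ends the loop, so a stale `total` cannot spin forever.
        if not items or offset >= stories["paging"]["total"]:
            return


def story_selector(story_id=None, incident_id=None, producer=None) -> tuple:
    """Choose query + variables for `story`: storyId alone, or incidentId with producer."""
    if story_id is not None:
        if incident_id is not None or producer is not None:
            raise ValueError("pass storyId alone, or incidentId together with producer")
        return STORY_BY_ID_QUERY, {"storyId": story_id}
    if incident_id is None or producer is None:
        raise ValueError("without storyId, both incidentId and producer are required")
    return STORY_BY_INCIDENT_QUERY, {"incidentId": incident_id, "producer": producer}


def fetch_story(post: Transport, account_id: str, **selector) -> Optional[dict]:
    query, variables = story_selector(**selector)
    return post(query, {"accountId": account_id, **variables})["data"]["xdr"]["story"]


def critical_story_ids(post: Transport, account_id: str,
                       min_criticality: int = 5, page_size: int = 25) -> list:
    """IDs of matching stories whose incident criticality meets the threshold."""
    return [s["id"] for s in iter_stories(post, account_id, DEFAULT_FILTER, page_size=page_size)
            if (s["incident"].get("criticality") or 0) >= min_criticality]


def _story(sid, iid, producer, crit, status="Open"):
    return {"id": sid, "updatedAt": "2024-01-31T13:13:58Z", "summary": f"{producer} story",
            "incident": {"id": iid, "producer": producer, "status": status, "criticality": crit}}

# Constructed sample data; the first entry mirrors the page's own response item.
SAMPLE_STORIES = [
    _story("65ba47966e0c8517cf2de805", "29ebcff1", "CatoEndpointAlert", 5, "PendingMoreInfo"),
    _story("story-2", "inc-2", "ThreatPrevention", 3),
    _story("story-3", "inc-3", "ThreatPrevention", 7),
    _story("story-4", "inc-4", "CatoEndpointAlert", 5),
    _story("story-5", "inc-5", "ThreatPrevention", 1),
]


class FakeTransport:
    """Constructed offline stand-in for the endpoint: serves pages and single stories."""
    def __init__(self, stories: list):
        self.stories, self.calls = stories, 0

    def __call__(self, query: str, variables: dict) -> dict:
        self.calls += 1
        if "stories(" in query:
            start, limit = variables["from"], variables["limit"]
            return {"data": {"xdr": {"stories": {
                "paging": {"from": start, "limit": limit, "total": len(self.stories)},
                "items": self.stories[start:start + limit]}}}}
        for s in self.stories:
            inc = s["incident"]
            if s["id"] == variables.get("storyId") or (
                    inc["id"] == variables.get("incidentId")
                    and inc["producer"] == variables.get("producer")):
                return {"data": {"xdr": {"story": s}}}
        return {"data": {"xdr": {"story": None}}}


if __name__ == "__main__":
    fake = FakeTransport(SAMPLE_STORIES)   # swap for http_transport(API_KEY) to go live
    print(critical_story_ids(fake, "123", page_size=2))
    print(fetch_story(fake, "123", incident_id="29ebcff1", producer="CatoEndpointAlert")["id"])
```

Keep page_size at the limit you would use in production; the small value in the stand-alone run only exercises the multi-page path. The selector check matters because the story arguments are all nullable in the schema, so the server, not the type system, is what rejects a storyId sent together with incidentId.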

Example

Query
query StoryDetails($accountId: ID!, $storyId: ID!) {
  xdr(accountID: $accountId) {
    ... on XDR {
      story(storyId: $storyId) {
        ...StoryDetailed
        __typename
      }
      __typename
    }
    __typename
  }
}

fragment StoryDetailed on Story {
  __typename
  id
  summary
  updatedAt
  createdAt
  playbook
  timeline {
    ...TimelineItem
    __typename
  }
  incident {
    __typename
    id
    status
    producer
    ticket
    connectionType
    indication
    queryName
    criticality
    source
    research
    firstSignal
    lastSignal
    description
    site {
      id
      name
      __typename
    }
    user {
      id
      name
      __typename
    }
    ... on AnomalyStats {
      ...AnomalyStatsIncidentDetailed
      __typename
    }
    ... on AnomalyEvents {
      ...AnomalyEventsIncidentDetailed
      __typename
    }
    ... on Threat {
      ...ThreatIncidentDetailed
      __typename
    }
    ... on ThreatPrevention {
      ...ThreatPreventionIncidentDetailed
      __typename
    }
    ... on NetworkIncident {
      ...NetworkIncidentDetailed
      __typename
    }
    ... on NetworkXDRIncident {
      ...NetworkXDRIncidentDetailed
      __typename
    }
    ... on MicrosoftEndpoint {
      ...MicrosoftEndpointIncidentDetailed
      __typename
    }
    ... on CatoEndpoint {
      ...CatoEndpointIncidentDetailed
      __typename
    }
  }
}

fragment TimelineItem on TimelineItem {
  createdAt
  type
  descriptions
  additionalInfo
  analystInfo {
    name
    __typename
  }
  context
  category
  __typename
}

fragment AnomalyStatsIncidentDetailed on AnomalyStats {
  __typename
  srcSiteId
  subjectType
  metric {
    name
    value
    __typename
  }
  drillDownFilter {
    name
    value
    __typename
  }
  gaussian {
    n
    avg
    __typename
  }
  mitres {
    id
    name
    __typename
  }
  logonName
  sourceIp
  os
  clientClass
  deviceName
  macAddress
  breakdownField
  predictedVerdict
  predictedThreatType
  similarStoriesData {
    storyId
    indication
    threatTypeName
    verdict
    similarityPercentage
    __typename
  }
  targets {
    name
    analysisScore
    infectionSource
    catoPopularity
    threatFeeds
    creationTime
    categories
    countryOfRegistration
    searchHits
    engines
    eventData {
      signatureId
      eventType
      threatType
      threatName
      severity
      action
      __typename
    }
    __typename
  }
  analystFeedback {
    ...AnalystFeedback
    __typename
  }
}

fragment AnalystFeedback on AnalystFeedback {
  verdict
  severity
  threatType {
    name
    details
    recommendedAction
    __typename
  }
  threatClassification
  additionalInfo
  __typename
}

fragment AnomalyEventsIncidentDetailed on AnomalyEvents {
  __typename
  srcSiteId
  subjectType
  metric {
    name
    value
    __typename
  }
  drillDownFilter {
    name
    value
    __typename
  }
  gaussian {
    n
    avg
    __typename
  }
  mitres {
    id
    name
    __typename
  }
  logonName
  sourceIp
  os
  clientClass
  deviceName
  macAddress
  breakdownField
  predictedVerdict
  predictedThreatType
  similarStoriesData {
    storyId
    indication
    threatTypeName
    verdict
    similarityPercentage
    __typename
  }
  targets {
    name
    analysisScore
    infectionSource
    catoPopularity
    threatFeeds
    creationTime
    categories
    countryOfRegistration
    searchHits
    engines
    eventData {
      signatureId
      eventType
      threatType
      threatName
      severity
      action
      __typename
    }
    __typename
  }
  analystFeedback {
    ...AnalystFeedback
    __typename
  }
}

fragment ThreatIncidentDetailed on Threat {
  __typename
  srcSiteId
  flowsCardinality
  storyDuration
  os
  deviceName
  macAddress
  sourceIp
  logonName
  direction
  predictedVerdict
  predictedThreatType
  similarStoriesData {
    storyId
    indication
    threatTypeName
    verdict
    similarityPercentage
    __typename
  }
  queryName
  events {
    signatureId
    eventType
    threatType
    threatName
    severity
    __typename
  }
  mitres {
    id
    name
    __typename
  }
  timeSeries {
    info
    units
    label
    data(perSecond: false)
    sum
    key {
      measureFieldName
      dimensions {
        fieldName
        value
        __typename
      }
      __typename
    }
    __typename
  }
  targets {
    type
    name
    analysisScore
    infectionSource
    catoPopularity
    threatFeeds
    creationTime
    categories
    countryOfRegistration
    searchHits
    engines
    eventData {
      signatureId
      eventType
      threatType
      threatName
      severity
      action
      __typename
    }
    __typename
  }
  flows {
    appName
    clientClass
    sourceIp
    sourcePort
    direction
    createdAt
    referer
    userAgent
    method
    destinationCountry
    destinationPort
    destinationIp
    destinationGeolocation
    url
    tunnelGeolocation
    domain
    target
    httpResponseCode
    dnsResponseIP
    smbFileName
    fileHash
    ja3
    __typename
  }
  analystFeedback {
    ...AnalystFeedback
    __typename
  }
}

fragment ThreatPreventionIncidentDetailed on ThreatPrevention {
  __typename
  srcSiteId
  flowsCardinality
  storyDuration
  os
  deviceName
  macAddress
  sourceIp
  logonName
  direction
  predictedVerdict
  predictedThreatType
  similarStoriesData {
    storyId
    indication
    threatTypeName
    verdict
    similarityPercentage
    __typename
  }
  queryName
  events {
    signatureId
    eventType
    threatType
    threatName
    severity
    __typename
  }
  mitres {
    id
    name
    __typename
  }
  timeSeries {
    info
    units
    label
    data(perSecond: false)
    sum
    key {
      measureFieldName
      dimensions {
        fieldName
        value
        __typename
      }
      __typename
    }
    __typename
  }
  targets {
    type
    name
    analysisScore
    infectionSource
    catoPopularity
    threatFeeds
    creationTime
    categories
    countryOfRegistration
    searchHits
    engines
    eventData {
      signatureId
      eventType
      threatType
      threatName
      severity
      action
      __typename
    }
    __typename
  }
  threatPreventionsEvents {
    appName
    clientClass
    sourceIp
    sourcePort
    direction
    createdAt
    referrer
    userAgent
    method
    destinationCountry
    destinationPort
    destinationIp
    destinationGeolocation
    url
    tunnelGeolocation
    domain
    target
    httpResponseCode
    dnsResponseIP
    smbFileName
    fileHash
    ja3
    __typename
  }
  analystFeedback {
    ...AnalystFeedback
    __typename
  }
}

fragment NetworkIncidentDetailed on NetworkIncident {
  __typename
  siteId
  confidence
  internalSubType
  resourceName
  prioritySite
  siteConnectionType
  hostIp
  availability
  siteGeoLocation
  eventsInternalIds
  storyDuration
  muted
  insights {
    timestamp
    insight
    __typename
  }
  analystFeedback {
    ... on AnalystFeedback {
      severity
      __typename
    }
    __typename
  }
}

fragment NetworkXDRIncidentDetailed on NetworkXDRIncident {
  __typename
  storyDuration
  storyType
  occurrences
  siteConnectionType
  siteConfigLocation
  acknowledged
  description
  linkId
  linkName
  linkConfigPrecedence
  deviceConfigHaRole
  licenseRegion
  licenseBandwidth
  pop
  isp
  hostIp
  ruleName
  bgpConnection {
    connectionName
    peerIp
    peerAsn
    catoIp
    catoAsn
    __typename
  }
  networkIncidentTimeline {
    created
    validated
    description
    eventType
    incidentId
    eventIds
    acknowledged
    networkEventSource
    linkId
    linkName
    linkConfigPrecedence
    linkStatus
    linkConfigBandwidth
    deviceConfigHaRole
    deviceHaRoleState
    pop
    isp
    hostIp
    ruleName
    tunnelResetCount
    bgpConnection {
      connectionName
      peerIp
      peerAsn
      catoIp
      catoAsn
      __typename
    }
    linkQualityIssue {
      issueType
      direction
      current
      threshold
      __typename
    }
    __typename
  }
  analystFeedback {
    ... on AnalystFeedback {
      severity
      __typename
    }
    __typename
  }
}

fragment MicrosoftEndpointIncidentDetailed on MicrosoftEndpoint {
  storyDuration
  sourceIp
  analystFeedback {
    ...AnalystFeedback
    __typename
  }
  device {
    deviceName
    osDetails {
      ... on OsDetails {
        ...MicrosoftEndpointIncidentDeviceOsDetails
        __typename
      }
      __typename
    }
    loggedOnUsers {
      ... on EndpointUser {
        ...MicrosoftEndpointIncidentDeviceLoggedOnUser
        __typename
      }
      __typename
    }
    __typename
  }
  alerts {
    ... on MicrosoftDefenderEndpointAlert {
      ...StoryDetailsMicrosoftEndpointAlert
      __typename
    }
    __typename
  }
  __typename
}

fragment MicrosoftEndpointIncidentDeviceOsDetails on OsDetails {
  osType
  osBuild
  osVersion
  __typename
}

fragment MicrosoftEndpointIncidentDeviceLoggedOnUser on EndpointUser {
  ... on MicrosoftEndpointUser {
    ...MicrosoftEndpointIncidentUserDetails
    __typename
  }
  __typename
}

fragment MicrosoftEndpointIncidentUserDetails on MicrosoftEndpointUser {
  name
  domainName
  __typename
}

fragment StoryDetailsMicrosoftEndpointAlert on MicrosoftDefenderEndpointAlert {
  id
  title
  localIp
  destinationIp
  destinationUrl
  mitreTechnique {
    id
    name
    __typename
  }
  firstActivityDateTime
  lastActivityDateTime
  threatName
  activities {
    ...StoryDetailsMicrosoftEndpointActivity
    __typename
  }
  resources {
    ...StoryDetailsMicrosoftEndpointResource
    __typename
  }
  ... on MicrosoftDefenderEndpointAlert {
    criticality
    msStatus: status
    __typename
  }
  __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointActivity on MicrosoftActivity {
                          id
                          resourceId
                          parentResourceId
                          action
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointResource on MicrosoftEndpointResource {
                          id
                          remediationStatus
                          createdDateTime
                          verdict
                          roles
                          ...StoryDetailsMicrosoftEndpointFileResource
                          ...StoryDetailsMicrosoftEndpointProcessResource
                          ...StoryDetailsMicrosoftEndpointRegistryResource
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointFileResource on MicrosoftFileResource {
                          detectionStatus
                          fileDetails {
                            ...StoryDetailsMicrosoftEndpointFileDetails
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointFileDetails on FileDetails {
                          path
                          name
                          size
                          sha1
                          sha256
                          issuer
                          signer
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointProcessResource on MicrosoftProcessResource {
                          processId
                          processCommandLine
                          imageFile {
                            ...StoryDetailsMicrosoftEndpointFileDetails
                            __typename
                          }
                          userAccount {
                            ...StoryDetailsMicrosoftEndpointUserDetails
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointUserDetails on EndpointUser {
                          id
                          ... on MicrosoftEndpointUser {
                            userSid
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsMicrosoftEndpointRegistryResource on MicrosoftRegistryResource {
                          valueName
                          valueType
                          value
                          key
                          hive
                          __typename
                        }
                        
                        fragment CatoEndpointIncidentDetailed on CatoEndpoint {
                          storyDuration
                          sourceIp
                          analystFeedback {
                            ...AnalystFeedback
                            __typename
                          }
                          device {
                            deviceName
                            macAddress
                            osDetails {
                              ... on OsDetails {
                                ...CatoEndpointIncidentDeviceOsDetails
                                __typename
                              }
                              __typename
                            }
                            loggedOnUsers {
                              ... on EndpointUser {
                                ...CatoEndpointIncidentDeviceLoggedOnUser
                                __typename
                              }
                              __typename
                            }
                            __typename
                          }
                          alerts {
                            ... on CatoEndpointAlert {
                              ...StoryDetailsCatoEndpointAlert
                              __typename
                            }
                            __typename
                          }
                          __typename
                        }
                        
                        fragment CatoEndpointIncidentDeviceOsDetails on OsDetails {
                          osType
                          osBuild
                          osVersion
                          __typename
                        }
                        
                        fragment CatoEndpointIncidentDeviceLoggedOnUser on EndpointUser {
                          ... on CatoEndpointUser {
                            ...CatoEndpointIncidentUserDetails
                            __typename
                          }
                          __typename
                        }
                        
                        fragment CatoEndpointIncidentUserDetails on CatoEndpointUser {
                          name
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointAlert on CatoEndpointAlert {
                          id
                          title
                          mitreTechnique {
                            id
                            name
                            __typename
                          }
                          createdDateTime
                          threatName
                          activities {
                            ...StoryDetailsCatoEndpointActivity
                            __typename
                          }
                          resources {
                            ...StoryDetailsCatoEndpointResource
                            __typename
                          }
                          ... on CatoEndpointAlert {
                            criticality
                            catoStatus: status
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointActivity on CatoActivity {
                          id
                          resourceId
                          parentResourceId
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointResource on CatoResource {
                          id
                          createdDateTime
                          remediationStatus
                          ...StoryDetailsCatoEndpointFileResource
                          ...StoryDetailsCatoEndpointProcessResource
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointFileResource on CatoFileResource {
                          detectionStatus
                          fileDetails {
                            ...StoryDetailsCatoEndpointFileDetails
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointFileDetails on FileDetails {
                          path
                          name
                          size
                          sha1
                          sha256
                          issuer
                          signer
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointProcessResource on CatoProcessResource {
                          processId
                          processCommandLine
                          imageFile {
                            ...StoryDetailsCatoEndpointFileDetails
                            __typename
                          }
                          userAccount {
                            ...StoryDetailsCatoEndpointUserDetails
                            __typename
                          }
                          __typename
                        }
                        
                        fragment StoryDetailsCatoEndpointUserDetails on EndpointUser {
                          id
                          ... on CatoEndpointUser {
                            name
                            __typename
                          }
                          __typename
                        }
                        
Variables
{"accountId": "123", "storyId": "abc123"}
Response
{
  "data": {
    "xdr": {
      "__typename": "XDR",
      "story": {
        "playbook": null,
        "incident": {
          "__typename": "Threat",
          "id": "abc123",
          "status": "Open",
          "producer": "ThreatHunt",
          "ticket": null,
          "connectionType": "Site",
          "indication": "abc123",
          "queryName": "abc123",
          "criticality": 5,
          "source": "abc123",
          "research": false,
          "firstSignal": "2024-02-29T09:00:00Z",
          "lastSignal": "2024-02-29T13:00:00Z",
          "description": "abc123",
          "site": null,
          "user": null,
          "srcSiteId": "123",
          "flowsCardinality": 4,
          "storyDuration": 14400,
          "os": "OS_WINDOWS",
          "deviceName": "abc123",
          "macAddress": "aa:aa:11:22:33:44",
          "sourceIp": "1.2.3.4",
          "logonName": null,
          "direction": "OUTBOUND",
          "predictedVerdict": null,
          "predictedThreatType": null,
          "similarStoriesData": [],
          "events": [],
          "mitres": [],
          "timeSeries": [],
          "targets": [
            {
              "type": "domain",
              "name": "123",
              "analysisScore": 0.75688803,
              "infectionSource": true,
              "catoPopularity": -1,
              "threatFeeds": 2,
              "creationTime": "2023-01-10T06:16:40Z",
              "categories": "abc123",
              "countryOfRegistration": "CZ",
              "searchHits": "123",
              "engines": null,
              "eventData": [],
              "__typename": "IncidentTargetRep"
            }
          ],
          "flows": [
            {
              "appName": "http",
              "clientClass": null,
              "sourceIp": "11.22.33.111",
              "sourcePort": 123,
              "direction": "INBOUND",
              "createdAt": "2024-02-29T09:45:00Z",
              "referer": null,
              "userAgent": null,
              "method": null,
              "destinationCountry": "US",
              "destinationPort": 123,
              "destinationIp": "11.22.33.644",
              "destinationGeolocation": "11.1,22.2",
              "url": null,
              "tunnelGeolocation": "11.1,22.2",
              "domain": "abc123",
              "target": "abc123",
              "httpResponseCode": null,
              "dnsResponseIP": null,
              "smbFileName": null,
              "fileHash": null,
              "ja3": null,
              "__typename": "IncidentFlow"
            }
          ],
          "analystFeedback": {
            "verdict": null,
            "severity": null,
            "threatType": {
              "name": "PuP",
              "details": null,
              "recommendedAction": null,
              "__typename": "AnalystFeedbackThreatType"
            },
            "threatClassification": null,
            "additionalInfo": null,
            "__typename": "AnalystFeedback"
          }
        },
        "__typename": "Story",
        "id": "abc123",
        "summary": "abc123",
        "updatedAt": "2024-03-27T08:32:44Z",
        "createdAt": "2024-03-27T08:22:51Z",
        "timeline": [
          {
            "createdAt": "2024-03-27T08:22:51Z",
            "type": "Diff",
            "descriptions": ["abc123"],
            "additionalInfo": null,
            "analystInfo": null,
            "context": "Story created",
            "category": null,
            "__typename": "TimelineItem"
          }
        ]
      }
    }
  }
}
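The story response above returns incident as a GraphQL union (the query's fragments cover Threat, MicrosoftEndpoint and CatoEndpoint), so a consumer has to dispatch on __typename before reading any field. The following Python is an added example, not code from this page or from Cato: it flattens one story into indicator lists an analyst can hand to blocklists or a SIEM. Field names follow the fragments and sample response above; the two sample stories, the internal-range filter and the bucket names (domains, ips, hashes, mitre, command_lines) are constructed for the demo.

```python
"""Flatten an xdr.story response into IOC lists. Added example, not Cato code;
field names follow this page's fragments and sample response, sample data is
constructed."""
from __future__ import annotations

import ipaddress
from typing import Any, Iterable

# Ranges kept off an external IOC list. Constructed policy choice for the demo.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external_ip(value: str) -> bool:
    """True for a syntactically valid IP outside _INTERNAL. Unparsable strings
    (an out-of-range octet, for instance) return False instead of raising."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return not any(addr in net for net in _INTERNAL)


def _file_details(resource: dict[str, Any]) -> Iterable[dict[str, Any]]:
    # File resources carry fileDetails; process resources carry their image
    # under imageFile. Both are FileDetails per the fragments above.
    for key in ("fileDetails", "imageFile"):
        if resource.get(key):
            yield resource[key]


def extract_iocs(story: dict[str, Any]) -> dict[str, list[str]]:
    """Sorted, de-duplicated indicators from one Story. `incident` is a union:
    a Threat carries network targets/flows, the endpoint types carry alerts
    whose resources hold file hashes and command lines."""
    out: dict[str, set[str]] = {
        k: set() for k in ("domains", "ips", "hashes", "mitre", "command_lines")}
    incident = story.get("incident") or {}
    kind = incident.get("__typename")
    if kind == "Threat":
        for target in incident.get("targets") or []:
            # Keep the flagged infection source and anything seen in a threat feed.
            if target.get("infectionSource") or (target.get("threatFeeds") or 0) > 0:
                if target.get("type") == "domain":
                    out["domains"].add(target["name"])
                elif is_external_ip(target.get("name") or ""):
                    out["ips"].add(target["name"])
        for flow in incident.get("flows") or []:
            for field in ("destinationIp", "dnsResponseIP"):
                if flow.get(field) and is_external_ip(flow[field]):
                    out["ips"].add(flow[field])
            if flow.get("domain"):
                out["domains"].add(flow["domain"])
            if flow.get("fileHash"):
                out["hashes"].add(flow["fileHash"].lower())
    elif kind in ("MicrosoftEndpoint", "CatoEndpoint"):
        for alert in incident.get("alerts") or []:
            if (alert.get("mitreTechnique") or {}).get("id"):
                out["mitre"].add(alert["mitreTechnique"]["id"])
            if alert.get("destinationIp") and is_external_ip(alert["destinationIp"]):
                out["ips"].add(alert["destinationIp"])
            for res in alert.get("resources") or []:
                if res.get("processCommandLine"):
                    out["command_lines"].add(res["processCommandLine"])
                for fd in _file_details(res):
                    if fd.get("sha256"):
                        out["hashes"].add(fd["sha256"].lower())
    else:
        raise ValueError(f"unhandled incident type: {kind!r}")
    return {k: sorted(v) for k, v in out.items()}


# Constructed samples shaped like the response and fragments on this page.
SAMPLE_THREAT_STORY = {
    "incident": {
        "__typename": "Threat",
        "targets": [
            {"type": "domain", "name": "update.bad.example", "infectionSource": True, "threatFeeds": 2},
            {"type": "domain", "name": "cdn.benign.example", "infectionSource": False, "threatFeeds": 0},
        ],
        "flows": [
            {"destinationIp": "11.22.33.644", "domain": "update.bad.example"},  # bad octet, skipped
            {"destinationIp": "11.22.33.44", "dnsResponseIP": "10.9.8.7",
             "fileHash": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
        ],
    },
}
SAMPLE_ENDPOINT_STORY = {
    "incident": {
        "__typename": "MicrosoftEndpoint",
        "alerts": [{
            "destinationIp": "203.0.113.9",
            "mitreTechnique": {"id": "T1059.001", "name": "PowerShell"},
            "resources": [
                {"id": "r1", "processCommandLine": "powershell.exe -enc AAAA",
                 "imageFile": {"name": "powershell.exe", "sha256": "A" * 64}},
                {"id": "r2", "fileDetails": {"name": "payload.bin", "sha256": "b" * 64}},
            ],
        }],
    },
}
```

Unknown __typename values raise rather than silently returning an empty result, so a schema addition (a new incident type) is noticed at the first story that uses it instead of being dropped from triage.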

Mutations

AdminMutations

addAdmin

Response

Returns an AddAdminPayload

Arguments
Name Description
input - AddAdminInput!

Example

Query
mutation addAdmin($accountId:ID!, $input: AddAdminInput!) {
  admin(accountId:$accountId) {
    addAdmin(input:$input) {
      adminID
    }
  }
}
Variables
{
  "accountId": "123",
  "input": {
    "firstName": "Name",
    "lastName": "Surname",
    "email": "name.surname@company.org",
    "passwordNeverExpires": false,
    "mfaEnabled": true,
    "managedRoles": [{"role": {"id": 2, "name": "Viewer"}}]
  }
}
Response
{"data": {"admin": {"addAdmin": {"adminID": "456"}}}}

removeAdmin

Response

Returns a RemoveAdminPayload

Arguments
Name Description
adminID - ID!

Example

Query
mutation removeAdmin($accountId:ID!, $adminID:ID!){
  admin(accountId:$accountId) {
    removeAdmin(adminID:$adminID) {
      adminID
    }
  }
}
Variables
{"accountId": "123", "adminID": "456"}
Response
{"data": {"admin": {"removeAdmin": {"adminID": "456"}}}}

updateAdmin

Response

Returns an UpdateAdminPayload

Arguments
Name Description
adminID - ID!
input - UpdateAdminInput!

Example

Query
mutation updateAdmin($accountId:ID!, $adminID:ID!, $input: UpdateAdminInput!){
  admin(accountId:$accountId) {
    updateAdmin(adminID:$adminID,input:$input) {
      adminID
    }
  }
}
Variables
{
  "accountId": "123",
  "adminID": "456",
  "input": {
    "managedRoles": [
      {"role": {"id": 1, "name": "Editor"}},
      {"role": {"id": 2, "name": "Viewer"}}
    ]
  }
}
Response
{"data": {"admin": {"updateAdmin": {"adminID": "456"}}}}

InternetFirewallPolicyMutations

addRule

Description

Add a new rule to the Internet Firewall policy.

Arguments
Name Description
input - InternetFirewallAddRuleInput!

Example

Query

mutation AddInternetFirewallRule($accountId:ID!, $input: InternetFirewallAddRuleInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      addRule(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
        rule {
          rule {
            id
            name
            description
            enabled
            source {
              ip
              subnet
            }
          }
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "rule": {
      "enabled": true,
      "name": "Example Rule",
      "description": "Example description",
      "source": {"ip": ["192.0.2.1", "198.51.100.1"], "subnet": ["10.0.0.0/24"]}
    },
    "at": {"position": "LAST_IN_POLICY"}
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "addRule": {
          "status": "SUCCESS",
          "errors": [],
          "rule": {
            "rule": {
              "id": "41a884bf-eaee-44d5-bbb1-6db5612d45cb",
              "name": "Example Rule",
              "description": "Example description",
              "enabled": true,
              "source": {
                "ip": ["192.0.2.1", "198.51.100.1"],
                "subnet": ["10.0.0.0/24"]
              }
            }
          }
        }
      }
    }
  }
}

addSection

Description

Add a new section to the Internet Firewall policy.

Response

Returns a PolicySectionMutationPayload!

Arguments
Name Description
input - PolicyAddSectionInput!

Example

Query

mutation AddSection($accountId:ID!, $input: PolicyAddSectionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      addSection(input: $input) {
        section {
          section {
            id
            name
          }
        }
        status
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "section": {"name": "My new section"},
    "at": {
      "position": "BEFORE_SECTION",
      "ref": "be080378-842d-4df7-9d4e-55741dc71339"
    }
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "addSection": {
          "section": {
            "section": {
              "id": "1f4aa454-4065-45a5-985e-1b4aa4228471",
              "name": "My new section"
            }
          },
          "status": "SUCCESS",
          "errors": []
        }
      }
    }
  }
}

createPolicyRevision

Description

Create a new, empty policy revision to hold changes until it is published.

Arguments
Name Description
input - PolicyCreateRevisionInput!

Example

Query

mutation CreateRevision($accountId: ID!, $input: PolicyCreateRevisionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      createPolicyRevision(input: $input) {
        status
        errors {
          errorCode
          errorMessage
        }
        policy {
          revision {
            description
            name
            id
            changes
            createdTime
            updatedTime
          }
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "name": "Test Revision",
    "description": "Testing working with multiple revisions"
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "createPolicyRevision": {
          "status": "SUCCESS",
          "errors": [],
          "policy": {
            "revision": {
              "description": "Testing working with multiple revisions",
              "name": "Test Revision",
              "id": "RevisionId"
            }
          }
        }
      }
    }
  }
}

discardPolicyRevision

Description

Discard the policy revision: all of its unpublished changes are dropped and the revision is deleted.

Arguments
Name Description
input - PolicyDiscardRevisionInput

Example

Query

mutation DiscardPolicyRevision($accountId:ID!, $input: PolicyDiscardRevisionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      discardPolicyRevision(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"id": "firstname.surname@mycompany.com"}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {"discardPolicyRevision": {"status": "SUCCESS", "errors": []}}
    }
  }
}

moveRule

Description

Change the relative location of an existing rule within the Internet Firewall policy.

Arguments
Name Description
input - PolicyMoveRuleInput!

Example

Query

mutation MoveInternetFirewallRule($accountId:ID!, $input: PolicyMoveRuleInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      moveRule(input: $input) {
        status
        rule {
          rule {
            id
            section {
              id
              name
            }
          }
        }
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "id": "0a647dae-3d64-448e-9e23-9bb4d403754b",
    "to": {
      "position": "FIRST_IN_SECTION",
      "ref": "bf2a5a59-26c3-49d6-a8e3-b72b212ff056"
    }
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "moveRule": {
          "status": "SUCCESS",
          "rule": {
            "rule": {
              "id": "0a647dae-3d64-448e-9e23-9bb4d403754b",
              "section": {
                "id": "bf2a5a59-26c3-49d6-a8e3-b72b212ff056",
                "name": "My Section"
              }
            }
          },
          "errors": []
        }
      }
    }
  }
}

moveSection

Description

Change the relative location of an existing section within the Internet Firewall policy.

Response

Returns a PolicySectionMutationPayload!

Arguments
Name Description
input - PolicyMoveSectionInput!

Example

Query

mutation MoveInternetFirewallSection($accountId:ID!, $input: PolicyMoveSectionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      moveSection(input: $input) {
        status
        section {
          properties
          section {
            id
            name
          }
        }
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "id": "be080378-842d-4df7-9d4e-55741dc71339",
    "to": {"position": "LAST_IN_POLICY"}
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "moveSection": {
          "status": "SUCCESS",
          "section": {
            "properties": ["MOVED"],
            "section": {
              "id": "be080378-842d-4df7-9d4e-55741dc71339",
              "name": "My Section 2"
            }
          },
          "errors": []
        }
      }
    }
  }
}

publishPolicyRevision

Description

Publish the policy revision. The published revision becomes the active policy, and its content is merged into the unpublished revisions of other admins.

Arguments
Name Description
input - PolicyPublishRevisionInput

Example

Query

mutation PublishPolicyRevision($accountId:ID!, $input: PolicyPublishRevisionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      publishPolicyRevision(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"id": "firstname.surname@mycompany.com"}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {"publishPolicyRevision": {"status": "SUCCESS", "errors": []}}
    }
  }
}
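The revision mutations above (createPolicyRevision, publishPolicyRevision, discardPolicyRevision) bracket rule mutations such as addRule: a change is staged in a revision and only becomes the active policy once published, so a script should publish on success and discard on any failure rather than leave a half-applied revision behind. The following Python is an added example, not code from this page or from Cato. It assumes the API key travels in an x-api-key header (this page does not describe request authentication) and that the revision id returned by createPolicyRevision is the id that PolicyPublishRevisionInput and PolicyDiscardRevisionInput expect. ScriptedTransport and its payloads, including the FAILED status string, are constructed for the offline demo and are not documented values.

```python
"""Stage, publish or roll back an Internet Firewall change through the
revision lifecycle. Added example, not Cato code. Assumed (not on this page):
x-api-key header; createPolicyRevision's revision id is the publish/discard id."""
from __future__ import annotations

import json
import urllib.request
from typing import Any, Callable

API_URL = "https://api.catonetworks.com/api/v1/graphql2"
Transport = Callable[[dict[str, Any]], dict[str, Any]]

# Selection sets trimmed to what the workflow needs; field names as on this page.
Q_CREATE = """mutation CreateRevision($accountId: ID!, $input: PolicyCreateRevisionInput!) {
  policy(accountId: $accountId) { internetFirewall { createPolicyRevision(input: $input) {
    status errors { errorCode errorMessage } policy { revision { id name } } } } } }"""
Q_ADD_RULE = """mutation AddRule($accountId: ID!, $input: InternetFirewallAddRuleInput!) {
  policy(accountId: $accountId) { internetFirewall { addRule(input: $input) {
    status errors { errorCode errorMessage } rule { rule { id name } } } } } }"""
Q_PUBLISH = """mutation Publish($accountId: ID!, $input: PolicyPublishRevisionInput!) {
  policy(accountId: $accountId) { internetFirewall { publishPolicyRevision(input: $input) {
    status errors { errorCode errorMessage } } } } }"""
Q_DISCARD = """mutation Discard($accountId: ID!, $input: PolicyDiscardRevisionInput!) {
  policy(accountId: $accountId) { internetFirewall { discardPolicyRevision(input: $input) {
    status errors { errorCode errorMessage } } } } }"""


class GraphQLError(RuntimeError):
    pass


def http_transport(api_key: str) -> Transport:
    """Real transport: POST the JSON body; key in x-api-key (assumed header)."""
    def send(body: dict[str, Any]) -> dict[str, Any]:
        req = urllib.request.Request(
            API_URL, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json", "x-api-key": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def run(transport: Transport, query: str, variables: dict[str, Any]) -> dict[str, Any]:
    """Execute one operation; top-level `errors` (auth, validation) mean nothing ran."""
    result = transport({"query": query, "variables": variables})
    if result.get("errors"):
        raise GraphQLError("; ".join(e.get("message", "?") for e in result["errors"]))
    return result["data"]["policy"]["internetFirewall"]


def check(name: str, payload: dict[str, Any]) -> dict[str, Any]:
    """Mutation payloads carry their own status/errors; anything but SUCCESS fails."""
    if payload.get("status") != "SUCCESS":
        detail = "; ".join(f"{e.get('errorCode')}: {e.get('errorMessage')}"
                           for e in payload.get("errors") or [])
        raise GraphQLError(f"{name} returned {payload.get('status')}: {detail}")
    return payload


def add_rule_in_revision(transport: Transport, account_id: str,
                         rule: dict[str, Any], name: str = "api change") -> dict[str, str]:
    """Create a revision, append one rule, publish; discard the revision on failure."""
    created = check("createPolicyRevision", run(transport, Q_CREATE, {
        "accountId": account_id, "input": {"name": name, "description": name}})["createPolicyRevision"])
    revision_id = created["policy"]["revision"]["id"]
    try:
        added = check("addRule", run(transport, Q_ADD_RULE, {
            "accountId": account_id,
            "input": {"rule": rule, "at": {"position": "LAST_IN_POLICY"}}})["addRule"])
        check("publishPolicyRevision", run(transport, Q_PUBLISH, {
            "accountId": account_id, "input": {"id": revision_id}})["publishPolicyRevision"])
    except GraphQLError:
        try:  # best-effort rollback; the original failure is the one worth surfacing
            run(transport, Q_DISCARD, {"accountId": account_id, "input": {"id": revision_id}})
        except GraphQLError:
            pass
        raise
    return {"revisionId": revision_id, "ruleId": added["rule"]["rule"]["id"]}


class ScriptedTransport:
    """Offline stand-in replaying constructed payloads shaped like this page's
    samples and recording mutation order. The FAILED status is a placeholder."""
    def __init__(self, fail_add_rule: bool = False) -> None:
        self.fail_add_rule = fail_add_rule
        self.calls: list[str] = []

    def __call__(self, body: dict[str, Any]) -> dict[str, Any]:
        q, v = body["query"], body["variables"]
        for op in ("createPolicyRevision", "addRule", "publishPolicyRevision", "discardPolicyRevision"):
            if f"{op}(" in q:
                break
        else:
            return {"errors": [{"message": "unknown operation"}]}
        self.calls.append(op)
        payload: dict[str, Any] = {"status": "SUCCESS", "errors": []}
        if op == "createPolicyRevision":
            payload["policy"] = {"revision": {"id": "rev-1", "name": v["input"]["name"]}}
        elif op == "addRule" and self.fail_add_rule:
            payload = {"status": "FAILED", "rule": None, "errors": [
                {"errorCode": "INVALID_INPUT", "errorMessage": "constructed sample error"}]}
        elif op == "addRule":
            payload["rule"] = {"rule": {"id": "rule-1", "name": v["input"]["rule"]["name"]}}
        return {"data": {"policy": {"internetFirewall": {op: payload}}}}
```

Against the real endpoint, pass http_transport(api_key) in place of ScriptedTransport(). Every selection set requests status and errors { errorCode errorMessage } because these mutations report rejection inside the payload of a successful HTTP response, not as a top-level GraphQL error, and a script that only checks for top-level errors will publish a revision it believes to be complete.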

removeRule

Description

Remove an existing rule from the Internet Firewall policy.

Arguments
Name Description
input - InternetFirewallRemoveRuleInput!

Example

Query

mutation RemoveInternetFirewallRule($accountId:ID!, $input: InternetFirewallRemoveRuleInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      removeRule(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"id": "41a884bf-eaee-44d5-bbb1-6db5612d45cb"}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {"removeRule": {"status": "SUCCESS", "errors": []}}
    }
  }
}

removeSection

Description

Remove an existing section from the Internet Firewall policy.

Response

Returns a PolicySectionMutationPayload!

Arguments
Name Description
input - PolicyRemoveSectionInput!

Example

Query

mutation RemoveSection($accountId:ID!, $input: PolicyRemoveSectionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      removeSection(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"id": "1f4aa454-4065-45a5-985e-1b4aa4228471"}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {"removeSection": {"status": "SUCCESS", "errors": []}}
    }
  }
}

updatePolicy

Description

Update policy-level settings, such as the enabled/disabled toggle state.

Arguments
Name Description
input - InternetFirewallPolicyUpdateInput!

Example

Query

mutation UpdatePolicyState($accountId:ID!, $input: InternetFirewallPolicyUpdateInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      updatePolicy(input: $input) {
        status
        policy {
          enabled
        }
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{"accountId": 12345, "input": {"state": "DISABLED"}}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "updatePolicy": {
          "status": "SUCCESS",
          "policy": {"enabled": false},
          "errors": []
        }
      }
    }
  }
}

updateRule

Description

Update an existing rule of the Internet Firewall policy.

Arguments
Name Description
input - InternetFirewallUpdateRuleInput!

Example

Query

mutation UpdateInternetFirewallRule($accountId:ID!, $input: InternetFirewallUpdateRuleInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      updateRule(input: $input) {
        status
        errors {
          errorMessage
          errorCode
        }
        rule {
          rule {
            id
            name
            description
            enabled
            source {
              ip
              subnet
            }
          }
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "id": "41a884bf-eaee-44d5-bbb1-6db5612d45cb",
    "rule": {
      "enabled": true,
      "name": "New rule name",
      "description": "Updated description",
      "source": {"ip": ["192.0.2.2"]}
    }
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "updateRule": {
          "status": "SUCCESS",
          "errors": [],
          "rule": {
            "rule": {
              "id": "41a884bf-eaee-44d5-bbb1-6db5612d45cb",
              "name": "New rule name",
              "description": "Updated description",
              "enabled": true,
              "source": {"ip": ["192.0.2.2"], "subnet": ["10.0.0.0/8"]}
            }
          }
        }
      }
    }
  }
}

updateSection

Description

Update an existing section of the Internet Firewall policy.

Response

Returns a PolicySectionMutationPayload!

Arguments
Name Description
input - PolicyUpdateSectionInput!

Example

Query

mutation UpdateSection($accountId:ID!, $input: PolicyUpdateSectionInput!) {
  policy(accountId: $accountId) {
    internetFirewall {
      updateSection(input: $input) {
        status
        section {
          section {
            id
            name
          }
        }
        errors {
          errorMessage
          errorCode
        }
      }
    }
  }
}
Variables
{
  "accountId": 12345,
  "input": {
    "id": "be080378-842d-4df7-9d4e-55741dc71339",
    "section": {"name": "updated section name"}
  }
}
Response
{
  "data": {
    "policy": {
      "internetFirewall": {
        "updateSection": {
          "status": "SUCCESS",
          "section": {
            "section": {
              "id": "be080378-842d-4df7-9d4e-55741dc71339",
              "name": "updated section name"
            }
          },
          "errors": []
        }
      }
    }
  }
}

SiteMutations

addNetworkRange

Response

Returns an AddNetworkRangePayload

Arguments
Name Description
lanSocketInterfaceId - ID!
input - AddNetworkRangeInput!

Example

Query
mutation addNetworkRange(
  $accountId:ID!,
  $lanSocketInterfaceId: ID!,
  $input:AddNetworkRangeInput!
) {
  site(accountId:$accountId){
    addNetworkRange(lanSocketInterfaceId:$lanSocketInterfaceId, input:$input){
      networkRangeId
    }
  }
}
Variables
{
  "accountId": "123",
  "lanSocketInterfaceId": "456",
  "input": {
    "name": "Printers",
    "rangeType": "Routed",
    "subnet": "123.0.1.0/30",
    "gateway": "123.0.0.2"
  }
}
Response
{"data": {"site": {"addNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}

addSocketSite

Response

Returns an AddSocketSitePayload

Arguments
Name Description
input - AddSocketSiteInput!

Example

Query
mutation addSocketSite($accountId:ID!, $input:AddSocketSiteInput!){
  site(accountId:$accountId) {
    addSocketSite(input:$input) {
      siteId
    }
  }
}
Variables
{
  "accountId": 123,
  "input": {
    "name": "New Site",
    "connectionType": "SOCKET_X1700",
    "siteType": "DATACENTER",
    "description": "Data warehouse",
    "nativeNetworkRange": "123.0.0.0/24",
    "siteLocation": {
      "countryCode": "IL",
      "timezone": "Asia/Jerusalem",
      "city": "Asheklon"
    }
  }
}
Response
{"data": {"site": {"addSocketSite": {"siteId": "456"}}}}

addStaticHost

Response

Returns an AddStaticHostPayload

Arguments
Name Description
siteId - ID!
input - AddStaticHostInput!

Example

Query
mutation addStaticHost($accountId:ID!,$siteId: ID!, $input: AddStaticHostInput!) {
  site(accountId:$accountId){
    addStaticHost(siteId:$siteId, input:$input){
      hostId
    }
  }
}
Variables
{
  "accountId": "123",
  "siteId": "456",
  "input": {"name": "Printer", "ip": "123.0.0.10"}
}
Response
{"data": {"site": {"addStaticHost": {"hostId": "789"}}}}

removeNetworkRange

Response

Returns a RemoveNetworkRangePayload

Arguments
Name Description
networkRangeId - ID!

Example

Query
mutation removeNetworkRange(
  $accountId:ID!,
  $networkRangeId: ID!,
) {
  site(accountId:$accountId){
    removeNetworkRange(networkRangeId:$networkRangeId){
      networkRangeId
    }
  }
}
Variables
{"accountId": "123", "networkRangeId": "UzQ3MDcw"}
Response
{"data": {"site": {"removeNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}

removeSite

Response

Returns a RemoveSitePayload

Arguments
Name Description
siteId - ID!

Example

Query
mutation removeSite($accountId:ID!, $siteId:ID!){
  site(accountId:$accountId) {
    removeSite(siteId:$siteId) {
      siteId
    }
  }
}
Variables
{"accountId": "123", "siteId": "456"}
Response
{"data": {"site": {"removeSite": {"siteId": "456"}}}}

removeStaticHost

Response

Returns a RemoveStaticHostPayload

Arguments
Name Description
hostId - ID!

Example

Query
mutation removeStaticHost($accountId:ID!,$hostId: ID!) {
  site(accountId:$accountId){
    removeStaticHost(hostId:$hostId){
      hostId
    }
  }
}
Variables
{"accountId": "123", "hostId": "789"}
Response
{"data": {"site": {"removeStaticHost": {"hostId": "789"}}}}

updateHa

Response

Returns an UpdateHaPayload

Arguments
Name Description
siteId - ID!
input - UpdateHaInput!

Example

Query
mutation updateHa($accountId:ID!,$siteId: ID!, $input: UpdateHaInput!) {
  site(accountId:$accountId){
    updateHa(siteId:$siteId, input:$input){
      siteId
    }
  }
}
Variables
{
  "accountId": "123",
  "siteId": "456",
  "input": {
    "primaryManagementIp": "123.0.0.231",
    "secondaryManagementIp": "123.0.0.232",
    "vrid": 123
  }
}
Response
{"data": {"site": {"updateHa": {"siteId": "456"}}}}

updateNetworkRange

Response

Returns an UpdateNetworkRangePayload

Arguments
Name Description
networkRangeId - ID!
input - UpdateNetworkRangeInput!

Example

Query
mutation updateNetworkRange(
  $accountId:ID!,
  $networkRangeId: ID!,
  $input:UpdateNetworkRangeInput!
) {
  site(accountId:$accountId){
    updateNetworkRange(networkRangeId:$networkRangeId, input:$input){
      networkRangeId
    }
  }
}
Variables
{"accountId": "123", "networkRangeId": "UzQ3MDcw", "input": {"name": "Devs"}}
Response
{"data": {"site": {"updateNetworkRange": {"networkRangeId": "UzQ3MDcw"}}}}

updateSiteGeneralDetails

Response

Returns an UpdateSiteGeneralDetailsPayload

Arguments
Name Description
siteId - ID!
input - UpdateSiteGeneralDetailsInput!

Example

Query
mutation updateSiteGeneralDetails($accountId:ID!, $siteId:ID!, $input:UpdateSiteGeneralDetailsInput!) {
  site(accountId: $accountId){
    updateSiteGeneralDetails(siteId:$siteId, input:$input) {
      siteId
    }
  }
}
Variables
{"accountId": "123", "siteId": "456", "input": {"siteType": "BRANCH"}}
Response
{"data": {"site": {"updateSiteGeneralDetails": {"siteId": "456"}}}}

updateSocketInterface

Response

Returns an UpdateSocketInterfacePayload

Arguments
Name Description
siteId - ID!
socketInterfaceId - SocketInterfaceIDEnum!
input - UpdateSocketInterfaceInput!

Example

Query
mutation updateSocketInterface(
  $accountId:ID!,
  $siteId: ID!,
  $socketInterfaceId: SocketInterfaceIDEnum!,
  $input:UpdateSocketInterfaceInput!
) {
  site(accountId:$accountId){
    updateSocketInterface(siteId:$siteId, socketInterfaceId: $socketInterfaceId, input:$input){
      siteId
      socketInterfaceId
    }
  }
}
Variables
{
  "accountId": "123",
  "siteId": "456",
  "socketInterfaceId": "INT_1",
  "input": {
    "destType": "CATO",
    "bandwidth": {"upstreamBandwidth": 100, "downstreamBandwidth": 100}
  }
}
Response
{
  "data": {
    "site": {
      "updateSocketInterface": {"siteId": "456", "socketInterfaceId": "INT_1"}
    }
  }
}

updateStaticHost

Response

Returns an UpdateStaticHostPayload

Arguments
Name Description
hostId - ID!
input - UpdateStaticHostInput!

Example

Query
mutation updateStaticHost($accountId:ID!,$hostId: ID!, $input: UpdateStaticHostInput!) {
  site(accountId:$accountId){
    updateStaticHost(hostId:$hostId, input:$input){
      hostId
    }
  }
}
Variables
{
  "accountId": "123",
  "hostId": "789",
  "input": {"name": "Printer", "ip": "123.0.0.11"}
}
Response
{"data": {"site": {"updateStaticHost": {"hostId": "789"}}}}
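Every mutation in this section is nested under `site(accountId: ...)` and returns only the ID of the object it touched, so one small client shape serves all of them. The following is an added example, not Cato's own client code: it builds the request body for `addStaticHost` (the generic builder also covers the other site mutations above), validates the `ip` value locally before it is sent, and treats a GraphQL `errors` array as a failure even though the HTTP status is 200. The endpoint URL is the one documented on this page; the `x-api-key` header name and the `CatoApiError` type are assumptions made for this example.

```python
"""Added example: issuing a site mutation against the Cato GraphQL API.

Not Cato's own client code. The endpoint is the one documented on this page;
the API-key header name (x-api-key) is an assumption, not taken from the page.
"""
import ipaddress
import json
import urllib.request

ENDPOINT = "https://api.catonetworks.com/api/v1/graphql2"  # from the page


class CatoApiError(Exception):
    """Raised when the API returns a GraphQL error or an unexpected shape (assumed name)."""


def site_mutation(name, var_types, selection):
    """Build the query text for a mutation nested under site(accountId:).

    var_types maps a variable name to its GraphQL type, e.g. {"siteId": "ID!"};
    selection lists the fields to read back from the payload type.
    """
    decls = ", ".join(f"${v}: {t}" for v, t in var_types.items())
    args = ", ".join(f"{v}: ${v}" for v in var_types)
    return (
        f"mutation {name}($accountId: ID!, {decls}) {{\n"
        f"  site(accountId: $accountId) {{\n"
        f"    {name}({args}) {{ {' '.join(selection)} }}\n"
        f"  }}\n"
        f"}}"
    )


ADD_STATIC_HOST = site_mutation(
    "addStaticHost", {"siteId": "ID!", "input": "AddStaticHostInput!"}, ["hostId"]
)


def build_add_static_host(account_id, site_id, name, ip, mac_address=None):
    """Validate the inputs locally and return the JSON body for the request."""
    # AddStaticHostInput.ip is a required IPAddress scalar; reject junk before
    # it leaves the client rather than relying on the server-side error.
    ipaddress.ip_address(ip)  # raises ValueError for malformed addresses
    if not name.strip():
        raise ValueError("host name must not be empty")
    host_input = {"name": name, "ip": ip}
    if mac_address is not None:
        host_input["macAddress"] = mac_address
    return {
        "query": ADD_STATIC_HOST,
        # GraphQL ID accepts ints or strings; normalise to strings as the
        # page's examples do.
        "variables": {"accountId": str(account_id), "siteId": str(site_id), "input": host_input},
    }


def parse_mutation_result(body, mutation, key):
    """Return the ID field of a site-mutation response, or raise on GraphQL errors."""
    if body.get("errors"):
        # GraphQL reports failures in an "errors" array alongside HTTP 200.
        msgs = "; ".join(e.get("message", "unknown error") for e in body["errors"])
        raise CatoApiError(msgs)
    try:
        return body["data"]["site"][mutation][key]
    except (KeyError, TypeError) as exc:
        raise CatoApiError(f"unexpected response shape: {body!r}") from exc


def post(body, api_key, timeout=30):
    """Send the request. Assumes the API key is carried in an x-api-key header."""
    req = urllib.request.Request(
        ENDPOINT,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "x-api-key": api_key},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration using a constructed response that mirrors the
    # page's addStaticHost example; no request is sent.
    body = build_add_static_host("123", "456", "Printer", "123.0.0.10")
    sample = {"data": {"site": {"addStaticHost": {"hostId": "789"}}}}
    print(parse_mutation_result(sample, "addStaticHost", "hostId"))
```

To run it for real, call `post(build_add_static_host(...), api_key)` and pass the result to `parse_mutation_result`; the same `site_mutation` builder produces `removeStaticHost` or `updateNetworkRange` by changing the name, variable types and selection.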

Types

AccountDataPayload

Fields
Field Name Description
id - ID!
name - String!
subdomain - String!
Example
{
  "id": "4",
  "name": "xyz789",
  "subdomain": "xyz789"
}

AccountIdPredicate

Fields
Input Field Description
in - [ID!]
not_in - [ID!]
Example
{"in": [4], "not_in": [4]}

AccountMetrics

Fields
Field Name Description
id - ID Unique Identifier of Account.
from - DateTime Starting time
to - DateTime Ending time
granularity - Int The size of a single time bucket in seconds
sites - [SiteMetrics!] Site connectivity metrics for the requested sites.
Arguments
siteIDs - [ID!]

A list of unique IDs for each site. If specified, only sites in this list are returned. Otherwise, all sites are returned.

users - [SiteMetrics!] Connectivity metrics for the requested users connecting remotely with the Client. Doesn’t include user traffic behind a site.
Arguments
userIDs - [ID!]

A list of unique IDs for each user. If specified, only users in this list are returned. Otherwise, no user metrics are returned.

timeseries - [Timeseries!]
Arguments
buckets - Int

number of buckets, defaults to 10, max 1000

Example
{
  "id": "4",
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "granularity": 123,
  "sites": [SiteMetrics],
  "users": [SiteMetrics],
  "timeseries": [Timeseries]
}

AccountRolesResult

Fields
Field Name Description
items - [RBACRole!]!
total - Int!
Example
{"items": [RBACRole], "total": 987}

AccountSnapshot

Fields
Field Name Description
id - ID Unique Identifier of Account
sites - [SiteSnapshot!] Sites include information about both online and offline sites
Arguments
siteIDs - [ID!]

List of unique site identifiers. If specified, only sites in the list are returned

users - [UserSnapshot!] VPN user information includes only connected users by default (unlike sites), unless a specific ID is requested
Arguments
userIDs - [ID!]

Request specific IDs, regardless of whether they are connected

timestamp - DateTime
Example
{
  "id": "4",
  "sites": [SiteSnapshot],
  "users": [UserSnapshot],
  "timestamp": "2007-12-03T10:15:30Z"
}

AccountType

Values
Enum Value Description

SYSTEM

REGULAR

RESELLER

ALL

Example
"SYSTEM"

Activity

Fields
Field Name Description
id - ID!
resourceId - ID!
parentResourceId - ID!
Possible Types
Activity Types

CatoActivity

MicrosoftActivity

Example
{
  "id": "4",
  "resourceId": 4,
  "parentResourceId": "4"
}

AddAdminInput

Fields
Input Field Description
firstName - String!
lastName - String!
email - String!
passwordNeverExpires - Boolean!
mfaEnabled - Boolean!
managedRoles - [UpdateAdminRoleInput!]
resellerRoles - [UpdateAdminRoleInput!]
Example
{
  "firstName": "abc123",
  "lastName": "abc123",
  "email": "xyz789",
  "passwordNeverExpires": false,
  "mfaEnabled": true,
  "managedRoles": [UpdateAdminRoleInput],
  "resellerRoles": [UpdateAdminRoleInput]
}

AddAdminPayload

Fields
Field Name Description
adminID - ID!
Example
{"adminID": 4}

AddNetworkRangeInput

Fields
Input Field Description
name - String!
rangeType - SubnetType!
subnet - IPSubnet!
translatedSubnet - IPSubnet
localIp - IPAddress Only relevant for NATIVE, SECONDARY_NATIVE, DIRECT_ROUTE, VLAN rangeType
gateway - IPAddress Only relevant for ROUTED_ROUTE rangeType
vlan - Int Only relevant for VLAN network rangeType
azureFloatingIp - IPAddress Only relevant for AZURE HA sites
dhcpSettings - NetworkDhcpSettingsInput Only relevant for NATIVE, VLAN rangeType
Example
{
  "name": "xyz789",
  "rangeType": "Routed",
  "subnet": IPSubnet,
  "translatedSubnet": IPSubnet,
  "localIp": IPAddress,
  "gateway": IPAddress,
  "vlan": 123,
  "azureFloatingIp": IPAddress,
  "dhcpSettings": NetworkDhcpSettingsInput
}

AddNetworkRangePayload

Fields
Field Name Description
networkRangeId - ID!
Example
{"networkRangeId": "4"}

AddSiteLocationInput

Fields
Input Field Description
countryCode - String! country code
stateCode - String optional state code
timezone - String! time zone
address - String optional address
city - String city name, must belong to the country or country and state
Example
{
  "countryCode": "abc123",
  "stateCode": "xyz789",
  "timezone": "xyz789",
  "address": "abc123",
  "city": "abc123"
}

AddSocketSiteInput

Fields
Input Field Description
name - String!
connectionType - SiteConnectionTypeEnum!
siteType - SiteType!
description - String
nativeNetworkRange - IPSubnet!
translatedSubnet - IPSubnet
siteLocation - AddSiteLocationInput!
Example
{
  "name": "xyz789",
  "connectionType": "SOCKET_X1500",
  "siteType": "BRANCH",
  "description": "xyz789",
  "nativeNetworkRange": IPSubnet,
  "translatedSubnet": IPSubnet,
  "siteLocation": AddSiteLocationInput
}

AddSocketSitePayload

Fields
Field Name Description
siteId - ID!
Example
{"siteId": 4}

AddStaticHostInput

Fields
Input Field Description
name - String!
ip - IPAddress!
macAddress - String
Example
{
  "name": "xyz789",
  "ip": IPAddress,
  "macAddress": "abc123"
}

AddStaticHostPayload

Fields
Field Name Description
hostId - ID!
Example
{"hostId": 4}

Admin

Description

A CC2 administrator

Fields
Field Name Description
id - ID!
version - String!
role - UserRole
firstName - String
lastName - String
email - String
creationDate - DateTime
modifyDate - DateTime
status - OperationalStatus
passwordNeverExpires - Boolean
mfaEnabled - Boolean
nativeAccountID - ID
allowedItems - [Entity!]
presentUsageAndEvents - Boolean
managedRoles - [AdminRole!]
resellerRoles - [AdminRole!]
Example
{
  "id": "4",
  "version": "xyz789",
  "role": "OWNER",
  "firstName": "xyz789",
  "lastName": "abc123",
  "email": "abc123",
  "creationDate": "2007-12-03T10:15:30Z",
  "modifyDate": "2007-12-03T10:15:30Z",
  "status": "active",
  "passwordNeverExpires": true,
  "mfaEnabled": false,
  "nativeAccountID": 4,
  "allowedItems": [Entity],
  "presentUsageAndEvents": false,
  "managedRoles": [AdminRole],
  "resellerRoles": [AdminRole]
}

AdminRole

Fields
Field Name Description
role - RBACRole!
allowedEntities - [Entity!]
allowedAccounts - [ID!]
Example
{
  "role": RBACRole,
  "allowedEntities": [Entity],
  "allowedAccounts": ["4"]
}

AdminsResult

Fields
Field Name Description
items - [Admin!]!
total - Int!
Example
{"items": [Admin], "total": 123}

AggregationType

Values
Enum Value Description

sum

count

count_distinct

distinct

avg

max

min

any

changes

uniq_set

Example
"sum"

AlertClassificationEnum

Values
Enum Value Description

FALSE_POSITIVE

TRUE_POSITIVE

INFORMATIONAL_EXPECTED_ACTIVITY

Example
"FALSE_POSITIVE"

AlertDeterminationEnum

Values
Enum Value Description

APT

MALWARE

SECURITY_PERSONNEL

SECURITY_TESTING

UNWANTED_SOFTWARE

MULTI_STAGED_ATTACK

COMPROMISED_ACCOUNT

PHISHING

MALICIOUS_USER_ACTIVITY

NOT_MALICIOUS

NOT_ENOUGH_DATA_TO_VALIDATE

CONFIRMED_ACTIVITY

LINE_OF_BUSINESS_APPLICATION

OTHER

Example
"APT"

AnalystFeedback

Fields
Field Name Description
verdict - StoryVerdictEnum
severity - SeverityEnum
threatType - AnalystFeedbackThreatType
threatClassification - String
additionalInfo - String
Example
{
  "verdict": "Suspicious",
  "severity": "High",
  "threatType": AnalystFeedbackThreatType,
  "threatClassification": "xyz789",
  "additionalInfo": "xyz789"
}

AnalystFeedbackThreatType

Fields
Field Name Description
name - String
recommendedAction - String
details - String
Example
{
  "name": "xyz789",
  "recommendedAction": "abc123",
  "details": "abc123"
}

AnalystInfo

Fields
Field Name Description
name - String Security analyst name
email - String Security analyst email address
Example
{
  "name": "abc123",
  "email": "abc123"
}

AnnotationType

Values
Enum Value Description

popChange

The site connects to a different PoP

roleChange

Change for HA status role

remoteIPChange

The ISP IP address (remote IP) changed

generic

Other events that are included in annotations
Example
"popChange"

Anomalies

Fields
Field Name Description
id - ID!
firstSignal - DateTime!
lastSignal - DateTime!
engineType - StoryEngineTypeEnum
vendor - VendorEnum
producer - StoryProducerEnum!
producerName - String!
connectionType - ConnectionTypeEnum
indication - String!
queryName - String
source - String
criticality - Int
ticket - String
status - StoryStatusEnum
research - Boolean
siteName - String
storyDuration - Int
description - String
analystFeedback - AnalystFeedback
site - SiteRef
user - UserRef
sourceIp - String
similarStoriesData - [SimilarStoryData!]!
predictedVerdict - StoryVerdictEnum
predictedThreatType - String
direction - String
Possible Types
Anomalies Types

AnomalyStats

AnomalyEvents

Example
{
  "id": "4",
  "firstSignal": "2007-12-03T10:15:30Z",
  "lastSignal": "2007-12-03T10:15:30Z",
  "engineType": "ANOMALY",
  "vendor": "CATO",
  "producer": "AnomalyStats",
  "producerName": "abc123",
  "connectionType": "Site",
  "indication": "xyz789",
  "queryName": "xyz789",
  "source": "xyz789",
  "criticality": 123,
  "ticket": "abc123",
  "status": "Open",
  "research": false,
  "siteName": "xyz789",
  "storyDuration": 987,
  "description": "xyz789",
  "analystFeedback": AnalystFeedback,
  "site": SiteRef,
  "user": UserRef,
  "sourceIp": "xyz789",
  "similarStoriesData": [SimilarStoryData],
  "predictedVerdict": "Suspicious",
  "predictedThreatType": "xyz789",
  "direction": "abc123"
}

AnomalyEvents

Fields
Field Name Description
id - ID!
firstSignal - DateTime!
lastSignal - DateTime!
engineType - StoryEngineTypeEnum
vendor - VendorEnum
producer - StoryProducerEnum!
producerName - String!
connectionType - ConnectionTypeEnum
indication - String!
queryName - String
source - String
criticality - Int
ticket - String
status - StoryStatusEnum
research - Boolean
siteName - String
storyDuration - Int
description - String
analystFeedback - AnalystFeedback
site - SiteRef
user - UserRef
sourceIp - String
similarStoriesData - [SimilarStoryData!]!
predictedVerdict - StoryVerdictEnum
predictedThreatType - String
srcSiteId - String
os - String
deviceName - String
macAddress - String
logonName - String
clientClass - [String!]!
drillDownFilter - [StoryDrillDownFilter!]
breakdownField - String
subjectType - String
extra - [Extra!]
gaussian - Gaussian
metric - Metric
metricDetails - MetricDetails
mitres - [Mitre!]
rules - [String!]
timeSeries - [IncidentTimeseries!]
targets - [IncidentTargetRep!]!
direction - String
Example
{
  "id": "4",
  "firstSignal": "2007-12-03T10:15:30Z",
  "lastSignal": "2007-12-03T10:15:30Z",
  "engineType": "ANOMALY",
  "vendor": "CATO",
  "producer": "AnomalyStats",
  "producerName": "abc123",
  "connectionType": "Site",
  "indication": "xyz789",
  "queryName": "xyz789",
  "source": "xyz789",
  "criticality": 987,
  "ticket": "abc123",
  "status": "Open",
  "research": false,
  "siteName": "abc123",
  "storyDuration": 987,
  "description": "xyz789",
  "analystFeedback": AnalystFeedback,
  "site": SiteRef,
  "user": UserRef,
  "sourceIp": "xyz789",
  "similarStoriesData": [SimilarStoryData],
  "predictedVerdict": "Suspicious",
  "predictedThreatType": "xyz789",
  "srcSiteId": "abc123",
  "os": "abc123",
  "deviceName": "xyz789",
  "macAddress": "xyz789",
  "logonName": "xyz789",
  "clientClass": ["abc123"],
  "drillDownFilter": [StoryDrillDownFilter],
  "breakdownField": "xyz789",
  "subjectType": "abc123",
  "extra": [Extra],
  "gaussian": Gaussian,
  "metric": Metric,
  "metricDetails": MetricDetails,
  "mitres": [Mitre],
  "rules": ["abc123"],
  "timeSeries": [IncidentTimeseries],
  "targets": [IncidentTargetRep],
  "direction": "abc123"
}

AnomalyStats

Fields
Field Name Description
id - ID!
firstSignal - DateTime!
lastSignal - DateTime!
engineType - StoryEngineTypeEnum
vendor - VendorEnum
producer - StoryProducerEnum!
producerName - String!
connectionType - ConnectionTypeEnum
indication - String!
queryName - String
source - String
criticality - Int
ticket - String
status - StoryStatusEnum
research - Boolean
siteName - String
storyDuration - Int
description - String
analystFeedback - AnalystFeedback
site - SiteRef
user - UserRef
sourceIp - String
similarStoriesData - [SimilarStoryData!]!
predictedVerdict - StoryVerdictEnum
predictedThreatType - String
srcSiteId - String
os - String
deviceName - String
macAddress - String
logonName - String
clientClass - [String!]!
drillDownFilter - [StoryDrillDownFilter!]
breakdownField - String
subjectType - String
extra - [Extra!]
gaussian - Gaussian
metric - Metric
metricDetails - MetricDetails
mitres - [Mitre!]
rules - [String!]
timeSeries - [IncidentTimeseries!]
targets - [IncidentTargetRep!]!
direction - String
Example
{
  "id": "4",
  "firstSignal": "2007-12-03T10:15:30Z",
  "lastSignal": "2007-12-03T10:15:30Z",
  "engineType": "ANOMALY",
  "vendor": "CATO",
  "producer": "AnomalyStats",
  "producerName": "xyz789",
  "connectionType": "Site",
  "indication": "xyz789",
  "queryName": "xyz789",
  "source": "abc123",
  "criticality": 987,
  "ticket": "abc123",
  "status": "Open",
  "research": false,
  "siteName": "xyz789",
  "storyDuration": 987,
  "description": "abc123",
  "analystFeedback": AnalystFeedback,
  "site": SiteRef,
  "user": UserRef,
  "sourceIp": "xyz789",
  "similarStoriesData": [SimilarStoryData],
  "predictedVerdict": "Suspicious",
  "predictedThreatType": "xyz789",
  "srcSiteId": "abc123",
  "os": "xyz789",
  "deviceName": "xyz789",
  "macAddress": "xyz789",
  "logonName": "abc123",
  "clientClass": ["abc123"],
  "drillDownFilter": [StoryDrillDownFilter],
  "breakdownField": "xyz789",
  "subjectType": "abc123",
  "extra": [Extra],
  "gaussian": Gaussian,
  "metric": Metric,
  "metricDetails": MetricDetails,
  "mitres": [Mitre],
  "rules": ["abc123"],
  "timeSeries": [IncidentTimeseries],
  "targets": [IncidentTargetRep],
  "direction": "xyz789"
}

ApnMethod

Values
Enum Value Description

METHOD_UNKNOWN

METHOD_AUTO

METHOD_MANUAL

Example
"METHOD_UNKNOWN"

AppStats

Fields
Field Name Description
id - ID
from - DateTime
to - DateTime
total - Int
totals - Map
records - [AppStatsRecord!]
Arguments
limit - Int
from - Int
Example
{
  "id": "4",
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "total": 987,
  "totals": Map,
  "records": [AppStatsRecord]
}

AppStatsField

Fields
Field Name Description
name - AppStatsFieldName!
value - Value!
Example
{"name": "app", "value": StringValue}

AppStatsFieldName

Values
Enum Value Description

app

The application identifier

application

The application name

new_app

new cloud application identifier

discovered_app

traffic

the total sum of upstream and downstream data in bytes

upstream

data uploaded to cloud applications

downstream

data downloaded from cloud applications

risk_score

the application risk score assigned by Cato

risk_level

sanctioned

Is the application defined as sanctioned?

hq_location

the country in which the registered application headquarters is located

is_cloud_app

indicates whether the application is considered a cloud app/SaaS app

category

Cato system category of the application

description

Application description

ip

subnet

Name of subnet as defined in Cato Management Application

domain

dest_ip

IP for destination host or Cato Client

user_id

User identifier

user_name

User name

src_site_id

Source site or remote user identifier

src_site_name

Source site or remote user name

site_country

Country in which the source host is located

site_state

State in which the source host is located

vpn_user_id

Deprecated; use user_id instead

flows_created

dest_site

Destination site or remote user identifier

dest_is_site_or_vpn

Destination is site or remote user

dest_site_id

Destination Site or remote user identifier

dest_site_name

Destination Site or remote user name

traffic_direction

Traffic direction

device_name

Name for device related to the traffic

ad_name

Active Directory name

src_ip

IP for source host or Cato Client

socket_interface

Name for Socket interface

src_is_site_or_vpn

Source is site or remote user
Example
"app"

AppStatsFilter

Fields
Input Field Description
fieldName - AppStatsFieldName!
operator - FilterOperator!
values - [String!]!
Example
{
  "fieldName": "app",
  "operator": "is",
  "values": ["xyz789"]
}

AppStatsRecord

Fields
Field Name Description
fields - [AppStatsField!]
fieldsUnitTypes - [UnitType!]
fieldsMap - Map fields in map format (see Map scalar)
trends - Map
prevTimeFrame - Map
flatFields - [String!] Simplified fields, as an array of name/value tuples, e.g. [["name", "val"], ["name2", "val2"], ...]
Example
{
  "fields": [AppStatsField],
  "fieldsUnitTypes": ["bytes"],
  "fieldsMap": Map,
  "trends": Map,
  "prevTimeFrame": Map,
  "flatFields": ["abc123"]
}

AppStatsSort

Fields
Input Field Description
fieldName - AppStatsFieldName!
order - DirectionEnum!
Example
{"fieldName": "app", "order": "asc"}

AppStatsTimeSeries

Fields
Field Name Description
id - ID
from - DateTime
to - DateTime
granularity - Int
timeseries - [Timeseries!]
Arguments
buckets - Int!
Example
{
  "id": "4",
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "granularity": 987,
  "timeseries": [Timeseries]
}

ApplicationCategoryRef

Fields
Field Name Description
id - ID!
name - String!
Example
{
  "id": "4",
  "name": "abc123"
}

ApplicationCategoryRefInput

Fields
Input Field Description
by - ObjectRefBy!
input - String!
Example
{"by": "ID", "input": "xyz789"}

ApplicationRef

Fields
Field Name Description
id - ID!
name - String!
Example
{
  "id": "4",
  "name": "abc123"
}

ApplicationRefInput

Fields
Input Field Description
by - ObjectRefBy!
input - String!
Example
{"by": "ID", "input": "abc123"}

Asn16

Description

16-bit autonomous system number [0-65535]

Example
Asn16

AuditFeed

Fields
Field Name Description
from - DateTime
to - DateTime
marker - String
fetchedCount - Int!
hasMore - Boolean
accounts - [AuditFeedAccountRecords]
Example
{
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "marker": "xyz789",
  "fetchedCount": 123,
  "hasMore": false,
  "accounts": [AuditFeedAccountRecords]
}

AuditFeedAccountRecords

Fields
Field Name Description
id - ID
records - [AuditRecord!]
Arguments
fieldNames - [AuditFieldName!]
Example
{
  "id": "4",
  "records": [AuditRecord]
}

AuditField

Fields
Field Name Description
name - String!
value - Value!
Example
{
  "name": "abc123",
  "value": StringValue
}

AuditFieldFilterInput

Fields
Input Field Description
fieldName - FieldNameInput!
operator - ElasticOperator! Use AuditFieldName for audits
values - [String!]
Example
{
  "fieldName": FieldNameInput,
  "operator": "is",
  "values": ["abc123"]
}

AuditFieldName

Values
Enum Value Description

admin

The admin whose action generated the record

apiKey

The api key whose action generated the record

model_name

The name of the object that was affected, e.g. 'My Site'

admin_id

The ID of the admin whose action generated the record

module

Less granular than model_name, a general marker of the modified area: administration, configuration, security

audit_creation_type

insertion_date

Time the record was committed to storage

change_type

the nature of the change: CREATED, DELETED, MODIFIED, ENABLED, DISABLED, SKIPPED

creation_date

Time the record was created

model_type

The type of object that was affected, e.g. Site, Socket, SocketInterface

account

The name of the account on which the record was created

account_id

The id of the account on which the record was created
Example
"admin"

AuditRecord

Description

Represents a single event in the audit database

Fields
Field Name Description
admin - Entity
apiKey - Entity
object - Entity
account - EntityInfo
time - DateTime
fields - [AuditField!] All fields in the audit record (including the admin and object)
fieldsMap - Map fields in map format (see Map scalar)
flatFields - [String!] Simplified fields, as an array of name/value tuples, e.g. [["name", "val"], ["name2", "val2"], ...]
Example
{
  "admin": Entity,
  "apiKey": Entity,
  "object": Entity,
  "account": EntityInfo,
  "time": "2007-12-03T10:15:30Z",
  "fields": [AuditField],
  "fieldsMap": Map,
  "flatFields": ["xyz789"]
}

BGPConnection

Fields
Field Name Description
connectionName - String
peerIp - String
peerAsn - Int
catoIp - String
catoAsn - Int
Example
{
  "connectionName": "xyz789",
  "peerIp": "xyz789",
  "peerAsn": 987,
  "catoIp": "xyz789",
  "catoAsn": 987
}

Boolean

Description

The Boolean scalar type represents true or false.

Example
true

BooleanPredicate

Fields
Input Field Description
is - String!
Example
{"is": "abc123"}

CasbLicense

Description

Cloud Access Security Broker (CASB) service license details

Fields
Field Name Description
description - String
plan - LicensePlan! License plan type
sku - LicenseSku! The license SKU
status - LicenseStatus! License activation status
startDate - DateTime License start date
expirationDate - DateTime! License expiration date
lastUpdated - DateTime The date of the last update to the license
Example
{
  "description": "abc123",
  "plan": "COMMERCIAL",
  "sku": "CATO_SITE",
  "status": "ACTIVE",
  "startDate": "2007-12-03T10:15:30Z",
  "expirationDate": "2007-12-03T10:15:30Z",
  "lastUpdated": "2007-12-03T10:15:30Z"
}

CatoActivity

Fields
Field Name Description
id - ID! Unique Cato ID for this activity
resourceId - ID! Unique Cato ID for the resource (process or file) involved in the alert
parentResourceId - ID! Unique Cato ID for the preceding resource (process or file) in the alert
Example
{
  "id": 4,
  "resourceId": 4,
  "parentResourceId": "4"
}

CatoEndpoint

Fields
Field Name Description
id - ID! ID for the Endpoint Protection story
firstSignal - DateTime! Timestamp for the first incident signal related to this story
lastSignal - DateTime! Timestamp for the last (most recent) incident signal related to this story
engineType - StoryEngineTypeEnum Enum that shows the XDR engine involved with the incident
vendor - VendorEnum Vendor that identified the incident, such as Cato or Microsoft
producer - StoryProducerEnum! Enum for the Producer (specific XDR engine or service) involved with the incident
producerName - String! Full name of the Producer (specific XDR engine and service) involved with the incident
connectionType - ConnectionTypeEnum Enum for the connection type of this incident (i.e. host, user)
indication - String! An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications.
queryName - String
source - String IP address, name of device, or SDP user on your network involved in the story
criticality - Int Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk)
ticket - String The ticket for this story
status - StoryStatusEnum Enum for the status of this story (i.e. Open, Closed, Monitoring)
research - Boolean TRUE indicates that the story is currently being researched by Security Analysts
siteName - String Site name related to the story
storyDuration - Int Amount of time since the story was opened (no value for closed stories)
description - String Description of the threat
sourceIp - String Source IP address of the device in your network sending or receiving the flow
analystFeedback - AnalystFeedback Fields related to the analysts' research of the threat incident
site - SiteRef Cato ID and name for the site
user - UserRef Cato ID and name for the site
similarStoriesData - [SimilarStoryData!]!
predictedVerdict - StoryVerdictEnum
predictedThreatType - String
device - CatoEndpointDeviceDetails Details for the EPP device (i.e. device name, OS, MAC address)
alerts - [CatoEndpointAlert!]! Details for the threat detected by the EPP
Example
{
  "id": "4",
  "firstSignal": "2007-12-03T10:15:30Z",
  "lastSignal": "2007-12-03T10:15:30Z",
  "engineType": "ANOMALY",
  "vendor": "CATO",
  "producer": "AnomalyStats",
  "producerName": "abc123",
  "connectionType": "Site",
  "indication": "abc123",
  "queryName": "xyz789",
  "source": "abc123",
  "criticality": 987,
  "ticket": "abc123",
  "status": "Open",
  "research": true,
  "siteName": "abc123",
  "storyDuration": 987,
  "description": "abc123",
  "sourceIp": "abc123",
  "analystFeedback": AnalystFeedback,
  "site": SiteRef,
  "user": UserRef,
  "similarStoriesData": [SimilarStoryData],
  "predictedVerdict": "Suspicious",
  "predictedThreatType": "xyz789",
  "device": CatoEndpointDeviceDetails,
  "alerts": [CatoEndpointAlert]
}

CatoEndpointAlert

Fields
Field Name Description
id - ID! Unique Cato ID for the Endpoint Protection story
title - String Title of the endpoint alert
description - String Description of the threat
threatName - String Name of threat detected on the device
mitreTechnique - [Mitre!]! MITRE ATT&CK® technique for the threat
mitreSubTechnique - [Mitre!]! MITRE ATT&CK® sub-technique for the threat
createdDateTime - DateTime Timestamp that the threat was detected and the alert generated
resources - [CatoResource!]! Data for the remediation status of the alert
activities - [CatoActivity!]! Unique Cato IDs for the activities related to the alert
criticality - Int Cato's risk analysis of the story. Values are from 1 (low risk) to 10 (high risk)
engineType - CatoEndpointEngineType Enum for the EPP engine related to this story
status - RemediationStatusEnum Enum for the remediation status of the EPP alert
endpointProtectionProfile - String EPP profile that is assigned to this device
Example
{
  "id": "4",
  "title": "abc123",
  "description": "abc123",
  "threatName": "xyz789",
  "mitreTechnique": [Mitre],
  "mitreSubTechnique": [Mitre],
  "createdDateTime": "2007-12-03T10:15:30Z",
  "resources": [CatoResource],
  "activities": [CatoActivity],
  "criticality": 987,
  "engineType": "Behavioral",
  "status": "REMEDIATED",
  "endpointProtectionProfile": "xyz789"
}

CatoEndpointDeviceDetails

Fields
Field Name Description
id - ID! Unique Cato ID for this story
deviceName - String Name of the device
osDetails - OsDetails OS data (i.e. type, build, version)
loggedOnUsers - [EndpointUser!]! Data for one or more users logged in to the device
macAddress - String MAC address of the device
Example
{
  "id": "4",
  "deviceName": "abc123",
  "osDetails": OsDetails,
  "loggedOnUsers": [EndpointUser],
  "macAddress": "xyz789"
}

CatoEndpointEngineType

Values
Enum Value Description

Behavioral

AntiMalware

Example
"Behavioral"

CatoEndpointUser

Fields
Field Name Description
id - ID! ID for the user
name - String! Username for the user whose activity generated the indication
Example
{"id": 4, "name": "abc123"}

CatoFileResource

Fields
Field Name Description
id - ID! Unique Cato ID for this file resource
createdDateTime - DateTime Timestamp that this file resource was used
remediationStatus - RemediationStatusEnum Enum for the remediation status associated with this file resource
fileDetails - FileDetails Details of the file related to this resource
detectionStatus - DetectionStatusEnum Enum for the detection status of this file resource
Example
{
  "id": "4",
  "createdDateTime": "2007-12-03T10:15:30Z",
  "remediationStatus": "REMEDIATED",
  "fileDetails": FileDetails,
  "detectionStatus": "DETECTED"
}

CatoProcessResource

Fields
Field Name Description
id - ID! Unique Cato ID for this resource
createdDateTime - DateTime Timestamp that this resource was used
remediationStatus - RemediationStatusEnum Enum for the remediation status associated with this resource
processId - Int! ID for the process
processCommandLine - String CLI command related to this process
imageFile - FileDetails Details of the file related to this process
userAccount - EndpointUser User account related to this process
Example
{
  "id": 4,
  "createdDateTime": "2007-12-03T10:15:30Z",
  "remediationStatus": "REMEDIATED",
  "processId": 123,
  "processCommandLine": "xyz789",
  "imageFile": FileDetails,
  "userAccount": EndpointUser
}

CatoResource

Fields
Field Name Description
id - ID! Unique Cato ID for this EPP resource
createdDateTime - DateTime Timestamp that this resource was used
remediationStatus - RemediationStatusEnum Enum for the remediation status associated with this resource
Possible Types
CatoResource Types

CatoProcessResource

CatoFileResource

Example
{
  "id": 4,
  "createdDateTime": "2007-12-03T10:15:30Z",
  "remediationStatus": "REMEDIATED"
}

CellularDisconnectionReason

Values
Enum Value Description

REASON_NONE

REASON_TIMEOUT

Example
"REASON_NONE"

CellularInterface

Fields
Field Name Description
networkType - CellularNetworkType 2G, 3G, or 4G
simSlotId - Int Shows the currently active SIM slot; the other slot is in standby. Slot 1 is active by default.
modemStatus - CellularModemStatus Represents the current status of the modem. Valid values are Error, OK, or Unknown.
isModemConnected - Boolean! Indicates if the cellular modem is currently connected to the internet.
iccid - String Unique identifier (20-digit number) for the modem.
imei - String Unique identifier (15-digit number) for a specific SIM.
operatorName - String Displays the operator or carrier name, such as Verizon.
isModemSuspended - Boolean! Indicates if the modem is currently suspended.
apn - String Represents the Access Point Name (e.g., uwap.orange.co.il). Configurable from Socket WebUI or SIM switch.
apnSelectionMethod - ApnMethod Determines how the APN is selected. Valid values are Auto or Manual (configurable in WebUI).
signalStrength - String Represents the signal strength of the cellular connection, in units of calculation.
isRoamingAllowed - Boolean! Indicates whether roaming is enabled.
simNumber - String The phone number associated with the SIM.
disconnectionReason - CellularDisconnectionReason Displays the reason for the modem disconnecting. Valid values are 0 (No reason provided) or 1 (The session timed out).
isSimSlot1Detected - Boolean! Indicates whether a SIM is detected in the first slot.
isSimSlot2Detected - Boolean! Indicates whether a SIM is detected in the second slot.
Example
{
  "networkType": "TYPE_UNKNOWN",
  "simSlotId": 987,
  "modemStatus": "STATUS_UNKNOWN",
  "isModemConnected": false,
  "iccid": "xyz789",
  "imei": "xyz789",
  "operatorName": "abc123",
  "isModemSuspended": false,
  "apn": "abc123",
  "apnSelectionMethod": "METHOD_UNKNOWN",
  "signalStrength": "xyz789",
  "isRoamingAllowed": true,
  "simNumber": "abc123",
  "disconnectionReason": "REASON_NONE",
  "isSimSlot1Detected": false,
  "isSimSlot2Detected": false
}

CellularModemStatus

Values
Enum Value Description

STATUS_UNKNOWN

STATUS_OK

STATUS_ERROR

Example
"STATUS_UNKNOWN"

CellularNetworkType

Values
Enum Value Description

TYPE_UNKNOWN

TYPE_2G

TYPE_3G

TYPE_4G

Example
"TYPE_UNKNOWN"

ConnectionOriginEnum

Description

TODO: add documentation

Values
Enum Value Description

ANY

REMOTE

SITE

Example
"ANY"

ConnectionTypeEnum

Values
Enum Value Description

Site

Host

User

Example
"Site"

ConnectivityStatus

Values
Enum Value Description

connected

Connected to the Cato Cloud

disconnected

Disconnected from the Cato Cloud
Example
"connected"

CountryRef

Fields
Field Name Description
id - ID!
name - String!
Example
{
  "id": "4",
  "name": "xyz789"
}

CountryRefInput

Fields
Input Field Description
input - String!
by - ObjectRefBy!
Example
{"input": "abc123", "by": "ID"}

CustomApplicationRef

Fields
Field Name Description
id - ID!
name - String!
Example
{
  "id": "4",
  "name": "abc123"
}

CustomApplicationRefInput

Fields
Input Field Description
by - ObjectRefBy!
input - String!
Example
{"by": "ID", "input": "xyz789"}

CustomCategoryRef

Fields
Field Name Description
id - ID!
name - String!
Example
{"id": 4, "name": "abc123"}

CustomCategoryRefInput

Fields
Input Field Description
by - ObjectRefBy!
input - String!
Example
{"by": "ID", "input": "xyz789"}

CustomService

Fields
Field Name Description
port - [Port!]!
portRange - PortRange
protocol - IpProtocol!
Example
{
  "port": [52975],
  "portRange": PortRange,
  "protocol": "ANY"
}

CustomServiceInput

Fields
Input Field Description
port - [Port!]
portRange - PortRangeInput
protocol - IpProtocol!
Example
{
  "port": [52975],
  "portRange": PortRangeInput,
  "protocol": "ANY"
}

DataLakeLicense

Fields
Field Name Description
description - String
plan - LicensePlan! License plan type
sku - LicenseSku! The license SKU
status - LicenseStatus! License activation status
startDate - DateTime License start date
expirationDate - DateTime! License expiration date
lastUpdated - DateTime The date of the last update to the license
dpaVersion - DpaVersion! The version of the Data Processing Agreement (DPA) that your company signed with Cato.
retentionPeriod - Int! Data retention period, in months, during which the account data may remain on the Cato Cloud. After this period the data will be permanently deleted.
total - Int! Total number of the Data Storage Units under this license. Each Data Storage Unit increases the allowed ingestion rate (events per hour and total events storage)
Example
{
  "description": "xyz789",
  "plan": "COMMERCIAL",
  "sku": "CATO_SITE",
  "status": "ACTIVE",
  "startDate": "2007-12-03T10:15:30Z",
  "expirationDate": "2007-12-03T10:15:30Z",
  "lastUpdated": "2007-12-03T10:15:30Z",
  "dpaVersion": "DPA_2019_01",
  "retentionPeriod": 123,
  "total": 123
}

DateTime

Description

2006-01-02T15:04:05Z07:00 (RFC3339)

Example
"2007-12-03T10:15:30Z"

DateValue

Fields
Field Name Description
date - DateTime
Example
{"date": "2007-12-03T10:15:30Z"}

DayOfWeek

Values
Enum Value Description

SUNDAY

MONDAY

TUESDAY

WEDNESDAY

THURSDAY

FRIDAY

SATURDAY

Example
"SUNDAY"

DetectionSourceEnum

Values
Enum Value Description

MICROSOFT_DEFENDER_FOR_ENDPOINT

ANTIVIRUS

SMART_SCREEN

CUSTOM_TI

MICROSOFT_DEFENDER_FOR_OFFICE365

AUTOMATED_INVESTIGATION

MICROSOFT_THREAT_EXPERTS

CUSTOM_DETECTION

MICROSOFT_DEFENDER_FOR_IDENTITY

CLOUD_APP_SECURITY

MICROSOFT365_DEFENDER

AZURE_AD_IDENTITY_PROTECTION

MANUAL

MICROSOFT_DATA_LOSS_PREVENTION

APP_GOVERNANCE_POLICY

APP_GOVERNANCE_DETECTION

Example
"MICROSOFT_DEFENDER_FOR_ENDPOINT"

DetectionStatusEnum

Values
Enum Value Description

DETECTED

BLOCKED

PREVENTED

Example
"DETECTED"

DeviceAvStatusEnum

Values
Enum Value Description

NOT_REPORTING

DISABLED

NOT_UPDATED

UPDATED

Example
"NOT_REPORTING"

DeviceConfigHaRoleEnum

Values
Enum Value Description

PRIMARY

SECONDARY

Example
"PRIMARY"

DeviceDetails

Fields
Field Name Description
id - ID!
deviceName - String
osDetails - OsDetails
loggedOnUsers - [EndpointUser!]!
Possible Types
DeviceDetails Types

CatoEndpointDeviceDetails

MicrosoftDeviceDetails

Example
{
  "id": 4,
  "deviceName": "abc123",
  "osDetails": OsDetails,
  "loggedOnUsers": [EndpointUser]
}

DeviceHaRoleStateEnum

Values
Enum Value Description

MASTER

BACKUP

Example
"MASTER"

DeviceHealthStatusEnum

Values
Enum Value Description

ACTIVE

INACTIVE

IMPAIRED_COMMUNICATION

NO_SENSOR_DATA

NO_SENSOR_DATA_IMPAIRED_COMMUNICATION

Example
"ACTIVE"

DeviceProfileRef

Fields
Field Name Description
id - ID!
name - String!
Example
{"id": 4, "name": "xyz789"}

DeviceProfileRefInput

Fields
Input Field Description
by - ObjectRefBy!
input - String!
Example
{"by": "ID", "input": "abc123"}

DeviceSnapshot

Fields
Field Name Description
id - ID Unique internal Cato ID for the Socket
name - String Name of the device
identifier - String Unique identifier for the device
connected - Boolean A boolean value that indicates if the site is connected to the Cato Cloud
haRole - String Shows if this is the primary or secondary Socket in high availability mode
interfaces - [InterfaceSnapshot!] Snapshot data for outbound facing interfaces
lastConnected - DateTime The last time the device was seen
lastDuration - Int The uptime of the last tunnel from this device (or current), in seconds
connectedSince - DateTime For connected devices (this somewhat overlaps with lastDuration)
lastPopID - Int The ID of the PoP that the Socket is connected to
lastPopName - String The PoP name that the Socket is connected to
recentConnections - [RecentConnection!] Data related to the most recent completed traffic flows
type - String Shows the Socket model or vSocket type
socketInfo - SocketInfo Shows data related to the Socket, such as version and serial number
interfacesLinkState - [InterfaceLinkState!] Information on the link state of the various interfaces in the device. Unlike the interfaces field, it contains all links of the device, not just the outbound facing ones
osType - String Operating system of the Device.
osVersion - String Version of the Socket operating system
version - String Device version
versionNumber - Int Device major version
releaseGroup - String Shows the release group for the site
mfaExpirationTime - Int Shows the amount of time remaining before the MFA token expires
mfaCreationTime - Int The time the MFA cookie (for SDP users) was created
internalIP - String Device's internal IP in the account's routing table
Example
{
  "id": 4,
  "name": "abc123",
  "identifier": "xyz789",
  "connected": false,
  "haRole": "xyz789",
  "interfaces": [InterfaceSnapshot],
  "lastConnected": "2007-12-03T10:15:30Z",
  "lastDuration": 987,
  "connectedSince": "2007-12-03T10:15:30Z",
  "lastPopID": 987,
  "lastPopName": "xyz789",
  "recentConnections": [RecentConnection],
  "type": "abc123",
  "socketInfo": SocketInfo,
  "interfacesLinkState": [InterfaceLinkState],
  "osType": "abc123",
  "osVersion": "abc123",
  "version": "abc123",
  "versionNumber": 987,
  "releaseGroup": "xyz789",
  "mfaExpirationTime": 123,
  "mfaCreationTime": 123,
  "internalIP": "abc123"
}

DhcpType

Values
Enum Value Description

DHCP_RELAY

DHCP_RANGE

ACCOUNT_DEFAULT

DHCP_DISABLED

Example
"DHCP_RELAY"

Dimension

Fields
Input Field Description
fieldName - AppStatsFieldName!
Example
{"fieldName": "app"}

DimensionData

Fields
Field Name Description
label - String! Type of the dimension
value - String String value of the dimension
Example
{
  "label": "xyz789",
  "value": "abc123"
}

DimensionKey

Fields
Field Name Description
fieldName - String! Dimension field
value - String String value of the dimension
Example
{
  "fieldName": "xyz789",
  "value": "abc123"
}

DirectionEnum

Values
Enum Value Description

asc

desc

Example
"asc"

DirectionInput

Values
Enum Value Description

asc

desc

Example
"asc"

DlpLicense

Description

Data Loss Prevention (DLP) Service license details

Fields
Field Name Description
description - String
plan - LicensePlan! License plan type
sku - LicenseSku! The license SKU
status - LicenseStatus! License activation status
startDate - DateTime License start date
expirationDate - DateTime! License expiration date
lastUpdated - DateTime The date of the last update to the license
Example
{
  "description": "abc123",
  "plan": "COMMERCIAL",
  "sku": "CATO_SITE",
  "status": "ACTIVE",
  "startDate": "2007-12-03T10:15:30Z",
  "expirationDate": "2007-12-03T10:15:30Z",
  "lastUpdated": "2007-12-03T10:15:30Z"
}

Domain

Description

Top level domain is actually the second level domain (e.g. example.com). It is recommended to use it as a broad way of distinguishing domains, because they frequently use multiple hosts.

Example
Domain

DpaVersion

Description

The DPA agreement, based on your contract with Cato

Values
Enum Value Description

DPA_2019_01

DPA_2021_01

DPA_2023_01

Example
"DPA_2019_01"

ElasticOperator

Description

Search operators on ElasticSearch. The between operators are applicable only to numeric fields. Note that the not operators are slower.

Values
Enum Value Description

is

is_not

in

not_in

exists

not_exists

between

not_between

Example
"is"

Endpoint

Fields
Field Name Description
id - ID! Unique Cato ID for the story
firstSignal - DateTime! Timestamp for the first incident signal related to this story
lastSignal - DateTime! Timestamp for the last (most recent) incident signal related to this story
engineType - StoryEngineTypeEnum XDR engine involved with the incident
vendor - VendorEnum Vendor that identified the incident, such as Cato or Microsoft
producer - StoryProducerEnum! Enum for the Producer (specific XDR engine and service) involved with the incident
producerName - String! Full name of the Producer (specific XDR engine and service) involved with the incident
connectionType - ConnectionTypeEnum Enum for the connection for this incident (i.e. site, host, user)
indication - String! An indication is a set of actions and behaviors for the Network or Security incident. Each producer has different indications.
queryName - String Category for the indication ID related to the story
source - String IP address, name of device, or SDP user on your network involved in the story
criticality - Int
ticket - String
status - StoryStatusEnum
research - Boolean
siteName - String
storyDuration - Int
description - String
sourceIp - String
analystFeedback - AnalystFeedback
site - SiteRef
user - UserRef
similarStoriesData - [SimilarStoryData!]!
predictedVerdict - StoryVerdictEnum
predictedThreatType - String
device - DeviceDetails
alerts - [EndpointAlert!]!
Possible Types
Endpoint Types

CatoEndpoint

MicrosoftEndpoint

Example
{
  "id": 4,
  "firstSignal": "2007-12-03T10:15:30Z",
  "lastSignal": "2007-12-03T10:15:30Z",
  "engineType": "ANOMALY",
  "vendor": "CATO",
  "producer": "AnomalyStats",
  "producerName": "xyz789",
  "connectionType": "Site",
  "indication": "xyz789",
  "queryName": "abc123",
  "source": "abc123",
  "criticality": 123,
  "ticket": "abc123",
  "status": "Open",
  "research": true,
  "siteName": "abc123",
  "storyDuration": 987,
  "description": "abc123",
  "sourceIp": "xyz789",
  "analystFeedback": AnalystFeedback,
  "site": SiteRef,
  "user": UserRef,
  "similarStoriesData": [SimilarStoryData],
  "predictedVerdict": "Suspicious",
  "predictedThreatType": "abc123",
  "device": DeviceDetails,
  "alerts": [EndpointAlert]
}

EndpointAlert

Fields
Field Name Description
id - ID!
title - String
description - String
threatName - String
mitreTechnique - [Mitre!]!
mitreSubTechnique - [Mitre!]!
createdDateTime - DateTime
resources - [EndpointResource!]!
activities - [Activity!]!
criticality - Int
Possible Types
EndpointAlert Types

CatoEndpointAlert

MicrosoftDefenderEndpointAlert

Example
{
  "id": 4,
  "title": "abc123",
  "description": "xyz789",
  "threatName": "xyz789",
  "mitreTechnique": [Mitre],
  "mitreSubTechnique": [Mitre],
  "createdDateTime": "2007-12-03T10:15:30Z",
  "resources": [EndpointResource],
  "activities": [Activity],
  "criticality": 123
}

EndpointProtectionLicense

Description

Endpoint Protection (EPP) license details

Fields
Field Name Description
description - String
plan - LicensePlan! License plan type
sku - LicenseSku! The license SKU
status - LicenseStatus! License activation status
startDate - DateTime License start date
expirationDate - DateTime! License expiration date
lastUpdated - DateTime The date of the last update to the license
total - Int! The maximum number of users that can use this service
Example
{
  "description": "xyz789",
  "plan": "COMMERCIAL",
  "sku": "CATO_SITE",
  "status": "ACTIVE",
  "startDate": "2007-12-03T10:15:30Z",
  "expirationDate": "2007-12-03T10:15:30Z",
  "lastUpdated": "2007-12-03T10:15:30Z",
  "total": 987
}

EndpointResource

Fields
Field Name Description
id - ID!
createdDateTime - DateTime
remediationStatus - RemediationStatusEnum
Example
{
  "id": 4,
  "createdDateTime": "2007-12-03T10:15:30Z",
  "remediationStatus": "REMEDIATED"
}

EndpointUser

Fields
Field Name Description
id - ID!
name - String!
Possible Types
EndpointUser Types

CatoEndpointUser

MicrosoftEndpointUser

Example
{
  "id": "4",
  "name": "xyz789"
}

EngineTypePredicate

Fields
Input Field Description
in - [StoryEngineTypeEnum!]
not_in - [StoryEngineTypeEnum!]
Example
{"in": ["ANOMALY"], "not_in": ["ANOMALY"]}

Entity

Fields
Field Name Description
id - ID!
name - String
type - EntityType!
Example
{
  "id": 4,
  "name": "xyz789",
  "type": "country"
}

EntityInfo

Fields
Field Name Description
entity - Entity!
description - String!
helperFields - Map!
Example
{
  "entity": Entity,
  "description": "abc123",
  "helperFields": Map
}

EntityInput

Fields
Input Field Description
id - ID!
name - String
type - EntityType!
Example
{
  "id": "4",
  "name": "xyz789",
  "type": "country"
}

EntityLookupResult

Fields
Field Name Description
items - [EntityInfo!]!
total - Int
Example
{"items": [EntityInfo], "total": 123}

EntityType

Values
Enum Value Description

country

Geographical and political entity recognized internationally

countryState

Represents a state or territory within a country. It is a sub-division of the country

timezone

Time zone, which is a geographical region where clocks are set to the same time

site

A reference to a configured Site within Account

host

A reference to the configured Host within Site

any

Any entity (matches everything)

account

A reference to a configured Account under reseller

networkInterface

A reference to the configured Network Interface within Site

vpnUser

A reference to the configured VPN User within Account

admin

An account administrator (user in Cato Console)

localRouting

A reference to Local Routing Rule within Site

lanFirewall

A reference to LAN Firewall Rule within Site

allocatedIP

An external IP address in a specific PoP reserved for the account

siteRange

Union of the globalRange and a Subnet

simpleService

L4 services for LAN firewall rules

availableSiteUsage

Site licenses available for use

availablePooledUsage

Pooled licenses available for use

dhcpRelayGroup

A reference to DHCP Relay Group within account

portProtocol

Combination of protocol (TCP, UDP, TCP/UDP, ICMP) and port number

city

A settlement with over 1K population

groupSubscription

mailingListSubscription

webhookSubscription

Example
"country"

Event

Fields
Field Name Description
signatureId - String
eventType - String
threatType - String
threatName - String
severity - String
action - String
ruleId - String
virusName - String
scanResult - ScanResult
appId - String
appName - String
dnsProtectionCategory - String
Example
{
  "signatureId": "abc123",
  "eventType": "abc123",
  "threatType": "xyz789",
  "threatName": "xyz789",
  "severity": "xyz789",
  "action": "xyz789",
  "ruleId": "abc123",
  "virusName": "xyz789",
  "scanResult": "VIRUS_FOUND",
  "appId": "abc123",
  "appName": "xyz789",
  "dnsProtectionCategory": "xyz789"
}

EventFeedFieldFilterInput

Fields
Input Field Description
fieldName - EventFeedFilterFieldName!
operator - EventFeedFilterOperator! Use event_type and event_sub_type for events
values - [String!]
Example
{
  "fieldName": "event_sub_type",
  "operator": "is",
  "values": ["xyz789"]
}

EventFeedFilterFieldName

Values
Enum Value Description

event_sub_type

Sub-type for Routing, Security, Connectivity, System or Sockets Management event

event_type

Routing, Security, Connectivity, System or Sockets Management event
Example
"event_sub_type"

EventFeedFilterOperator

Description

Search operators on Event Feed

Values
Enum Value Description

is

is_not

in

not_in

Example
"is"

EventField

Fields
Field Name Description
name - EventFieldName!
value - Value!
Example
{"name": "src_site", "value": StringValue}

EventFieldName

Values
Enum Value Description

src_site

Name of site or user initiating the connection; use src_site_id/src_site_name instead

src_site_id

Unique internal Cato ID for the site or remote user

user_id

User ID

dest_site

For WAN traffic, name of destination site or SDP user; use dest_site_id/dest_site_name instead

dest_site_id

Unique internal Cato ID for the destination site or remote user

src_or_dest_site_id

Source or destination site or remote user ID. This field can only be used in filter.

rule

Name of security rule related to the event; use rule_name instead

ISP_name

The ISP related to this event (when the IP address isn't provided by the ISP, the event message is "IP addresses are assigned statically")

socket_interface

Name for Socket interface

custom_category

Name for the custom category defined in the Cato Management Application; use custom_category_id/custom_category_name instead

directory_host_name

Host name of Domain Controller that created LDAP event

dest_port

For Internet traffic, destination host port

bgp_peer_asn

BGP ASN for remote peer

user_reference_id

For Block/Prompt page, reference ID to report incorrect category

src_port

Internal port number

link_health_pkt_loss

Data that measures the packet loss for a specific link

pop_name

Name of PoP location

host_ip

IP address of host related to event

event_message

Cato's description of the event

src_site_name

Source site or remote user

domain_name

Domain name based on the SSL SNI, HTTP host name, or DNS name

dest_ip

For Internet traffic, destination host IP address

file_hash

File hash

src_isp_ip

IP address provided by ISP to site or Client

authentication_type

Examples: MFA or password

rule_name

Rule name

directory_sync_result

Result of LDAP Domain Controller sync event

host_mac

MAC address of host related to event

threat_type

Type of malware event

threat_verdict

Result of malware event (clean indicates a safe file)

device_name

Name for device related to the event

link_type

Link type – Cato, Alt. WAN or LAG

login_type

Login action, values are: User portal (myvpn.catonetworks.com) or VPN client (Client or site traffic)

configured_host_name

For hosts configured with a static IP in the Cato Management Application, the host name

internalId

Cato Internal-use only

directory_sync_type

Type of LDAP Domain Controller sync event

vpn_user_email

User’s email address

client_class

Type of process generating this traffic

incident_aggregation

For MDR service, a true/false value that indicates if this event is a summary that aggregates many events (true) or the raw network flows for a single event (false)

socket_reset

Type of Socket reset (Hardware/Software)

user_name

User that generated the event

client_version

Socket or SDP Client version

file_size

File size

registration_code

Registration code used the first time that an SDP user authenticates (the code is partially obfuscated)

bgp_error_code

BGP disconnect error code

bgp_peer_description

Description from Cato Management Application for BGP peer

threat_name

For anti-malware events, the malware name. For IPS events, explains the reason why the traffic was blocked

qos_reported_time

For QoS, the time that this QoS event started. The event is generated when the QoS event finishes

ip_protocol

Network protocol for this event

bgp_cato_asn

BGP ASN for Cato peer

src_ip

IP for host or Cato Client

threat_reference

Link to external malware reference

action

Firewall, QoS or LAG action

windows_domain_name

For LDAP sync events, name of the AD domain

risk_level

(IPS or SAM event) Indicates the overall impact of a threat for the host or network: Low (e.g. adware), Medium (e.g. network scans), High (e.g. spyware or worms)

socket_old_version

For Socket upgrade, previous version number

link_health_latency

Data that measures the latency for a specific link

tunnel_protocol

Protocol for the tunnel

socket_new_version

For Socket upgrades, new version number

link_health_jitter

Data that measures the jitter for a specific link

upgrade_start_time

Socket upgrade start time (Linux epoch format)

bgp_cato_ip

BGP IP for Cato peer

categories

Cato system category

rule_id

Unique Cato ID for the security rule related to the event

socket_role

For Socket HA events, indicates if the Socket is primary or secondary

targets_cardinality

Number of targets (servers) associated with this event

upgrade_initiated_by

Indicates if the Socket upgrade occurred during the maintenance window or initiated by Support (Cato Admin)

dest_is_site_or_vpn

For WAN traffic, destination is site or SDP user

bgp_peer_ip

BGP IP for remote peer

src_is_site_or_vpn

Source type: site or remote user

ad_name

Active Directory name

user_awareness_method

Method used to get identity with User Awareness (such as Identity Agent)

link_health_is_congested

Data that measures the congestion for a specific link

subnet_name

Name of subnet as defined in Cato Management Application

os_version

OS version for the device (such as 14.3.0)

event_sub_type

Sub-type for Routing, Security, Connectivity, System or Sockets Management event

os_type

Host OS or tunnel device

traffic_direction

Direction of network traffic for this event, values are inbound or outbound

bgp_suberror_code

BGP disconnect error message

bgp_route_cidr

CIDR for BGP route

incident_id

Unique Cato ID that identifies this security incident

application

For Internet firewall, app for this event; use application_id/application_name instead

application_name

Application of the flow

upgrade_end_time

Socket upgrade end time (Linux epoch format)

socket_interface_id

Socket interface ID

custom_categories

Unique Cato ID for the custom category; use custom_category_id/custom_category_name instead

custom_category_id

Custom category ID

custom_category_name

Custom category name

src_country

Country in which the source host is located (detected via public IP address)

src_country_code

Country Code of country in which the source host is located (detected via public IP address)

event_count

Count for events that are repeated multiple times during one minute

file_name

File name

directory_ip

IP address of Domain Controller that created LDAP event

time

Time stamp of event (Linux epoch format)

url

URL associated with the event

dest_country

For Internet traffic, country where the destination host is located

dest_country_code

For Internet traffic, the two letter country code where the destination host is located (based on ISO 3166-1 alpha-2)

flows_cardinality

Amount of flows for a given incident

dest_site_name

For Internet traffic, destination host IP address

event_type

Routing, Security, Connectivity, System or Sockets Management event

account_id

Account ID

signature_id

For IPS and SAM, ID of the IPS signature

client_cert_expires

Expiration date for Client certificate

client_cert_name

Name of Client certificate

is_sanctioned_app

Is the app for this event defined as a sanctioned app? (True/False)

app_activity

Name of application activity

device_posture_profile

Device posture profiles

device_posture_profiles

Device posture profiles; use device_posture_profile instead

full_path_url

Full path URL application activity

application_risk

Application risk score

mitre_attack_techniques

Mitre attack techniques

mitre_attack_subtechniques

Mitre attack subtechniques

mitre_attack_tactics

Mitre attack tactics

indicator

Indicator

connector_type

For SaaS Security API, SaaS app for the connector

connector_name

For SaaS Security API, name of the connector

parent_connector_name

For SaaS Security API, parent Microsoft 365 connector

file_type

File type

dlp_profiles

DLP profiles related to the event

matched_data_types

Matched DLP data types related to the event

severity

Severity defined for the rule

owner

For SaaS Security API, email address of the file owner

collaborators

For SaaS Security API, email addresses of the users that received the file

email_subject

Email Subject

sharing_scope

Sharing Options for the file (such as SharePoint)

dns_protection_category

Cato’s DNS Protection type that matched the DNS request

final_object_status

object_name

object_type

alert_id

vendor

vendor_user_id

status

classification

quarantine_folder_path

title

recommended_actions

pid

use src_pid instead

parent_pid

use src_process_parent_pid instead

process_path

use src_process_path instead

failure_reason

out_of_band_access

logged_in_user

http_request_method

HTTP request method (e.g. GET, POST)

xff

XFF HTTP header indicates the original IP address for the connections

dns_query

Domain queried in the DNS request

key_name

Name defined for the public API Key in the Cato Management Application

api_type

api_name

app_stack

Related Apps

tls_certificate_error

TLS Certificate Error

tls_version

TLS Version

tls_error_type

TLS Error Type

tls_error_description

TLS Error Description

cato_app

Cato App

prompt_action

Prompt Page Selected Action

device_id

Unique Cato ID for devices

visible_device_id

Unique Cato Visible ID for devices

auth_method

Connectivity authentication method: unauthenticated, OATH2, LDAP or VPN

bypass_method

Always-On Bypass Method

bypass_duration_sec

Always-On Bypass Duration In Seconds

bypass_reason

Always-On Bypass Reason

sign_in_event_types

Sign In Types

tenant_id

Tenant Id

tenant_name

Tenant Name

user_agent

User Agent

vendor_event_id

Vendor Event Id

vendor_device_id

Vendor Device Id

vendor_device_name

Vendor Device Name

is_compliant

Is Compliant

is_managed

Is Managed

trust_type

Trust Type

confidence_level

Confidence Level

dlp_scan_types

Data Classifiers

network_access

Network Access

analyst_verdict

Analyst Verdict

criticality

Criticality

indication

Indication

producer

Producer

story_id

Story Id

raw_data

Raw Data

trigger

Trigger

split_tunnel_configuration

Split Tunnel Configuration

pac_file

Pac File Enabled/Disabled

always_on_configuration

Always-on Configuration

vpn_lan_access

Lan access Allowed / Blocked

connect_on_boot

Connect on boot Enabled/Disabled

trusted_networks

Trusted networks Enabled/Disabled

office_mode

Office mode Enabled/Disabled

device_certificate

Device Certificate Validated/Not Validated

tunnel_ip_protocol

Tunnel Protocol TCP/UDP
Example
"src_site"

EventRecord

Fields
Field Name Description
time - DateTime
fieldsMap - Map fields in map format (see Map scalar)
flatFields - [String!] Simplified fields, as an array of name/value tuples, e.g. [ [ "name", "val" ], [ "name2", "val2" ] ... ]
Example
{
  "time": "2007-12-03T10:15:30Z",
  "fieldsMap": Map,
  "flatFields": ["abc123"]
}

Events

Fields
Field Name Description
id - ID
from - DateTime
to - DateTime
total - Int
totals - Map
records - [EventsRecord!]
Arguments
limit - Int
from - Int
Example
{
  "id": "4",
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "total": 123,
  "totals": Map,
  "records": [EventsRecord]
}

EventsDimension

Fields
Input Field Description
fieldName - EventFieldName!
Example
{"fieldName": "src_site"}

EventsFeedAccountRecords

Fields
Field Name Description
id - ID
errorString - String
records - [EventRecord!]
Arguments
fieldNames - [EventFieldName!]
Example
{
  "id": 4,
  "errorString": "xyz789",
  "records": [EventRecord]
}

EventsFeedData

Fields
Field Name Description
marker - String
fetchedCount - Int!
accounts - [EventsFeedAccountRecords]
Example
{
  "marker": "xyz789",
  "fetchedCount": 987,
  "accounts": [EventsFeedAccountRecords]
}

EventsFilter

Fields
Input Field Description
fieldName - EventFieldName!
operator - FilterOperator!
values - [String!]!
Example
{
  "fieldName": "src_site",
  "operator": "is",
  "values": ["xyz789"]
}

EventsMeasure

Fields
Input Field Description
fieldName - EventFieldName!
aggType - AggregationType!
trend - Boolean
Example
{"fieldName": "src_site", "aggType": "sum", "trend": true}

EventsRecord

Fields
Field Name Description
fields - [EventField!]
fieldsUnitTypes - [UnitType!]
fieldsMap - Map fields in map format (see Map scalar)
trends - Map
prevTimeFrame - Map
flatFields - [String!] Simplified fields, as an array of name/value tuples, e.g. [ [ "name", "val" ], [ "name2", "val2" ] ... ]
Example
{
  "fields": [EventField],
  "fieldsUnitTypes": ["bytes"],
  "fieldsMap": Map,
  "trends": Map,
  "prevTimeFrame": Map,
  "flatFields": ["abc123"]
}
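
The EventRecord and EventsRecord types above both expose the same two representations of an event (fieldsMap as a Map scalar, flatFields as name/value tuples), and EventsFeedData/EventsFeedAccountRecords wrap those records with a marker and a per-account errorString. The following is an added example, not code from Cato's documentation or SDK: it normalises either representation into a plain dict, surfaces per-account errors instead of dropping them, and resumes the feed from the marker. The GraphQL call itself is injected as a `fetch_page(marker)` callable (an assumption of this example; the real eventsFeed query is not shown here), and the sample pages and field values are constructed for the example.

```python
"""Normalise Cato eventsFeed records and walk the feed by marker.

Added example, not code from Cato's own documentation or SDK. It relies
only on the shapes documented on this page: EventsFeedData {marker,
fetchedCount, accounts[]}, EventsFeedAccountRecords {id, errorString,
records[]} and EventRecord {time, fieldsMap, flatFields}. The sample pages
below are constructed for the example; the values are not real events.
"""
import json
from typing import Any, Callable, Dict, Iterator, List, Optional


def flat_fields_to_dict(flat_fields: List[Any]) -> Dict[str, str]:
    """Turn flatFields ([["name","val"],["name2","val2"], ...]) into a dict.

    The schema declares flatFields as [String!], so each tuple may arrive
    either as a two-element list or as its JSON-encoded string form; both are
    accepted (assumption). Malformed entries are skipped rather than aborting
    the whole record, so one bad tuple cannot hide the rest of an event.
    """
    out: Dict[str, str] = {}
    for item in flat_fields:
        if isinstance(item, str):
            try:
                item = json.loads(item)
            except ValueError:
                continue
        if isinstance(item, (list, tuple)) and len(item) == 2:
            out[str(item[0])] = str(item[1])
    return out


def record_fields(record: Dict[str, Any]) -> Dict[str, str]:
    """Prefer fieldsMap (the Map scalar); fall back to flatFields."""
    fields = record.get("fieldsMap")
    if isinstance(fields, dict) and fields:
        return {str(k): str(v) for k, v in fields.items()}
    return flat_fields_to_dict(record.get("flatFields") or [])


def drain_feed(fetch_page: Callable[[Optional[str]], Dict[str, Any]],
               max_pages: int = 1000) -> Iterator[Dict[str, str]]:
    """Yield normalised records page by page, resuming from `marker`.

    `fetch_page(marker)` is caller-supplied: it issues the eventsFeed query
    with the given marker and returns the EventsFeedData object. A non-empty
    errorString on an account is yielded as its own item so a partial
    failure is visible to the consumer. The loop stops when a page reports
    fetchedCount 0, returns no marker, or repeats the previous marker, and
    max_pages guards against a feed that never terminates.
    """
    marker: Optional[str] = None
    for _ in range(max_pages):
        page = fetch_page(marker)
        for account in page.get("accounts") or []:
            account_id = str(account.get("id"))
            if account.get("errorString"):
                yield {"account_id": account_id,
                       "feed_error": str(account["errorString"])}
            for rec in account.get("records") or []:
                fields = record_fields(rec)
                fields.setdefault("time", str(rec.get("time")))
                fields["account_id"] = account_id
                yield fields
        new_marker = page.get("marker")
        if page.get("fetchedCount", 0) == 0 or not new_marker or new_marker == marker:
            return
        marker = new_marker


# Constructed sample pages (not real API output). Page 0 carries two records
# for account 1001 and an error for account 1002; page 1 is the empty tail.
_PAGES = [
    {"marker": "m1", "fetchedCount": 2, "accounts": [
        {"id": "1001", "errorString": None, "records": [
            {"time": "2007-12-03T10:15:30Z",
             "fieldsMap": {"event_type": "Security", "event_sub_type": "Internet Firewall",
                           "action": "Block", "src_ip": "10.0.0.5", "dest_port": "445"},
             "flatFields": None},
            {"time": "2007-12-03T10:15:31Z",
             "fieldsMap": None,
             "flatFields": [["event_type", "Connectivity"], ["event_sub_type", "Connected"],
                            "[\"src_site_name\", \"branch-1\"]", "garbage"]},
        ]},
        {"id": "1002", "errorString": "account not entitled", "records": []},
    ]},
    {"marker": "m2", "fetchedCount": 0, "accounts": []},
]


def fake_fetch_page(marker: Optional[str]) -> Dict[str, Any]:
    """Stand-in for the real eventsFeed call; serves the constructed pages."""
    return _PAGES[0 if marker is None else int(marker[1:])]  # "m1" -> page 1


def demo() -> List[Dict[str, str]]:
    """Drain the constructed feed and return every normalised item."""
    return list(drain_feed(fake_fetch_page))


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In a real consumer, `fetch_page` would wrap the eventsFeed query with the stored marker, and the returned marker must be persisted after each page so a restart resumes where the previous run stopped rather than replaying or skipping events.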

EventsSort

Fields
Input Field Description
fieldName - EventFieldName!
order - DirectionEnum!
Example
{"fieldName": "src_site", "order": "asc"}

EventsTimeSeries

Fields
Field Name Description
id - ID
from - DateTime
to - DateTime
granularity - Int
timeseries - [Timeseries!]
Arguments
buckets - Int!
Example
{
  "id": "4",
  "from": "2007-12-03T10:15:30Z",
  "to": "2007-12-03T10:15:30Z",
  "granularity": 987,
  "timeseries": [Timeseries]
}

Extra

Fields
Field Name Description
name - String!
type - String!
value - String!
Example
{
  "name": "xyz789",
  "type": "xyz789",
  "value": "xyz789"
}

FieldNameInput

Description

FieldName for the different types of FieldName inputs. Use EventFieldName for events, and AuditFieldName for audit

Fields
Input Field Description
EventFieldName - EventFieldName
AuditFieldName - AuditFieldName
Example
{"EventFieldName": "src_site", "AuditFieldName": "admin"}

FileDetails

Fields
Field Name Description
name - String
path - String
size - Int
sha1 - String
sha256 - String
md5 - String
issuer - String
signer - String
publisher - String
Example
{
  "name": "abc123",
  "path": "xyz789",
  "size": 123,
  "sha1": "abc123",
  "sha256": "xyz789",
  "md5": "abc123",
  "issuer": "xyz789",
  "signer": "xyz789",
  "publisher": "abc123"
}

FileResource

Fields
Field Name Description
id - ID!
createdDateTime - DateTime
remediationStatus - RemediationStatusEnum
fileDetails - FileDetails
detectionStatus - DetectionStatusEnum
Possible Types
FileResource Types

CatoFileResource

MicrosoftFileResource

Example
{
  "id": "4",
  "createdDateTime": "2007-12-03T10:15:30Z",
  "remediationStatus": "REMEDIATED