You should read this post first then check on the difference in the query from this post.
The major change below is that unrated websites are now classified as UNRATED. I should have caught this when I was writing the original post but in my testing I did not have many of the unrated items showing up and it didn’t show up on my radar.
_index=security_logs _sourceCategory=fw_security "subtype=webfilter"
| parse " catdesc=\"*\"" as category nodrop
| parse " error=\"*\"" as error nodrop
| keyvalue regex "=(\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}) " keys "srcip"
| keyvalue regex "=(\d+) " keys "sentbyte", "rcvdbyte"
// Line below does the work
| if (error matches "unknown", "UNRATED", category) as category
| sentbyte+rcvdbyte as bytes
| sum(bytes) as bytes by category
| where bytes >=500
| sort by bytes
| limit 20