Viewing network activity Skip Navigation
  1. BlackBerry Docs
  2. Cylance Endpoint Security
  3. Administration
  4. Cylance Endpoint Security Administration Guide
  5. Monitoring network connections with CylanceGATEWAY
  6. Viewing network activity

Viewing network activity

CylanceGATEWAY
 logs all network activity for devices that have Work Mode enabled. The network activity log records the user, device model and OS, hostname, destination, date and time, and other details about each attempted connection event. If Traffic privacy is enabled in an ACL rule, the network access attempts that the rule applies to are not logged on the Network Events screen or sent to the SIEM solution or syslog server, if configured.
If a connection is identified as a potential threat, the
Anomaly
 column specifies the type of threat detected.
  • Behavioral risk
     anomalies are potential threats based on unusual user behavior (for example, when a user's upload and download volume are not consistent with past behavior). Behavioral risk anomalies do not block user traffic.
  • DNS Tunneling
     anomalies are potential threats based on analysis of the DNS traffic from the client to the attacker's DNS server (for example, when a host is infected, the malware can initiate a command and control (C2) channel with its creator to attempt to exfiltrate data).
  • Reputation
     anomalies are potential threats from addresses on the
    BlackBerry
     list of unsafe Internet destinations and are detected by destination reputation. Each destination is assigned a risk score. You can configure the risk level of the destination reputations to block.
  • Signature detection
     anomalies refer to potential threats detected by intrusion protection. Signature-based detection is a methodology used to detect known malware that are stored as a part of a database. When a new malware signature is identified, cybersecurity experts will add the signature to a database. 
  • Zero Day Detection
     anomalies refer to newly identified malicious destinations that have not been identified previously. After they are identified, these destinations are assigned a risk score. They are subsequently blocked or alerted upon based on the risk level that you set for your network protection. For more information, see Configure network protection settings in the
    Cylance Endpoint Security
     Setup content.
To view the network activity log in the management console, on the menu bar, click
CylanceGATEWAY > Events
.
To view the details of a network event, click the activity log row. For more information on the event details, see Viewing the Event Details page.
To filter any column, click at the top of the column.
To perform a free form search, click and type the search query. As you type the characters in the search field, you can select from the displayed matching options.
To change which columns are displayed, click at the right side of the column headings.
To change the order of events columns, drag the column to where you want it to appear. 
To export the network activity information to a .csv file, click The Export icon. Select to export everything or only the filtered network activity and click
Export
.