Viewing the Event Details page
You can view additional metadata and details for a network event that has been logged on the Events page. The metadata displayed depends on several factors such as the type of network request that is made and how you configured the ACL rules. For example, DNS events display DNS-specific details and TLS events display TLS-specific details. Similarly, if network protection is enabled in an ACL rule, additional metadata is displayed. You can share the network event with other console users to audit or investigate the destinations that the user has tried to access. Console users must have the appropriate permissions to view the shared event. Click to copy the link to the event.

You can filter the logged network events using the following data filters:
Filter | Description |
---|---|
Event Overview | |
Event ID | This is a unique identifier for the network event for your tenant. |
Source | This is the private Gateway IP that was assigned to the endpoint tunnel during the event. |
Source port | This is the port number of the destination. |
DNS Query Name | This is the Resource Requested (RR) name of the DNS server that the CylanceGATEWAY agent queried. |
DNS Query Type | This is the type of DNS query (for example, A, AAAA, or SRV record) that was sent to the DNS server. |
Destination | The destination IP address is always included. The event may also show the network service name, or hostname if applicable. |
Destination port | This is the port of the destination that was being accessed. |
Protocol | This is the protocol (Layer 4) that the network event used to access the destination. The protocol can be UDP or TCP. |
App protocol | This is the protocol (Layer 6 or 7), such as TLS or DNS, that was used for the communication. |
Network Route | This identifies whether the traffic was routed over a public or a private connection. For private connections, the CylanceGATEWAY Connector is identified. |
Start time (UTC) | This is the time when the network activity communication started. The time is displayed in UTC. |
End time (UTC) | This is the time when the network activity communication ended. The time is displayed in UTC. |
Transferred | This is the number of bytes that were exchanged between the destination and the CylanceGATEWAY agent. It is displayed as the total bytes uploaded and downloaded. |
Packet flow | This is the number of packets that were sent between the destination and the CylanceGATEWAY agent. |
User | This is the username that the network event is associated with. You can filter the network events by a user's Active Directory username and display name. When you export the Events page, only the username is exported. You can click the username to view the events that are associated with the user. |
Platform | This is the device that was used to initiate the network activity (for example, Android, iOS, macOS, or Windows). |
Model | This is the model of the device (for example, iPhone, Samsung Galaxy, Google Pixel). |
Device | This is the host name of the user's macOS or Windows device (for example, example.com). |
Action | This identifies whether the network event is allowed or blocked based on your network protection settings and the ACL rules that you have specified for the environment. Additional information for the action is included in the Action section. |
Action | |
Connection phase | This is the evaluation phase when the access attempt properties were compared against the destinations and conditions of each ACL rule. One or more of the phases that were evaluated against the ACL rules (for example, DNS lookup, connection attempt, and TLS handshake) are displayed. |
Time (UTC) | This is the time when the network activity was evaluated with an ACL rule. The time is displayed in UTC. |
Applied rule | This is the name of the ACL rule that was applied at the time of the evaluation during the various phases of the ACL rules. |
Action | This displays whether the action was allowed or blocked for evaluated phases. |
Alerts | |
Type | This identifies the anomaly that was triggered by the network activity with the associated network protection level that is specified. For more information on the supported anomalies, see Viewing network activity. |
Time (UTC) | This is the time that the network activity triggered the alert. The time is displayed in UTC. |
Category | This is the anomaly that triggered the alert. For more information on anomalies, see Viewing network activity. |
Signature | This is the signature anomaly that was triggered by the network event. |
Transferred | |
Downloaded | This is the total bytes of data that were sent from the destination to the CylanceGATEWAY agent. Abnormal download volumes can be a sign of exfiltration attempts or malicious software installed on the device. |
Uploaded | This is the total bytes of data that were sent from the server destination to the CylanceGATEWAY agent. Abnormal upload volumes can be a sign of exfiltration attempts or malicious software installed on the device. |
TLS | |
TLS version | This is the version of the TLS protocol that was used to connect to the destination. |
Client ALPN | This is the ALPN header information that was sent to the CylanceGATEWAY agent from the destination. |
Server ALPN | This is the header information that was sent from the destination to the CylanceGATEWAY agent. |
SNI | This is the host name of the destination that the CylanceGATEWAY agent attempted to connect to. |
Issuer | This is the certificate presented by the destination. |
Subject | This is the name of the rule that was applied at the time of the evaluation during the various phases (for example, DNS lookup, connection establishment, and TLS handshake) in relation to the ACL rules. |
Not valid before | This is the date before which the certificate is not valid. |
Not valid after | This is the date after which the certificate is not valid. |
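
The following triage sketch is an added example, not BlackBerry code. It shows how the Transferred and TLS fields above can be checked together once events are available as records. The record layout (dictionary keys named after the field labels, ISO 8601 timestamps), the sample events, and the 10x-median threshold are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

VALID_FROM, VALID_TO = "2024-01-01T00:00:00+00:00", "2025-01-01T00:00:00+00:00"
START = "2024-03-01T10:00:00+00:00"

def _ev(eid, user, uploaded, nvb=None, nva=None):
    """Build one constructed event; keys mirror the field labels in the table."""
    return {"Event ID": eid, "User": user, "Start time (UTC)": START,
            "Uploaded": uploaded, "Not valid before": nvb, "Not valid after": nva}

# Constructed sample data, not real CylanceGATEWAY output.
EVENTS = [
    _ev("E1", "alice", 1200, VALID_FROM, VALID_TO),
    _ev("E2", "alice", 900, VALID_FROM, VALID_TO),
    _ev("E3", "alice", 1500, VALID_FROM, VALID_TO),
    _ev("E4", "alice", 50_000_000, VALID_FROM, VALID_TO),        # unusually large upload
    _ev("E5", "bob", 2000, VALID_FROM, "2024-02-01T00:00:00+00:00"),  # cert expired before start
    _ev("E6", "bob", 80),                                        # DNS event, no TLS fields
]

def cert_invalid_at_start(ev):
    """True when the event started outside the certificate validity window."""
    nvb, nva = ev.get("Not valid before"), ev.get("Not valid after")
    if not nvb or not nva:          # non-TLS events carry no certificate dates
        return False
    start = datetime.fromisoformat(ev["Start time (UTC)"])
    return not (datetime.fromisoformat(nvb) <= start <= datetime.fromisoformat(nva))

def upload_outliers(events, factor=10):
    """Event IDs whose Uploaded bytes exceed factor x the user's median upload."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["User"]].append(ev["Uploaded"])
    baseline = {user: median(vals) for user, vals in by_user.items()}
    return {ev["Event ID"] for ev in events
            if ev["Uploaded"] > factor * baseline[ev["User"]]}

def triage(events):
    """Map each suspicious Event ID to the list of reasons it was flagged."""
    outliers, findings = upload_outliers(events), {}
    for ev in events:
        reasons = []
        if ev["Event ID"] in outliers:
            reasons.append("upload_outlier")
        if cert_invalid_at_start(ev):
            reasons.append("cert_not_valid_at_start")
        if reasons:
            findings[ev["Event ID"]] = reasons
    return findings

if __name__ == "__main__":
    for event_id, reasons in triage(EVENTS).items():
        print(event_id, reasons)
```

A flagged Event ID can then be opened on the Event Details page to review the applied rule, connection phase, and any alerts for that event.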