Viewing the Event Details page
You can view additional metadata and details for a network event that has been logged on the Events page. The metadata that is displayed depends on factors such as the type of network request that was made and how the ACL rules are configured. For example, DNS events display DNS-specific details and TLS events display TLS-specific details. Similarly, if network protection is enabled in an ACL rule, additional metadata is displayed. You can share the network event with other console users so that they can audit or investigate the destinations that the user tried to access. Console users must have the appropriate permissions to view the shared event. Use the copy link option on the Event Details page to copy the link to the event.
You can filter the logged network events using the following data filters:
Filter | Description |
---|---|
Event Overview | |
Event ID | This is a unique identifier for the network event for your tenant. |
Source IP | This is the private Gateway IP that was assigned to the endpoint tunnel during the event. |
Source port | This is the source port number of the connection on the endpoint side (the port that the endpoint tunnel used), not the port of the destination. |
DNS Query Name | This is the resource record (RR) name that the CylanceGATEWAY agent queried, for example the host name the endpoint was trying to resolve. |
DNS Query Type | This is the type of DNS query (for example, A, AAAA, TXT, or SRV record) that was sent to the DNS server. |
Destination | This is the destination of the event. The destination IP address is always included. The event may also show the network service name, or hostname if applicable. |
Destination port | This is the port of the destination that was being accessed. |
Private NAT Source IP | This is the source IP address of this event as it left the CylanceGATEWAY Connector for one of your private networks. If the source IP is not available or the feature has not been enabled, the filter displays "Unknown". The CylanceGATEWAY Connector system time must be accurate: if the connector's clock drifts, the NAT details reported by the connector might not be matched with the network event within the BlackBerry Infrastructure, and the field shows "Unknown" even though the feature is enabled. By default, the CylanceGATEWAY Connector uses Ubuntu's time server (ntp.ubuntu.com) for time synchronization, or you can specify a custom NTP server. If you use the Ubuntu time server, make sure that it can be reached from your private network. For more information, see Configure the CylanceGATEWAY Connector. The CylanceGATEWAY Connector sends the updated NAT details to the Event Details screen every minute. This feature is enabled by default. If the Private NAT Source details are not displayed in the Event Details page in the Cylance console, ensure that you have installed the latest CylanceGATEWAY Connector and restarted the connector. |
Private NAT Source Port | This is the source port of this event as it left the CylanceGATEWAY Connector for one of your private networks. If the port number is not available or the feature has not been enabled, the filter displays "Unknown". This feature is enabled by default. If the Private NAT Source details are not displayed in the Event Details page in the Cylance console, ensure that you have installed the latest CylanceGATEWAY Connector and restarted the connector. |
BlackBerry source IP | This is the IP address of this event as it left the BlackBerry Infrastructure . This BlackBerry source IP is not available for flows that do not use the CylanceGATEWAY tunnel (for example, Safe Mode). |
Tunnel source IP | This is the IP address of the endpoint as seen by the BlackBerry Infrastructure when it comes to the CylanceGATEWAY tunnel. |
Protocol | This is the protocol (Layer 4) that the network event used to access the destination. The protocol can be UDP or TCP. |
App protocol | This is the protocol (Layer 6 or 7), such as TLS, DNS, or HTTP that was used for the communication. |
Access Type | This is the access type (for example, Safe Mode or the Gateway tunnel) that the network event used to access the destination. |
Network Route | This indicates whether the traffic was routed over a public or a private connection. For private connections, you can filter by the connector group name and by each CylanceGATEWAY Connector. |
Connector | This is CylanceGATEWAY Connector that the network event is associated with. To view more information about the connector, click the connector name. |
Category | This is the category that is applied to the event. For example, if CylanceGATEWAY has identified the destination as potentially malicious, the category might display Dynamic Risk. For more information on the Dynamic Risk category, see Configuring network protection in the Setup content. The destination might also be categorized based on the content it contains, such as "Computer and Information Technology". For more information on categories for destination content, see Destination content categories in the Setup content. |
Subcategory | This is the network traffic subcategory description for the category that is associated with the destination. For more information on the subcategories that might be displayed if the category is Dynamic Risk, see Configuring network protection in the Setup content. For more information on the subcategories that might be displayed if the category is a destination content category, see Destination content categories in the Setup content. |
Start time (UTC) | This is the time when the network activity communication started. The time is displayed in UTC. |
End time (UTC) | This is the time when the network activity communication ended. The time is displayed in UTC. |
PID | This is the numerical process ID of the process that initiated the DNS request. The PID is reported by the Windows or macOS device when the agent is enabled with Safe Mode. |
Pathname | This is the path to the executable that the process was executed from. This is commonly displayed as the path to the svchost.exe. The path is truncated to 1024 characters. The path is reported by the Windows or macOS device when enabled with Safe Mode. |
Transferred | This is the number of bytes that were exchanged between the destination and the CylanceGATEWAY agent, displayed as the total of bytes uploaded to the destination and bytes downloaded from it. |
Packet flow | This is the number of packets that were sent between the destination and the CylanceGATEWAY agent. |
User | This is the username that the network event is associated with. You can filter the network events by a user's Active Directory username and display name. When you export the Events page, only the username is exported. You can click the username to view the events that are associated with the user. |
OS | This is the device that was used to initiate the network activity (for example, Android , iOS , macOS , or Windows ). |
Model | This is the model of the device (for example, iPhone , Samsung Galaxy , Google Pixel ). |
Device | This is the host name of the user's macOS or Windows device (for example, example.com). |
Action | This identifies whether the network event is allowed or blocked based on your network protection settings and the ACL rules that you have specified for the environment. Additional information for the action is included in the Action section. |
Action | |
Connection phase | This is the evaluation phase during which the properties of the access attempt were compared against the destinations and conditions of each ACL rule. One or more of the phases that were evaluated against the ACL rules (for example, DNS lookup, connection attempt, and TLS handshake) is displayed. |
Time (UTC) | This is the time when the network activity was evaluated with an ACL rule. The time is displayed in UTC. |
Applied rule | This is the name of the ACL rule that was applied in that phase of the evaluation. |
Action | This displays whether the action was allowed or blocked for evaluated phases. |
Alerts | |
Type | This identifies the anomaly that was triggered by the network activity with the associated network protection level that is specified. For more information on the supported anomalies, see Viewing network activity. |
Time (UTC) | This is the time that the network activity triggered the alert. The time is displayed in UTC. |
Category | This is the anomaly that triggered the alert. For more information on anomalies, see Viewing network activity. |
Signature | This is the signature of the anomaly that was triggered by the network event. |
Transferred | |
Downloaded | This is the total bytes of data that were sent from the destination to the CylanceGATEWAY agent. |
Uploaded | This is the total bytes of data that were sent from the CylanceGATEWAY agent to the destination. |
TLS | |
TLS version | This is the version of the TLS protocol that was used to connect to the destination. |
Client ALPN | This is the ALPN (Application-Layer Protocol Negotiation) extension that the CylanceGATEWAY agent sent to the destination in the TLS ClientHello, listing the application protocols the client offered (for example, h2 or http/1.1). |
Server ALPN | This is the ALPN protocol that the destination selected and returned to the CylanceGATEWAY agent in the TLS ServerHello. |
SNI | This is the host name of the destination that the CylanceGATEWAY agent attempted to connect to. |
Issuer | This is the issuer name of the certificate presented by the destination during the TLS handshake. |
Subject | This is the subject name of the certificate presented by the destination during the TLS handshake. |
Not valid before | This is the date before which the certificate is not valid. |
Not valid after | This is the date after which the certificate is not valid. |
HTTP Events | This reports the original plaintext, unencrypted HTTP flows for analysis and threat hunting. Note that encrypted (TLS) flows are not decrypted, so only HTTP that was sent in the clear is reported. A summary of the request and response details is displayed. The first three HTTP events of the total number of events are displayed, and a badge displays the total number of HTTP events that have been logged for the event. Click All HTTP Events to view all of the events on the Events Overview page. Click each event to view more details, such as header information. You cannot search or filter within the HTTP events at this time. The HTTP details are truncated. |
DNS | This reports the DNS query and all of the associated response details for the event. A summary of the request and response details is displayed, and a badge displays the total number of responses for the DNS query. |
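The fields above are what a responder works from when triaging exported events. The following added example (not part of the product or its documentation) shows the kind of first-pass triage a practitioner would run over an export: it counts blocked events by applied rule and connection phase, lists Dynamic Risk destinations, and flags allowed TLS events that negotiated a deprecated protocol version or whose server certificate was outside its Not valid before / Not valid after window at the event start time. The CSV layout, column names, and sample rows are constructed for illustration; the real export format is not shown on this page.

```python
"""Triage helper for exported CylanceGATEWAY network events.

Added example, not the product's own code. The CSV layout is an assumption:
column names follow the filter names in the Event Details table, but the
real export format is not documented here.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample export (not real data). Times are UTC, as on the Events page.
SAMPLE_EXPORT = """\
Event ID,Start time (UTC),Destination,Destination port,Protocol,App protocol,Category,Connection phase,Applied rule,Action,TLS version,SNI,Not valid before,Not valid after
ev-001,2024-05-01T10:00:00Z,203.0.113.10,443,TCP,TLS,Computer and Information Technology,TLS handshake,Allow corporate SaaS,allowed,TLS 1.3,portal.example.com,2024-01-01T00:00:00Z,2025-01-01T00:00:00Z
ev-002,2024-05-01T10:01:30Z,198.51.100.7,443,TCP,TLS,Dynamic Risk,DNS lookup,Block risky destinations,blocked,,,,
ev-003,2024-05-01T10:02:10Z,203.0.113.55,443,TCP,TLS,Computer and Information Technology,TLS handshake,Allow corporate SaaS,allowed,TLS 1.0,legacy.example.com,2023-01-01T00:00:00Z,2024-01-01T00:00:00Z
ev-004,2024-05-01T10:03:00Z,192.0.2.9,53,UDP,DNS,Computer and Information Technology,DNS lookup,Default,allowed,,,,
"""

# Protocol versions that should not be negotiated on an allowed connection.
WEAK_TLS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}


def parse_utc(value):
    """Parse an ISO-8601 UTC timestamp (the page's 'Time (UTC)' fields); '' -> None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(events):
    """Return the findings a responder would pull from the Event Details fields."""
    findings = {
        "blocked_by_rule_phase": Counter(),   # (Applied rule, Connection phase) -> count
        "dynamic_risk": [],                   # Event IDs categorised as Dynamic Risk
        "weak_tls": [],                       # allowed TLS events on a deprecated version
        "cert_invalid_at_start": [],          # allowed TLS events whose cert was not valid at start
    }
    for ev in events:
        eid = ev["Event ID"]
        if ev["Action"] == "blocked":
            findings["blocked_by_rule_phase"][(ev["Applied rule"], ev["Connection phase"])] += 1
        if ev["Category"] == "Dynamic Risk":
            findings["dynamic_risk"].append(eid)
        if ev["App protocol"] == "TLS" and ev["Action"] == "allowed":
            if ev["TLS version"] in WEAK_TLS:
                findings["weak_tls"].append((eid, ev["SNI"], ev["TLS version"]))
            start = parse_utc(ev["Start time (UTC)"])
            nvb = parse_utc(ev["Not valid before"])
            nva = parse_utc(ev["Not valid after"])
            # Compare against the event start time, not "now": the export may be days old.
            if start and nvb and nva and not (nvb <= start <= nva):
                findings["cert_invalid_at_start"].append((eid, ev["SNI"]))
    return findings


if __name__ == "__main__":
    for name, result in triage(load_events(SAMPLE_EXPORT)).items():
        print(name, result)
```

The certificate check is evaluated at the event's own Start time (UTC) rather than at the time the script runs, because an exported event may be reviewed long after the connection happened; a certificate that was valid when the handshake occurred should not be reported as expired just because the review is late.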