Viewing the Event Details page

You can view additional metadata and details for a network event that has been logged on the Events page. The metadata displayed depends on several factors, such as the type of network request that was made and how you configured the ACL rules. For example, DNS events display DNS-specific details and TLS events display TLS-specific details. Similarly, if network protection is enabled in an ACL rule, additional metadata is displayed.

You can share the network event with other console users to audit or investigate the destinations that the user has tried to access. Console users must have the appropriate permissions to view the shared event. Click the Share icon to copy the link to the event.
You can filter the logged network events using the following data filters: 
Filter
Description
Event Overview
Event ID
This is a unique identifier for the network event for your tenant.   
Source
This is the private Gateway IP that was assigned to the endpoint tunnel during the event.
Source port
This is the port number of the destination.
DNS Query Name
This is the Resource Requested (RR) name of the DNS server that the CylanceGATEWAY agent queried.
DNS Query Type
This is the type of DNS query (for example, A, AAAA, or SRV record) that was sent to the DNS server.
Destination
The destination IP address is always included. The event may also show the network service name, or hostname if applicable.
Destination port
This is the port of the destination that was being accessed.
Protocol
This is the protocol (Layer 4) that the network event used to access the destination. The protocol can be UDP or TCP.
App protocol
This is the protocol (Layer 6 or 7), such as TLS or DNS, that was used for the communication.
Network Route
This identifies whether the traffic was routed over a public or a private connection. For private connections, the CylanceGATEWAY Connector is identified.
Start time (UTC)
This is the time when the network activity communication started. The time is displayed in UTC.
End time (UTC)
This is the time when the network activity communication ended. The time is displayed in UTC.
Transferred
This provides how many bytes were exchanged between the destination and the CylanceGATEWAY agent. This is displayed as the total bytes uploaded and downloaded to the server and CylanceGATEWAY agent.
Packet flow
This is the number of packets that were sent between the destination and the CylanceGATEWAY agent.
User
This is the username that the network event is associated with. You can filter the network events by a user's Active Directory username and display name. When you export the Events page, only the username is exported. You can click the username to view the events that are associated with the user.
Platform
This is the device that was used to initiate the network activity (for example, Android, iOS, macOS, or Windows).
Model
This is the model of the device (for example, iPhone, Samsung Galaxy, Google Pixel).
Device
This is the host name of the user's macOS or Windows device (for example, example.com).
Action
This identifies whether the network event is allowed or blocked based on your network protection settings and the ACL rules that you have specified for the environment. Additional information for the action is included in the Action section.
Action
Connection phase
This is the evaluation phase when the access attempt properties were compared against the destinations and conditions of each ACL rule. One or more of the phases that were evaluated against the ACL rules (for example, DNS lookup, connection attempt, and TLS handshake) are displayed.
Time (UTC)
This is the time when the network activity was evaluated with an ACL rule. The time is displayed in UTC.
Applied rule
This is the name of the ACL rule that was applied at the time of the evaluation during the various phases of the ACL rules.
Action
This displays whether the action was allowed or blocked for evaluated phases.
Alerts
Type
This identifies the anomaly that was triggered by the network activity with the associated network protection level that is specified. For more information on the supported anomalies, see Viewing network activity.
Time (UTC)
This is the time that the network activity triggered the alert. The time is displayed in UTC.
Category
This is the anomaly that triggered the alert. For more information on anomalies, see Viewing network activity.
Signature
This is the signature anomaly that was triggered by the network event. 
Transferred
Downloaded
This is the total bytes of data that were sent from the destination to the CylanceGATEWAY agent. Abnormal download volumes can be a sign of exfiltration attempts or malicious software installed on the device.
Uploaded
This is the total bytes of data that were sent from the server destination to the CylanceGATEWAY agent. Abnormal upload volumes can be a sign of exfiltration attempts or malicious software installed on the device.
TLS
TLS version
This is the version of the TLS protocol that was used to connect to the destination.
Client ALPN
This is the ALPN header information that was sent to the CylanceGATEWAY agent from the destination.
Server ALPN
This is the header information that was sent from the destination to the CylanceGATEWAY agent.
SNI
This is the host name of the destination that the CylanceGATEWAY agent attempted to connect to.
Issuer
This is the certificate presented by the destination.
Subject
This is the name of the rule that was applied at the time of the evaluation during the various phases (for example, DNS lookup, connection establishment, and TLS handshake) in relation to the ACL rules.
Not valid before
This is the date before which the certificate is not valid.
Not valid after
This is the date after which the certificate is not valid.