CylanceGATEWAY network events

This option is visible only if CylanceGATEWAY is enabled. When this option is turned on, the events it detects are sent to your organization's syslog server.
Tenant (string): This is the Cylance Endpoint Security tenant associated with the endpoint.
User Eco Id (varies): This is the user's EcoID, if available.
Event Name (Blocked Connection, Allowed Connection): This is the defined event name for network alerts:
  • Allowed connections: A detection happened and a syslog event was generated, but the connection was allowed based on the applied risk criteria.
  • Blocked connections: A detection happened and a syslog event was generated, and the connection was blocked based on the applied risk criteria.
Event Type (NetworkThreat): This is the defined event type for network alerts.
Message (varies): This is the message that contains information related to the event, in JSON string format.
Source (big.blackberry.com): This is the BlackBerry product generating the event.
Timestamp (varies): This is the date and time the event occurred.
Message descriptions
tenantId (string): This is the Cylance Endpoint Security tenant associated with the endpoint.
action (string): This is the action performed against this traffic. This is unique to the associated event.
alertType (string): This is the alert type associated with the event. The alert types determine when a syslog event is generated. The supported types are:
  • ipReputation - event triggered due to destination risk
  • signature - event triggered due to inspection of packets
  • dnsTunnelling - event triggered by analysis of DNS traffic between the client and DNS servers
  • accessControl - event triggered due to the user's network access rules
  • zeroDay - event triggered due to a newly identified malicious destination that had not been identified previously. After they are identified, these destinations are assigned a risk score and are subsequently blocked or alerted upon based on the risk level that you set for your network protection. When they are blocked or alerted upon, they display as ipReputation alerts in your organization's syslog server. For more information, see Configure network protection settings.
ipRepRisk (string): This is the destination risk associated with the event. The supported risk levels are:
  • High
  • Medium
  • Low
signature (string): These are the Packet Inspection Rule details of the identified network threat, if applicable.
threatDetails (string): This is the Packet Inspection Rule category of the identified network threat, if applicable. This threat detail only applies to the signature alertType.
policyName (string): This is the name of the user's policy that triggered the event, if applicable.
appName (string): This is the name of the application or network service associated with the blocked event, if applicable.
mitre (string): This is the MITRE information related to the event. Additional details are provided below.
  • techniqueId: The MITRE technique ID
  • techniqueName: The MITRE technique name
  • tacticId: The MITRE tactic ID
  • tacticName: The MITRE tactic name
  • mid: The MITRE mitigation technique ID
  • aptGid: The MITRE associated APT group ID
dnsTunnellingNameServer (string): A DNS query to this DNS server generated a DNS tunneling alert.
dnsTunnellingScore (string): This is the confidence level of a DNS tunneling alert. The following levels are supported:
  • High
  • Medium
  • Low
endpointId (string): This is the CylanceGATEWAY installation ID of the endpoint as it is registered in UES.
venueEndpointId (string): This is the ID of the CylancePROTECT Desktop service if it is installed on the same device.
dOsVers (string): This is the OS version of the device.
dId (string): This is the UES ID of the device.
dPlat (string): This is the platform of the device.
dManuf (string): This is the manufacturer of the device.
dModel (string): This is the model of the device.
dHostName (string): This is the hostname of the device.
flowId (string): This is the ID of the CylanceGATEWAY access control engine flow that this event is associated with.
correlationId (string): This is the correlation ID assigned to the event.
sourceIp (string): This is the packet source IP address.
sourcePort (string): This is the packet source port.
dstAddress (string): This is the destination IP address of the IP packet that triggered the event. Can be IPv4 or IPv6.
destPort (string): This is the packet destination port.
protocol (string): This is the protocol used to transit the packet.
endpointIp (string): This is the public source IP associated with the endpoint. This IP is assigned by the network itself.
category (string): This is the network traffic category description associated with the destination.
subCategory (string): This is the network traffic subcategory description associated with the destination.
Example syslog message - Access control policy (allowed)
{ "name": "allowed connection", "userEcoId": "AoSnPnL+sQR+ffz9JyOjs28=", "timestamp": "2022-03-29T13:07:08.573861+0000", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "message": "{\"ipRepRisk\":\"\",\"flowId\":1576259515367845,\"correlationId\":\"d73a487b-64e5-403b-b3e5-fe8165f44fe3\",\"dId\":\"8ad63be4-2f18-4bce-823d-2ef886fa06ee\",\"endpointId\":\"d10ac1c6-66a5-444f-b3f4-d86298fcb71a\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"184.145.41.119:60313\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"sam003cnc.rim.net\",\"policyName\":\"allowpublic\",\"dOsVers\":\"Windows10Enterprise21H2\",\"tenantId\":\"L00000000\",\"sourcePort\":65209,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"AccessControlAllowed-DNS\",\"sourceIp\":\"10.10.0.2\",\"alertType\":\"accessControl\",\"dModel\":\"VMware7,1\",\"destPort\":53,\"category\":\"\",\"venueEndpointId\":\"8f995d7f-bd07-4b15-a9d9-3c444dcd3d44\",\"threatDetails\":\"\",\"subCategory\":\"\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - Access control policy (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:30:30.199348+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":2138936830200500,\"correlationId\":\"684c4696-9ba2-48a4-87fe-4203339d4460\",\"dId\":\"d1a365f6-b96a-4a8b-870a-6255d0ce8904\",\"endpointId\":\"0598fe72-67cc-44d0-a738-8a7af0afd6b8\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"208.65.74.38:53047\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"go.microsoft.com\",\"policyName\":\"[ACL_AUTO]BlockOffice365\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":63162,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked-DNS\",\"sourceIp\":\"10.48.0.5\",\"alertType\":\"accessControl\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":53,\"category\":\"Computer and Information Technology\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Information Technology\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - Signature detection (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:55:26.966461+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":1929920197345085,\"correlationId\":\"46a19072-df9f-41c9-850b-4495bcc1cff1\",\"dId\":\"a71c03d3-5f31-4c1a-bdf2-1e4caaf6f773\",\"endpointId\":\"e5d72a88-8388-4fdf-9359-1bf1e12981b1\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:34341\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Pro20H2\",\"tenantId\":\"L00000000\",\"sourcePort\":54189,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"10.48.0.7\",\"alertType\":\"signature\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"3c5c5130-a89b-4f41-924a-52faa3fa8bc0\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - Signature detection (allowed)
{ "name": "allowed connection", "userEcoId": "ArJfeKlfhWkZvA54lE6CGz8=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T14:04:48.847396+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":1845277166201374,\"correlationId\":\"cc1c64f0-1102-4118-b9bb-8cd9674cb54f\",\"dId\":\"f265243e-8fe9-492f-9033-1311acc5a7c8\",\"endpointId\":\"ce480862-358f-4b92-8917-d5db3d02be71\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:53406\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41808,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"signature\",\"dModel\":\"TestTool\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.example.com\"}" }
Example syslog message - IP reputation (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:39:49.806287+0000", "message": "{\"ipRepRisk\":\"high\",\"flowId\":176248481729935,\"correlationId\":\"8afbcc93-2840-4de1-9495-f09ddeac5d1b\",\"dId\":\"e2c3cde5-9b09-4fcd-9a26-6a9a5fe3e209\",\"endpointId\":\"a81ad01b-e900-4205-8520-4595fcfd6ec1\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:38294\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"192.0.2.24\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":53845,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"ipReputation\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.example.com\"}" }
Example syslog message - IP reputation (allowed)
{ "name": "allowed connection", "userEcoId": "AvaMzjb9wimmDicB9+g8eQU=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:45:03.924052+0000", "message": "{\"ipRepRisk\":\"medium\",\"flowId\":668552686147988,\"correlationId\":\"b515fbdf-d5f2-4204-a8ee-c8b094a53908\",\"dId\":\"709f5d7c-8bad-45ea-b5d8-b569e9292491\",\"endpointId\":\"09be30f0-a764-458e-ade2-0c87487e6de1\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:54393\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"178.175.31.230\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41988,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"AccessControlAllowed-ConnectionAttempt\",\"sourceIp\":\"10.48.0.6\",\"alertType\":\"ipReputation\",\"dModel\":\"TestTool\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"\",\"subCategory\":\"Malware\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - DNS Tunneling
{ "name": "dnsTunneling connection", "userEcoId": "Aiq2A2vxJQKuPDyqrU/BQBk=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-02-22T13:47:33.945670+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":884470825841375,\"correlationId\":\"d8ab0341-6177-4fc5-88f5-0ce3f3fd3901\",\"dId\":\"16be1f36-2f04-4de7-9a19-3dd4fbcdf14f\",\"endpointId\":\"bab0fb44-bf67-4491-8f7d-07cf11d6e32e\",\"dManuf\":\"VMware, Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.133.168:43960\",\"dnsTunnellingNameServer\":\"192.12.94.30\",\"key\":\"\",\"dstAddress\":\"056c03240f000000001dcd70c88c2eea129b70a7513c4f1763799e670db8.2954ad5e62dcbe3e5b83d26e3f9c2430e59d3c9810f58e84ad26ced48770.917a4f5206269bc8358c8072b3.reallyevilsite.com\",\"policyName\":\"\",\"dOsVers\":\"Windows 10 Enterprise 2009\",\"tenantId\":\"L00000000\",\"sourcePort\":53966,\"mitreData\":\"\",\"dnsTunnellingScore\":\"low\",\"action\":\"allowed\",\"signature\":\"\",\"sourceIp\":\"10.10.10.2\",\"alertType\":\"dnsTunneling\",\"dModel\":\"VMware Virtual Platform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"7340ccd2-f167-4a7e-873b-6ec4c9f4cfd8\",\"threatDetails\":\"\",\"subCategory\":\"DNS Tunneling\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - zeroDay
{ "userEcoId":"Aj4aHPPwY4kzTYJPZpfETW4=", "tenantId":"V00000000", "type":"NetworkThreat", "name":"allowed connection", "source":"big.blackberry.com", "timestamp":"2021-06-28T18:38:28.453738+0000", "message":"{\"sourcePort\":42828,\"alertType\":\"zeroDay\",\"dModel\":\"TestTool\",\"dOsVers\":\"5.6.7\",\"action\":\"allowed\",\"appName\":\"\",\"flowId\":3367092445552440,\"protocol\":\"TLS\",\"tenantId\":\"V00000000\",\"threatDetails\":\"\",\"dnsTunnellingScore\":\"\",\"destPort\":443,\"dstAddress\":\"13.234.212.19\",\"venueEndpointId\":\"venue_9876\",\"sourceIp\":\"10.10.12.2\",\"endpointId\":\"1f3a651f-12aa-402c-a6e3-ca62b3cea0c7\",\"key\":\"\",\"endpointIp\":\"172.29.132.27:58313\",\"mitreData\":\"\",\"ipRepRisk\":\"High\",\"correlationId\":\"5e4ac53c-2565-4532-95dd-59b5b5ba4875\",\"category\":\"Security Risk\",\"policyName\":\"\",\"subCategory\":\"Unauthorized Marketplace\",\"dnsTunnellingNameServer\":\"\",\"dId\":\"venue_9876\",\"signature\":\"\",\"dPlat\":\"Windows\",\"dManuf\":\"BlackBerry\",\"dHostName\":\"test.rim.net\"}" }
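The following Python example is added here to show how a collector consumes the envelope and message fields documented above; it is not BlackBerry's code. It decodes one syslog line, parses the JSON string carried in the message field, normalises the case and spelling variations visible in the samples (ipRepRisk "high" versus "High", alertType dnsTunnelling versus dnsTunneling), copes with mitreData being either an empty string or an object, splits the "ip:port" form of endpointIp, and assigns a review priority. The NetworkEvent, parse_event, triage and summarize names, the priority rules and the sample records are all assumptions made for this example; only the field names and value shapes come from the page.

```python
"""Parse and triage CylanceGATEWAY network-event syslog payloads. Added example, not
BlackBerry code: only the documented fields are assumed; rules and samples are constructed."""
import json
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class NetworkEvent:
    name: str
    timestamp: str
    alert_type: str          # lower-cased; "dnstunnelling" folded to "dnstunneling"
    action: str
    ip_rep_risk: str         # lower-cased ("" unless an ipReputation / zeroDay event)
    dns_score: str           # lower-cased dnsTunnellingScore
    source_ip: str
    source_port: int
    dst_address: str
    dest_port: int
    protocol: str
    endpoint_ip: str
    endpoint_port: Optional[int]
    host_name: str
    signature: str
    mitre: dict = field(default_factory=dict)

def parse_event(raw: str) -> NetworkEvent:
    """Decode one syslog line: the outer envelope, then the JSON string in "message"."""
    env = json.loads(raw)
    if env.get("type") != "NetworkThreat":
        raise ValueError(f"not a CylanceGATEWAY network event: type={env.get('type')!r}")
    message = env["message"]
    inner = json.loads(message) if isinstance(message, str) else message
    # mitreData is "" when no MITRE mapping applies and {"mitre": {...}} otherwise.
    mitre_data = inner.get("mitreData") or {}
    mitre = mitre_data.get("mitre", {}) if isinstance(mitre_data, dict) else {}
    # endpointIp carries "ip:port"; an IPv6 literal (many colons) is kept whole.
    ep = str(inner.get("endpointIp", ""))
    endpoint_ip, endpoint_port = ep, None
    if ep.count(":") == 1:
        endpoint_ip, port_str = ep.split(":")
        endpoint_port = int(port_str)
    alert_type = str(inner.get("alertType", "")).lower().replace("tunnelling", "tunneling")
    return NetworkEvent(
        name=env.get("name", ""), timestamp=env.get("timestamp", ""), alert_type=alert_type,
        action=str(inner.get("action", "")).lower(),
        ip_rep_risk=str(inner.get("ipRepRisk", "")).lower(),
        dns_score=str(inner.get("dnsTunnellingScore", "")).lower(),
        source_ip=inner.get("sourceIp", ""), source_port=int(inner.get("sourcePort") or 0),
        dst_address=inner.get("dstAddress", ""), dest_port=int(inner.get("destPort") or 0),
        protocol=inner.get("protocol", ""), endpoint_ip=endpoint_ip, endpoint_port=endpoint_port,
        host_name=inner.get("dHostName", ""), signature=inner.get("signature", ""), mitre=mitre,
    )

def triage(ev: NetworkEvent) -> str:
    """Review priority (constructed policy): allowed high-risk traffic ranks highest,
    since a blocked connection was already stopped at the gateway."""
    blocked = ev.action == "blocked"
    if ev.alert_type in ("ipreputation", "zeroday"):
        if ev.ip_rep_risk == "high":
            return "medium" if blocked else "high"
        return "medium" if (ev.ip_rep_risk == "medium" and not blocked) else "low"
    if ev.alert_type == "dnstunneling":
        return ev.dns_score if ev.dns_score in ("high", "medium") else "low"
    if ev.alert_type == "signature":
        return "low" if blocked else "medium"
    return "info"  # accessControl policy hits and anything unrecognised

def summarize(ev: NetworkEvent) -> str:
    """One-line summary of the fields an analyst looks at first."""
    mitre = f" mitre={ev.mitre.get('techniqueId')}" if ev.mitre else ""
    return (f"[{triage(ev)}] {ev.alert_type} {ev.action} host={ev.host_name} {ev.source_ip}:"
            f"{ev.source_port} -> {ev.dst_address}:{ev.dest_port}/{ev.protocol}{mitre}")

def _envelope(name: str, inner: dict) -> str:
    """Constructed sample line; the nested message is double-encoded as the gateway does."""
    return json.dumps({"name": name, "userEcoId": "EXAMPLE_ECO_ID", "tenantId": "L00000000",
                       "type": "NetworkThreat", "source": "big.blackberry.com",
                       "timestamp": "2022-03-29T13:07:08.573861+0000", "message": json.dumps(inner)})

_BASE = {"ipRepRisk": "", "signature": "", "mitreData": "", "dnsTunnellingScore": "",
         "dnsTunnellingNameServer": "", "policyName": "AllowPublic", "dHostName": "host.example"}
SAMPLE_EVENTS = [  # constructed records modelled on the page's examples
    _envelope("allowed connection", {**_BASE, "alertType": "ipReputation", "action": "allowed",
              "ipRepRisk": "High", "sourceIp": "10.10.0.2", "sourcePort": 53845,
              "dstAddress": "192.0.2.24", "destPort": 443, "protocol": "TCP", "endpointIp": "192.0.2.0:38294"}),
    _envelope("dnsTunneling connection", {**_BASE, "alertType": "dnsTunneling", "action": "allowed",
              "dnsTunnellingScore": "low", "dnsTunnellingNameServer": "192.0.2.53", "sourceIp": "10.10.10.2",
              "sourcePort": 53966, "dstAddress": "0a1b2c3d.tunnel.example.net", "destPort": 53,
              "protocol": "UDP", "endpointIp": "203.0.113.8:43960"}),
    _envelope("blocked connection", {**_BASE, "alertType": "signature", "action": "blocked",
              "signature": "Example rule (tp/internal-sources-reject/555)", "sourceIp": "10.48.0.7",
              "sourcePort": 54189, "dstAddress": "www.example.com", "destPort": 53, "protocol": "UDP",
              "endpointIp": "203.0.113.9:34341", "mitreData": {"mitre": {"techniqueId": "T555",
              "techniqueName": "Encrypted_Channel", "tacticId": "TA555", "tacticName": "Command_And_Control"}}}),
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(summarize(parse_event(line)))
```

Feeding the page's own sample messages to parse_event works the same way, because the parser only relies on the envelope keys and the nested message string. The ordering in triage is the design point worth adjusting to local policy: an allowed connection to a high-risk destination means the gateway let the traffic through under the configured risk level, so it is the event an analyst wants to see first, whereas a blocked event is mainly of interest for confirming the policy and for follow-up on the endpoint.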