CylanceGATEWAY network events

This option is visible only if CylanceGATEWAY is enabled. When this option is turned on, the events it detects are sent to your organization’s syslog server.

Field | Value | Description |
---|---|---|
Tenant | string | This is the Cylance Endpoint Security tenant associated with the endpoint. |
User Eco Id | [varies] | This is the user's EcoID, if available. |
Event Name | Blocked Connection; Allowed Connection | This is the defined event name for network alerts. |
Event Type | NetworkThreat | This is the defined event type for network alerts. |
Message | [varies] | This is the message that contains the information related to the event, in JSON string format. |
Source | big.blackberry.com | This is the BlackBerry product generating the event. |
Timestamp | [varies] | This is the date and time the event occurred. |
Message descriptions
Field | Value | Description |
---|---|---|
tenantId | string | This is the Cylance Endpoint Security tenant associated with the endpoint. |
action | string | This is the action performed against this traffic. This is unique to the associated event. |
alertType | string | This is the alert type associated with the event. The alert types determine when a syslog event is generated. The supported types include accessControl, signature, ipReputation, dnsTunneling and zeroDay (the values used in the example messages on this page). |
ipRepRisk | string | This is the destination risk associated with the event. The supported risk levels include high and medium (the values used in the example messages on this page). |
signature | string | These are the Packet Inspection Rule details of the identified network threat, if applicable. |
threatDetails | string | This is the Packet Inspection Rule category of the identified network threat, if applicable. This threat detail only applies to the signature alertType. |
policyName | string | This is the name of the user's policy that triggered the event, if applicable. |
appName | string | This is the name of the application or network service associated with the blocked event, if applicable. |
mitre | string | This is the MITRE information related to the event. In the example messages it appears as the mitreData field: an empty string when no mapping applies, otherwise an object whose mitre member carries techniqueName, techniqueId, tacticName and tacticId. |
dnsTunnellingNameServer | string | A DNS query to this DNS server generated a DNS tunneling alert. |
dnsTunnellingScore | string | This is the confidence level of a DNS tunneling alert (the example message on this page uses the level low). |
endpointId | string | This is the CylanceGATEWAY installation ID of the endpoint as it is registered in UES. |
venueEndpointId | string | This is the ID of the CylancePROTECT Desktop service if it is installed on the same device. |
dOsVers | string | This is the OS version of the device. |
dId | string | This is the UES ID of the device. |
dPlat | string | This is the platform of the device. |
dManuf | string | This is the manufacturer of the device. |
dModel | string | This is the model of the device. |
dHostName | string | This is the hostname of the device. |
flowId | string | This is the ID of the CylanceGATEWAY access control engine flow that this event is associated with. |
correlationId | string | This is the correlation ID assigned to the event. |
sourceIp | string | This is the packet source IP address. |
sourcePort | string | This is the packet source port. |
dstAddress | string | This is the destination IP address of the IP packet that triggered the event. Can be IPv4 or IPv6; the example messages on this page also show hostnames in this field. |
destPort | string | This is the packet destination port. |
protocol | string | This is the protocol used to transit the packet. |
endpointIp | string | This is the public source IP associated with the endpoint. This IP is assigned by the network itself. |
category | string | This is the network traffic category description associated with the destination. |
subCategory | string | This is the network traffic subCategory description associated with the destination. |
Example syslog message - Access control policy (allowed)

```json
{ "name": "allowed connection", "userEcoId": "AoSnPnL+sQR+ffz9JyOjs28=", "timestamp": "2022-03-29T13:07:08.573861+0000", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "message": "{\"ipRepRisk\":\"\",\"flowId\":1576259515367845,\"correlationId\":\"d73a487b-64e5-403b-b3e5-fe8165f44fe3\",\"dId\":\"8ad63be4-2f18-4bce-823d-2ef886fa06ee\",\"endpointId\":\"d10ac1c6-66a5-444f-b3f4-d86298fcb71a\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"184.145.41.119:60313\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"sam003cnc.rim.net\",\"policyName\":\"allowpublic\",\"dOsVers\":\"Windows10Enterprise21H2\",\"tenantId\":\"L00000000\",\"sourcePort\":65209,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"AccessControlAllowed-DNS\",\"sourceIp\":\"10.10.0.2\",\"alertType\":\"accessControl\",\"dModel\":\"VMware7,1\",\"destPort\":53,\"category\":\"\",\"venueEndpointId\":\"8f995d7f-bd07-4b15-a9d9-3c444dcd3d44\",\"threatDetails\":\"\",\"subCategory\":\"\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
```
Example syslog message - Access control policy (blocked)

```json
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:30:30.199348+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":2138936830200500,\"correlationId\":\"684c4696-9ba2-48a4-87fe-4203339d4460\",\"dId\":\"d1a365f6-b96a-4a8b-870a-6255d0ce8904\",\"endpointId\":\"0598fe72-67cc-44d0-a738-8a7af0afd6b8\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"208.65.74.38:53047\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"go.microsoft.com\",\"policyName\":\"[ACL_AUTO]BlockOffice365\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":63162,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked-DNS\",\"sourceIp\":\"10.48.0.5\",\"alertType\":\"accessControl\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":53,\"category\":\"Computer and Information Technnology\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Information Technology\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
```
Example syslog message - Signature detection (blocked)

```json
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:55:26.966461+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":1929920197345085,\"correlationId\":\"46a19072-df9f-41c9-850b-4495bcc1cff1\",\"dId\":\"a71c03d3-5f31-4c1a-bdf2-1e4caaf6f773\",\"endpointId\":\"e5d72a88-8388-4fdf-9359-1bf1e12981b1\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:34341\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Pro20H2\",\"tenantId\":\"L00000000\",\"sourcePort\":54189,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"10.48.0.7\",\"alertType\":\"signature\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"3c5c5130-a89b-4f41-924a-52faa3fa8bc0\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
```
Example syslog message - Signature detection (allowed)

```json
{ "name": "allowed connection", "userEcoId": "ArJfeKlfhWkZvA54lE6CGz8=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T14:04:48.847396+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":1845277166201374,\"correlationId\":\"cc1c64f0-1102-4118-b9bb-8cd9674cb54f\",\"dId\":\"f265243e-8fe9-492f-9033-1311acc5a7c8\",\"endpointId\":\"ce480862-358f-4b92-8917-d5db3d02be71\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:53406\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41808,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"signature\",\"dModel\":\"TestTool\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.example.com\"}" }
```
Example syslog message - IP reputation (blocked)

```json
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:39:49.806287+0000", "message": "{\"ipRepRisk\":\"high\",\"flowId\":176248481729935,\"correlationId\":\"8afbcc93-2840-4de1-9495-f09ddeac5d1b\",\"dId\":\"e2c3cde5-9b09-4fcd-9a26-6a9a5fe3e209\",\"endpointId\":\"a81ad01b-e900-4205-8520-4595fcfd6ec1\",\"dManuf\":\"VMware,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:38294\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"192.0.2.24\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":53845,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"ipReputation\",\"dModel\":\"VMwareVirtualPlatform\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.example.com\"}" }
```
Example syslog message - IP reputation (allowed)

```json
{ "name": "allowed connection", "userEcoId": "AvaMzjb9wimmDicB9+g8eQU=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:45:03.924052+0000", "message": "{\"ipRepRisk\":\"medium\",\"flowId\":668552686147988,\"correlationId\":\"b515fbdf-d5f2-4204-a8ee-c8b094a53908\",\"dId\":\"709f5d7c-8bad-45ea-b5d8-b569e9292491\",\"endpointId\":\"09be30f0-a764-458e-ade2-0c87487e6de1\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:54393\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"178.175.31.230\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41988,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"AccessControlAllowed-ConnectionAttempt\",\"sourceIp\":\"10.48.0.6\",\"alertType\":\"ipReputation\",\"dModel\":\"TestTool\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"\",\"subCategory\":\"Malware\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.rim.net\"}" }
```
Example syslog message - DNS Tunneling

```json
{ "name": "dnsTunneling connection", "userEcoId": "Aiq2A2vxJQKuPDyqrU/BQBk=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-02-22T13:47:33.945670+0000", "message": "{\"ipRepRisk\":\"\",\"flowId\":884470825841375,\"correlationId\":\"d8ab0341-6177-4fc5-88f5-0ce3f3fd3901\",\"dId\":\"16be1f36-2f04-4de7-9a19-3dd4fbcdf14f\",\"endpointId\":\"bab0fb44-bf67-4491-8f7d-07cf11d6e32e\",\"dManuf\":\"VMware, Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.133.168:43960\",\"dnsTunnellingNameServer\":\"192.12.94.30\",\"key\":\"\",\"dstAddress\":\"056c03240f000000001dcd70c88c2eea129b70a7513c4f1763799e670db8.2954ad5e62dcbe3e5b83d26e3f9c2430e59d3c9810f58e84ad26ced48770.917a4f5206269bc8358c8072b3.reallyevilsite.com\",\"policyName\":\"\",\"dOsVers\":\"Windows 10 Enterprise 2009\",\"tenantId\":\"L00000000\",\"sourcePort\":53966,\"mitreData\":\"\",\"dnsTunnellingScore\":\"low\",\"action\":\"allowed\",\"signature\":\"\",\"sourceIp\":\"10.10.10.2\",\"alertType\":\"dnsTunneling\",\"dModel\":\"VMware Virtual Platform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"7340ccd2-f167-4a7e-873b-6ec4c9f4cfd8\",\"threatDetails\":\"\",\"subCategory\":\"DNS Tunneling\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
```
Example syslog message - zeroDay

```json
{ "userEcoId":"Aj4aHPPwY4kzTYJPZpfETW4=", "tenantId":"V00000000", "type":"NetworkThreat", "name":"allowed connection", "source":"big.blackberry.com", "timestamp":"2021-06-28T18:38:28.453738+0000", "message":"{\"sourcePort\":42828,\"alertType\":\"zeroDay\",\"dModel\":\"TestTool\",\"dOsVers\":\"5.6.7\",\"action\":\"allowed\",\"appName\":\"\",\"flowId\":3367092445552440,\"protocol\":\"TLS\",\"tenantId\":\"V00000000\",\"threatDetails\":\"\",\"dnsTunnellingScore\":\"\",\"destPort\":443,\"dstAddress\":\"13.234.212.19\",\"venueEndpointId\":\"venue_9876\",\"sourceIp\":\"10.10.12.2\",\"endpointId\":\"1f3a651f-12aa-402c-a6e3-ca62b3cea0c7\",\"key\":\"\",\"endpointIp\":\"172.29.132.27:58313\",\"mitreData\":\"\",\"ipRepRisk\":\"High\",\"correlationId\":\"5e4ac53c-2565-4532-95dd-59b5b5ba4875\",\"category\":\"Security Risk\",\"policyName\":\"\",\"subCategory\":\"Unauthorized Marketplace\",\"dnsTunnellingNameServer\":\"\",\"dId\":\"venue_9876\",\"signature\":\"\",\"dPlat\":\"Windows\",\"dManuf\":\"BlackBerry\",\"dHostName\":\"test.rim.net\"}" }
```
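The two tables and the example messages above describe a double-encoded format: each syslog line is a JSON envelope whose message value is itself a JSON string, mitreData is either an empty string or an object wrapping a mitre object, ports arrive as numbers although the table types them as strings, and ipRepRisk appears both as high and as High. The following Python is an added example, not BlackBerry's code, that decodes both layers into a normalised record and applies a simple triage rule for a SIEM pipeline. The sample lines, correlation IDs, hostnames and addresses are constructed, and the triage severities are my own assumption, not a BlackBerry rating.

```python
import json
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class GatewayEvent:
    """Normalised view of one CylanceGATEWAY network event (hypothetical type name)."""
    alert_type: str
    action: str                 # lower-cased: "allowed" or "blocked"
    ip_rep_risk: str            # lower-cased so "High" and "high" compare equal; "" if empty
    dns_tunnelling_score: str   # lower-cased; "" when not a dnsTunneling alert
    source_ip: str
    source_port: Optional[int]
    dst_address: str
    dest_port: Optional[int]
    protocol: str
    signature: str
    mitre: dict                 # {} when mitreData is the empty string
    device_host: str
    correlation_id: str


def _to_int(value: Any) -> Optional[int]:
    """Accept numeric or string ports; None when the field is missing or malformed."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_event(line: str) -> GatewayEvent:
    """Decode the outer envelope, then the JSON string carried in its message field."""
    envelope = json.loads(line)
    if envelope.get("type") != "NetworkThreat":
        raise ValueError("not a CylanceGATEWAY network event: type=%r" % envelope.get("type"))
    raw = envelope.get("message", "")
    inner = json.loads(raw) if isinstance(raw, str) else raw
    if not isinstance(inner, dict):
        raise ValueError("message field is not a JSON object")
    # mitreData is "" when no MITRE mapping applies and {"mitre": {...}} otherwise
    mitre_data = inner.get("mitreData")
    mitre = mitre_data.get("mitre", {}) if isinstance(mitre_data, dict) else {}
    return GatewayEvent(
        alert_type=inner.get("alertType", ""),
        action=str(inner.get("action", "")).lower(),
        ip_rep_risk=str(inner.get("ipRepRisk", "")).lower(),
        dns_tunnelling_score=str(inner.get("dnsTunnellingScore", "")).lower(),
        source_ip=inner.get("sourceIp", ""),
        source_port=_to_int(inner.get("sourcePort")),
        dst_address=inner.get("dstAddress", ""),
        dest_port=_to_int(inner.get("destPort")),
        protocol=inner.get("protocol", ""),
        signature=inner.get("signature", ""),
        mitre=mitre if isinstance(mitre, dict) else {},
        device_host=inner.get("dHostName", ""),
        correlation_id=inner.get("correlationId", ""),
    )


def triage(ev: GatewayEvent) -> str:
    """Assumed severity rule: detections the gateway saw but did not block rank highest."""
    allowed = ev.action == "allowed"
    if ev.alert_type in ("signature", "zeroDay"):
        return "high" if allowed else "medium"
    if ev.alert_type == "ipReputation":
        if ev.ip_rep_risk == "high":
            return "high" if allowed else "medium"
        return "medium" if allowed else "low"
    if ev.alert_type == "dnsTunneling":
        # "high" as a score name is an assumption; the page only shows "low"
        return "high" if ev.dns_tunnelling_score == "high" else "medium"
    return "info"  # accessControl events are policy outcomes, not threat verdicts


def make_event(name: str, inner: dict) -> str:
    """Build a constructed syslog line in the envelope shape shown on this page."""
    envelope = {"name": name, "userEcoId": "EXAMPLE_ECO_ID=", "tenantId": "L00000000",
                "type": "NetworkThreat", "source": "big.blackberry.com",
                "timestamp": "2022-03-29T13:39:49.806287+0000",
                "message": json.dumps(inner, separators=(",", ":"))}
    return json.dumps(envelope)


# Constructed sample input: one allowed high-risk destination, one blocked signature hit.
SAMPLE_LINES = [
    make_event("allowed connection", {
        "ipRepRisk": "High", "flowId": 1, "correlationId": "corr-0001", "action": "allowed",
        "alertType": "ipReputation", "sourceIp": "10.0.0.5", "sourcePort": 53845,
        "dstAddress": "192.0.2.24", "destPort": 443, "protocol": "TCP", "signature": "",
        "mitreData": "", "dnsTunnellingScore": "", "dHostName": "host-a.example.test"}),
    make_event("blocked connection", {
        "ipRepRisk": "", "flowId": 2, "correlationId": "corr-0002", "action": "blocked",
        "alertType": "signature", "sourceIp": "10.0.0.7", "sourcePort": 54189,
        "dstAddress": "www.example.test", "destPort": 53, "protocol": "UDP",
        "signature": "Example rule (constructed)", "dnsTunnellingScore": "",
        "mitreData": {"mitre": {"techniqueName": "Encrypted_Channel", "tacticId": "TA555",
                                "tacticName": "Command_And_Control", "techniqueId": "T555"}},
        "dHostName": "host-b.example.test"}),
]


def summarise(lines) -> list:
    """Parse each line and return (severity, alertType, action, destination) tuples."""
    return [(triage(ev), ev.alert_type, ev.action, ev.dst_address)
            for ev in map(parse_event, lines)]


if __name__ == "__main__":
    for row in summarise(SAMPLE_LINES):
        print(row)
```

Feed real syslog lines to parse_event one at a time; the ValueError branches keep a malformed or non-NetworkThreat line from poisoning the batch, and the lower-casing means a rule written against ipRepRisk == "high" also matches the capitalised form seen in the zeroDay example.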