CylanceGATEWAY network events

This option is visible only if CylanceGATEWAY is enabled. When this option is turned on, the events it detects are sent to your organization's syslog server.
Field (Value): Description

Tenant (string): This is the Tenant Service ID that is associated with the endpoint.
User Eco Id ([varies]): This is the user's EcoID, if available.
Event Name (Blocked Connection, Allowed Connection, or dnsTunneling connection): This is the defined event name for network alerts:
  • Allowed connections: A detection happened and a syslog event was generated, but the connection was allowed based on the applied risk criteria.
  • Blocked connections: A detection happened and a syslog event was generated, and the connection was blocked based on the applied risk criteria.
Event Type (NetworkThreat): This is the defined event type for network alerts.
Message ([varies]): This message contains the information related to the event, in JSON string format.
Source (big.blackberry.com): This is the BlackBerry product generating the event.
Timestamp ([varies]): This is the date and time the event occurred.
Message descriptions
Field (Value): Description

tenantId (string): This is the Tenant Service ID that is associated with the endpoint.
action (string): This is the action performed against this traffic. This is unique to the associated event.
alertType (string): This is the alert type associated with the event. The alert types determine when a syslog event is generated. The supported types are:
  • ipReputation - event triggered due to destination risk
  • signature - event triggered due to inspection of packets
  • dnsTunnelling - event triggered by analysis of DNS traffic between the client and DNS servers
  • accessControl - event triggered due to the user's network access rules
  • zeroDay - event triggered due to newly identified malicious destinations that have not been identified previously. After they are identified, these destinations are assigned a risk score. They are subsequently blocked or alerted upon based on the risk level that you set for your network protection. When they are blocked or alerted upon, they are displayed as ipReputation alerts in your organization's syslog server. For more information, see Configure network protection settings.
ipRepRisk (string): This is the destination risk associated with the event. The supported risk levels are:
  • High
  • Medium
  • Low
ipRepContext (string): This identifies whether the IP reputation alert was triggered by identifying a malicious IP address or FQDN. The following values are supported:
  • IP
  • FQDN
signature (string): These are the Packet Inspection Rule details of the identified network threat, if applicable.
threatDetails (string): This is the Packet Inspection Rule category of the identified network threat, if applicable. This threat detail only applies to the signature alertType.
policyName (string): This is the name of the user's policy that triggered the event, if applicable.
appName (string): This is the name of the application or network service associated with the blocked event, if applicable.
mitre (string): This is the MITRE information related to the event. Additional details are provided below.
  • techniqueId: The MITRE technique ID
  • techniqueName: The MITRE technique name
  • tacticId: The MITRE tactic ID
  • tacticName: The MITRE tactic name
  • mid: The MITRE mitigation technique ID
  • aptGid: The MITRE associated APT group ID
protocolContent (string): This is the protocol content for the HTTP metadata. This field is only available with an HTTP request.
http (string): This is the HTTP metadata request information related to the event. Additional details are provided below.
  • length: The response length in bytes
  • hostname: The hostname header
  • url: The URL of the HTTP request
  • httpUserAgent: The user agent header
  • httpContentType: The content type header from the response
  • httpMethod: The request method
  • status: The non-200 response status code
  • protocol: The HTTP protocol version of the request (for example, HTTP/1.1)
dnsTunnellingNameServer (string): A DNS query to this DNS server generated a DNS tunneling alert.
dnsTunnellingScore (string): This is the confidence level of a DNS tunneling alert. The following levels are supported:
  • High
  • Medium
  • Low
endpointId (string): This is the CylanceGATEWAY installation ID of the endpoint as it is registered in UES.
venueEndpointId (string): This is the ID of the CylancePROTECT Desktop service if it is installed on the same device.
dOsVers (string): This is the OS version of the device.
dId (string): This is the UES ID of the device.
dPlat (string): This is the platform of the device.
dManuf (string): This is the manufacturer of the device.
dModel (string): This is the model of the device.
dHostName (string): This is the hostname of the device.
flowId (int): This is the ID of the CylanceGATEWAY access control engine flow that this event is associated with.
correlationId (string): This is the correlation ID assigned to the event.
sourceIp (string): This is the packet source IP address.
sourcePort (string): This is the packet source port.
dstAddress (string): This is the destination address, either the FQDN or the IP address (IPv4 or IPv6) of the IP packet that triggered the event. Use the ipRepContext field to determine whether the field value is an IP address or an FQDN.
destPort (string): This is the packet destination port.
protocol (string): This is the protocol used to transit the packet.
endpointIp (string): This is the public source IP associated with the endpoint. This IP is assigned by the network itself.
egressIp (string): This is the egress public IP address of the flow as it left the BlackBerry Infrastructure.
natIp (int): For private destinations, this is the NAT IP address of this flow as it left the CylanceGATEWAY Connector for your private network. For public destinations, this is the NAT IP address of this flow as it left the CylanceGATEWAY cloud services for a public Internet destination.
natPort (string): This is the NAT port of this flow as it left the CylanceGATEWAY Connector for your private network.
category (string): This is the network traffic category description associated with the destination.
subCategory (string): This is the network traffic subcategory description associated with the destination.
processName (string): This is the name of the process that the DNS request originated from.
Example syslog message - Access control policy (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:30:30.199348+0000", "message": "{\"ipRepRisk\":\"\",\"ipRepContext\":\"\",\"flowid\":2138936830200500,\"correlationId\":\"684c4696-9ba2-48a4-87fe-4203339d4460\",\"dId\":\"d1a365f6-b96a-4a8b-870a-6255d0ce8904\",\"endpointId\":\"0598fe72-67cc-44d0-a738-8a7af0afd6b8\",\"dManuf\":\"Example,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"208.65.74.38:53047\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"go.microsoft.com\",\"policyName\":\"[ACL_AUTO]BlockOffice365\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":63162,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked-DNS\",\"sourceIp\":\"10.48.0.5\",\"alertType\":\"accessControl\",\"dModel\":\"ExampleVirtualPlatform\",\"destPort\":53,\"category\":\"Computer and Information Technnology\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Information Technology\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - Signature detection (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:55:26.966461+0000", "message": "{\"ipRepRisk\":\"\",\"ipRepContext\":\"\",\"flowId\":1929920197345085,\"correlationId\":\"46a19072-df9f-41c9-850b-4495bcc1cff1\",\"dId\":\"a71c03d3-5f31-4c1a-bdf2-1e4caaf6f773\",\"endpointId\":\"e5d72a88-8388-4fdf-9359-1bf1e12981b1\",\"dManuf\":\"Example,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:34341\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Pro20H2\",\"tenantId\":\"L00000000\",\"sourcePort\":54189,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"10.48.0.7\",\"alertType\":\"signature\",\"dModel\":\"ExampleVirtualPlatform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"3c5c5130-a89b-4f41-924a-52faa3fa8bc0\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\"}" }
Example syslog message - Signature detection (allowed)
{ "name": "allowed connection", "userEcoId": "ArJfeKlfhWkZvA54lE6CGz8=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T14:04:48.847396+0000", "message": "{\"ipRepRisk\":\"\",\"ipRepContext\":\"\",\"flowId\":1845277166201374,\"correlationId\":\"cc1c64f0-1102-4118-b9bb-8cd9674cb54f\",\"dId\":\"f265243e-8fe9-492f-9033-1311acc5a7c8\",\"endpointId\":\"ce480862-358f-4b92-8917-d5db3d02be71\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:53406\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"www.tiktok.com\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41808,\"mitreData\":{\"mitre\":{\"techniqueName\":\"Encrypted_Channel\",\"tacticId\":\"TA555\",\"tacticName\":\"Command_And_Control\",\"techniqueId\":\"T555\"}},\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"Test3rdpartyDNSQueryfor.toTLD(tp/internal-sources-reject/internal-sources-reject/555)\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"signature\",\"dModel\":\"TestTool\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"PotentiallyBadTraffic\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.example.com\",\"egressIp\":\"35.170.136.211\"}" }
Example syslog message - IP reputation (blocked)
{ "name": "blocked connection", "userEcoId": "AkFgfsBTmGVatwDR8RiYV6U=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:39:49.806287+0000", "message": "{\"ipRepRisk\":\"high\",\"ipRepContext\":\"fqdn\",\"flowId\":176248481729935,\"correlationId\":\"8afbcc93-2840-4de1-9495-f09ddeac5d1b\",\"dId\":\"e2c3cde5-9b09-4fcd-9a26-6a9a5fe3e209\",\"endpointId\":\"a81ad01b-e900-4205-8520-4595fcfd6ec1\",\"dManuf\":\"Example,Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"192.0.2.0:38294\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"192.0.2.24\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"Windows10Enterprise1909\",\"tenantId\":\"L00000000\",\"sourcePort\":53845,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"blocked\",\"signature\":\"AccessControlBlocked\",\"sourceIp\":\"192.0.2.20\",\"alertType\":\"ipReputation\",\"dModel\":\"ExampleVirtualPlatform\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"aba3204a-ee4a-403e-a6d7-59da1effe188\",\"threatDetails\":\"\",\"subCategory\":\"Potentially Harmful\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.example.com\"}" }
Example syslog message - IP reputation (allowed)
{ "name": "allowed connection", "userEcoId": "AvaMzjb9wimmDicB9+g8eQU=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-03-29T13:45:03.924052+0000", "message": "{\"ipRepRisk\":\"medium\",\"ipRepContext\":\"fqdn\",\"flowId\":668552686147988,\"correlationId\":\"b515fbdf-d5f2-4204-a8ee-c8b094a53908\",\"dId\":\"709f5d7c-8bad-45ea-b5d8-b569e9292491\",\"endpointId\":\"09be30f0-a764-458e-ade2-0c87487e6de1\",\"dManuf\":\"BlackBerry\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.135.161:54393\",\"dnsTunnellingNameServer\":\"\",\"key\":\"\",\"dstAddress\":\"178.175.31.230\",\"policyName\":\"AllowPublic\",\"dOsVers\":\"5.6.7\",\"tenantId\":\"L00000000\",\"sourcePort\":41988,\"mitreData\":\"\",\"dnsTunnellingScore\":\"\",\"action\":\"allowed\",\"signature\":\"AccessControlAllowed-ConnectionAttempt\",\"sourceIp\":\"10.48.0.6\",\"alertType\":\"ipReputation\",\"dModel\":\"TestTool\",\"destPort\":443,\"category\":\"Security Risk\",\"venueEndpointId\":\"venue_9876\",\"threatDetails\":\"\",\"subCategory\":\"Malware\",\"appName\":\"\",\"protocol\":\"TCP\",\"dHostName\":\"test.rim.net\",\"egressIp\":\"35.170.136.211\"}" }
Example syslog message - DNS Tunneling
{ "name": "dnsTunneling connection", "userEcoId": "Aiq2A2vxJQKuPDyqrU/BQBk=", "tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", "timestamp": "2022-02-22T13:47:33.945670+0000", "message": "{\"ipRepRisk\":\"\",\"ipRepContext\":\"\",\"flowId\":884470825841375,\"correlationId\":\"d8ab0341-6177-4fc5-88f5-0ce3f3fd3901\",\"dId\":\"16be1f36-2f04-4de7-9a19-3dd4fbcdf14f\",\"endpointId\":\"bab0fb44-bf67-4491-8f7d-07cf11d6e32e\",\"dManuf\":\"Example, Inc.\",\"dPlat\":\"Windows\",\"endpointIp\":\"172.29.133.168:43960\",\"dnsTunnellingNameServer\":\"192.12.94.30\",\"key\":\"\",\"dstAddress\":\"056c03240f000000001dcd70c88c2eea129b70a7513c4f1763799e670db8.2954ad5e62dcbe3e5b83d26e3f9c2430e59d3c9810f58e84ad26ced48770.917a4f5206269bc8358c8072b3.reallyevilsite.com\",\"policyName\":\"\",\"dOsVers\":\"Windows 10 Enterprise 2009\",\"tenantId\":\"L00000000\",\"sourcePort\":53966,\"mitreData\":\"\",\"dnsTunnellingScore\":\"low\",\"action\":\"allowed\",\"signature\":\"\",\"sourceIp\":\"10.10.10.2\",\"alertType\":\"dnsTunneling\",\"dModel\":\"Example Virtual Platform\",\"destPort\":53,\"category\":\"Security Risk\",\"venueEndpointId\":\"7340ccd2-f167-4a7e-873b-6ec4c9f4cfd8\",\"threatDetails\":\"\",\"subCategory\":\"DNS Tunneling\",\"appName\":\"\",\"protocol\":\"UDP\",\"dHostName\":\"test.rim.net\",\"egressIp\":\"35.170.136.211\"}" }
Example syslog message - zeroDay
{ "userEcoId":"Aj4aHPPwY4kzTYJPZpfETW4=", "tenantId":"V00000000", "type":"NetworkThreat", "name":"allowed connection", "source":"big.blackberry.com", "timestamp":"2021-06-28T18:38:28.453738+0000", "message":"{\"sourcePort\":42828,\"alertType\":\"zeroDay\",\"dModel\":\"TestTool\",\"dOsVers\":\"5.6.7\",\"action\":\"allowed\",\"appName\":\"\",\"flowId\":3367092445552440,\"protocol\":\"TLS\",\"tenantId\":\"V00000000\",\"threatDetails\":\"\",\"dnsTunnellingScore\":\"\",\"destPort\":443,\"dstAddress\":\"13.234.212.19\",\"venueEndpointId\":\"venue_9876\",\"sourceIp\":\"10.10.12.2\",\"endpointId\":\"1f3a651f-12aa-402c-a6e3-ca62b3cea0c7\",\"key\":\"\",\"endpointIp\":\"172.29.132.27:58313\",\"mitreData\":\"\",\"ipRepRisk\":\"High\",\"correlationId\":\"5e4ac53c-2565-4532-95dd-59b5b5ba4875\",\"category\":\"Security Risk\",\"policyName\":\"\",\"subCategory\":\"Unauthorized Marketplace\",\"dnsTunnellingNameServer\":\"\",\"dId\":\"venue_9876\",\"signature\":\"\",\"dPlat\":\"Windows\",\"dManuf\":\"BlackBerry\",\"dHostName\":\"test.rim.net\",\"egressIp\":\"35.170.136.211\"}" }
Example syslog message - Alert with HTTP metadata
{ "message": "{\"dPlat\":\"Windows\",\"dnsTunnellingScore\":\"\",\"venueEndpointId\":\"\",\"appName\":\"\",\"dId\":\"c5c5f9be-4a89-47d1-b4d9-817f8e0ed8c8\",\"endpointIp\":\"99.250.195.118:42523\",\"mitreData\":\"\",\"dstAddress\":\"10.0.34.163\",\"dModel\":\"NexusOne\",\"ipRepContext\":\"\",\"category\":\"\",\"dOsVers\":\"1.0.3.4567\",\"key\":\"\",\"sourceIp\":\"10.10.10.176\",\"sourcePort\":59705,\"tenantId\":\"L93379554\",\"correlationId\":\"f3ac0686-b3a0-4926-abff-7a98301d4221\",\"action\":\"blocked\",\"policyName\":\" Allowinternettraffic with space \",\"http\":{\"hostname\":\"10.0.34.163\",\"length\":0,\"httpMethod\":\"GET\",\"url\":\"/hello_3.txt\",\"protocol\":\"HTTP/1.1\"},\"signature\":\"AccessControlAllowed\",\"endpointId\":\"9ccbfaa1-450e-45b3-a2ca-e7a249d891b5\",\"alertType\":\"accessControl\",\"dnsTunnellingNameServer\":\"\",\"threatDetails\":\"\",\"dHostName\":\"test.rim.net\",\"ipRepRisk\":\"\",\"destPort\":8001,\"dManuf\":\"Samsung\",\"flowId\":887043762211702,\"subCategory\":\"\",\"protocol\":\"TCP\"}", "source": "big.blackberry.com", "type": "NetworkThreat", "name": "blocked connection", "timestamp": "2021-08-12T12:51:55.119715+0000", "tenantId": "L93379554", "userEcoId": "An76hRPlf1of9q5mc+8W3I4=" }
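The message layout described above (an outer JSON envelope whose "message" field is itself a JSON document serialised as a string) is the part a SIEM ingestion pipeline most often gets wrong. The following Python is an added example, not BlackBerry's code and not part of this page: it decodes both layers, normalises the values the page documents with inconsistent case (the examples carry "high" and "High" for ipRepRisk, and "fqdn" for ipRepContext where the table lists "FQDN"), accepts both the "dnsTunnelling" spelling from the alertType table and the "dnsTunneling" spelling from the example message, cross-checks ipRepContext against what dstAddress actually parses as, and derives a simple triage priority. The two sample lines are constructed for this example with invented identifiers; the field names are the ones documented above, and the priority scheme is an assumption of this example rather than anything the product defines.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Any, Optional

# Constructed sample lines modelled on this page's field layout (hypothetical
# identifiers and addresses; not real tenant, device or destination data).
SAMPLE_IP_REPUTATION_BLOCKED = (
    '{ "name": "blocked connection", "userEcoId": "EXAMPLEECOID=", '
    '"tenantId": "L00000000", "type": "NetworkThreat", "source": "big.blackberry.com", '
    '"timestamp": "2022-03-29T13:39:49.806287+0000", '
    '"message": "{\\"ipRepRisk\\":\\"high\\",\\"ipRepContext\\":\\"fqdn\\",'
    '\\"alertType\\":\\"ipReputation\\",\\"action\\":\\"blocked\\",'
    '\\"dstAddress\\":\\"192.0.2.24\\",\\"destPort\\":443,\\"protocol\\":\\"TCP\\",'
    '\\"sourceIp\\":\\"192.0.2.20\\",\\"sourcePort\\":53845,\\"mitreData\\":\\"\\",'
    '\\"dnsTunnellingScore\\":\\"\\",\\"dHostName\\":\\"test.example.com\\"}" }'
)
SAMPLE_DNS_TUNNELLING = (
    '{ "name": "dnsTunneling connection", "tenantId": "L00000000", '
    '"type": "NetworkThreat", "source": "big.blackberry.com", '
    '"timestamp": "2022-02-22T13:47:33.945670+0000", '
    '"message": "{\\"alertType\\":\\"dnsTunneling\\",\\"action\\":\\"allowed\\",'
    '\\"dnsTunnellingScore\\":\\"low\\",\\"dnsTunnellingNameServer\\":\\"192.0.2.53\\",'
    '\\"dstAddress\\":\\"056c03240f00.example.invalid\\",\\"destPort\\":53,'
    '\\"protocol\\":\\"UDP\\",\\"sourceIp\\":\\"10.10.10.2\\",\\"ipRepRisk\\":\\"\\",'
    '\\"ipRepContext\\":\\"\\",\\"mitreData\\":\\"\\",\\"dHostName\\":\\"host01\\"}" }'
)


@dataclass
class GatewayEvent:
    name: str
    tenant_id: str
    timestamp: str
    alert_type: str            # "dnsTunnelling" is folded into "dnsTunneling"
    action: str                # normalised to lower case ("blocked"/"allowed")
    dst_address: str
    dst_port: Optional[int]
    protocol: str
    ip_rep_risk: str           # normalised to "high"/"medium"/"low"/""
    ip_rep_context: str        # normalised to "ip"/"fqdn"/""
    dns_tunnelling_score: str  # normalised to "high"/"medium"/"low"/""
    mitre: dict                # contents of mitreData.mitre, or {} when absent
    context_mismatch: bool     # True when ipRepContext disagrees with dstAddress


def _norm(value: Any) -> str:
    """Lower-case, stripped string; None becomes the empty string."""
    return str(value).strip().lower() if value is not None else ""


def classify_destination(dst: str) -> str:
    """Return 'ip' if dst parses as an IPv4/IPv6 address, otherwise 'fqdn'."""
    try:
        ipaddress.ip_address(dst)
        return "ip"
    except ValueError:
        return "fqdn"


def parse_gateway_event(line: str) -> GatewayEvent:
    """Decode one syslog line: outer envelope, then the JSON inside 'message'."""
    outer = json.loads(line)
    inner = json.loads(outer["message"])  # second decode: message is a JSON string
    # mitreData is "" when absent and {"mitre": {...}} when a signature carries it.
    mitre_data = inner.get("mitreData") or {}
    mitre = mitre_data.get("mitre", {}) if isinstance(mitre_data, dict) else {}
    alert_type = inner.get("alertType", "")
    if alert_type == "dnsTunnelling":  # table spelling; examples use one 'l'
        alert_type = "dnsTunneling"
    context = _norm(inner.get("ipRepContext"))
    dst = inner.get("dstAddress", "")
    # The page says to use ipRepContext to interpret dstAddress; verify it agrees.
    mismatch = bool(context) and context != classify_destination(dst)
    port = inner.get("destPort")
    return GatewayEvent(
        name=outer.get("name", ""),
        tenant_id=outer.get("tenantId", ""),
        timestamp=outer.get("timestamp", ""),
        alert_type=alert_type,
        action=_norm(inner.get("action")),
        dst_address=dst,
        dst_port=int(port) if port not in (None, "") else None,
        protocol=inner.get("protocol", ""),
        ip_rep_risk=_norm(inner.get("ipRepRisk")),
        ip_rep_context=context,
        dns_tunnelling_score=_norm(inner.get("dnsTunnellingScore")),
        mitre=mitre,
        context_mismatch=mismatch,
    )


SEVERITY = {"high": 3, "medium": 2, "low": 1, "": 0}


def triage_priority(ev: GatewayEvent) -> int:
    """Example queue priority (0-5, an assumption of this example): risky
    destinations rank higher, and allowed traffic ranks above blocked traffic
    because a blocked connection was already stopped by the gateway."""
    if ev.alert_type == "ipReputation":
        score = SEVERITY.get(ev.ip_rep_risk, 0)
    elif ev.alert_type == "dnsTunneling":
        score = SEVERITY.get(ev.dns_tunnelling_score, 0)
    elif ev.alert_type == "signature":
        score = 2 if ev.mitre else 1  # MITRE-tagged rules get a small bump
    else:
        score = 1
    if ev.action == "allowed":
        score += 2
    return min(score, 5)


if __name__ == "__main__":
    for raw in (SAMPLE_IP_REPUTATION_BLOCKED, SAMPLE_DNS_TUNNELLING):
        ev = parse_gateway_event(raw)
        print(ev.alert_type, ev.action, ev.dst_address, "priority", triage_priority(ev),
              "context-mismatch" if ev.context_mismatch else "")
```

Feed each syslog line through parse_gateway_event before indexing; the double decode is what turns the escaped "message" string into queryable fields. The context_mismatch flag exists because the page's own IP reputation (blocked) example reports ipRepContext "fqdn" with a dstAddress that is a plain IPv4 address, so a pipeline that trusts ipRepContext alone to choose between a hostname and an IP lookup would route that event wrongly.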