CylancePROTECT Mobile alerts
CylancePROTECT Mobile
alertsThis option is visible only if
CylancePROTECT Mobile
is enabled. When this option is turned on, the mobile alerts that are detected by the CylancePROTECT Mobile app on users’ devices are sent to your organization’s syslog server.Field | Value | Description |
|---|---|---|
Alert Id | [varies] | This is the unique ID associated with the mobile alert. |
Alert Name | maliciousApplication: [app name] | This is the name of the malicious app that the CylancePROTECT Mobile app detected. |
sideLoadedApplication for Android : [app name] | This is the name of the sideloaded app that the CylancePROTECT Mobile app detected. | |
sideLoadedApplication for iOS : [signing ID] | This is the signing ID of the sideloaded app that the CylancePROTECT Mobile app detected. | |
jailbrokenOrRooted for Android : Rooted | The CylancePROTECT Mobile app detected that the device is rooted. | |
jailbrokenOrRooted for iOS : Jailbroken | The CylancePROTECT Mobile app detected that the device is jailbroken. | |
deviceEncryption: Encryption disabled | The CylancePROTECT Mobile app detected that encryption is not enabled on the device. | |
deviceScreenlock: Screenlock disabled | The CylancePROTECT Mobile app detected that a screen lock is not enabled on the device. | |
iOsIntegrityFailure: iOS App Integrity Check | The CylancePROTECT Mobile app failed an integrity check. | |
androidSafetyNetFailure: Android SafetyNet | The CylancePROTECT Mobile app failed a SafetyNet attestation check. | |
androidHWFailure: Android Hardware | The CylancePROTECT Mobile app failed hardware certificate attestation. | |
unsupportedSecurityPatch: [patch version] OR Untrusted (attestation certificate verification failed) OR Unknown (attestation info is missing) | The version of the unsupported security patch that the CylancePROTECT Mobile app detected. | |
unsupportedOS: [OS name], [OS version] | The name and version of the supported OS that the CylancePROTECT Mobile app detected. | |
unsupportedModel: [model name] | The name of the unsupported device model that the CylancePROTECT Mobile app detected. | |
unsafeMessage: Malicious SMS OR Feature disabled by user | The CylancePROTECT Mobile app detected a text message with a potentially unsafe URL. | |
compromisedNetwork: [Network_type] | The type of the potentially unsafe network that the CylancePROTECT Mobile app detected. | |
insecureWiFi: [SSID] OR Feature disabled by user | The SSID of the potentially insecure Wi-Fi access point that the CylancePROTECT Mobile app detected. | |
androidKnoxFailure: Android KNOX Attestation OR Feature disabled by user | Using Samsung Knox Enhanced Attestation, CylancePROTECT Mobile has identified a potential security issue with the user's device. | |
developerMode: Developer mode is enabled | The CylancePROTECT Mobile app detected that developer mode is enabled on the user's device. | |
Alert Status | New | The mobile alert is not yet resolved. |
Resolved | The mobile alert is resolved. | |
Alert Type | maliciousApplication | The CylancePROTECT Mobile app detected a malicious app. |
sideLoadedApplication | The CylancePROTECT Mobile app detected a sideloaded app. | |
jailbrokenOrRooted | The CylancePROTECT Mobile app detected that the device is jailbroken or rooted. | |
deviceEncryption | The CylancePROTECT Mobile app detected that encryption is not enabled on the device. | |
deviceScreenlock | The CylancePROTECT Mobile app detected that a screen lock is not enabled on the device. | |
iOsIntegrityFailure | The CylancePROTECT Mobile app failed an integrity check. | |
androidSafetyNetFailure | The CylancePROTECT Mobile app failed a SafetyNet attestation check. | |
androidHWFailure | The CylancePROTECT Mobile app failed hardware certificate attestation. | |
unsupportedSecurityPatch | Based on the administrator configuration of the CylancePROTECT Mobile policy, the CylancePROTECT Mobile app detected an unsupported security patch. | |
unsupportedOS | Based on the administrator configuration of the CylancePROTECT Mobile policy, the CylancePROTECT Mobile app detected that the device has an unsupported OS. | |
unsupportedModel | Based on the administrator configuration of the CylancePROTECT Mobile policy, the CylancePROTECT Mobile app detected that the device is an unsupported model. | |
unsafeMessage | The CylancePROTECT Mobile app detected a text message with a potentially unsafe URL. | |
compromisedNetwork | The CylancePROTECT Mobile app detected a potentially unsafe network. | |
insecureWiFi | The CylancePROTECT Mobile app detected a potentially insecure Wi-Fi access point. | |
androidKnoxFailure | Using Samsung Knox Enhanced Attestation, CylancePROTECT Mobile has identified a potential security issue with the user's device. | |
developerMode | The CylancePROTECT Mobile app detected that developer mode is enabled on the user's device. | |
Application Sha256 | [SHA256 hash] | This is the SHA256 hash of a malicious or sideloaded Android app that the CylancePROTECT Mobile app detected. |
Application Name | [app name] | This is the name of a malicious or sideloaded Android app that the CylancePROTECT Mobile app detected. |
Attestation Rule Failure | [attestation rules] | These are the rules that failed when an attestation check occurred for the CylancePROTECT Mobile app. |
Attestation State | [attestation state] | This is the attestation state of the CylancePROTECT Mobile app. |
Attestation SubType | [attestation sub-type] | This is the sub-type of the attestation check for the CylancePROTECT Mobile app. |
Attestation Type | [attestation type] | This is the type of the attestation check for the CylancePROTECT Mobile app. |
Description | maliciousApplication: [package name], [package version], [SHA256 hash] | These are the details of the malicious app that was detected. |
sideLoadedApplication for Android : [package name], [package version], [installer source], [SHA256 hash] | These are the details of the sideloaded app that was detected. | |
sideLoadedApplication for iOS : empty string | This field is not supported for iOS . | |
jailbrokenOrRooted: [OS name], [OS version] | This is the OS name and version of the jailbroken or rooted device. | |
deviceEncryption: [OS name], [OS version] | This is the OS name and version of the device that does not have encryption enabled. | |
deviceScreenlock: [OS name], [OS version] | This is the OS name and version of the device that does not have a screen lock enabled. | |
iOsIntegrityFailure: [attestation type], [attestation state] | These are the details of the failed iOS integrity check. | |
androidSafetyNetFailure: [attestation type] | These are the details of the failed SafetyNet attestation check. | |
androidHWFailure: [attestation type], [attestation state], [rule failure] | These are the details of the failed hardware certificate attestation. | |
unsupportedOS: [OS name], [OS version] | This is the OS name and version of the device with an unsupported OS. | |
unsafeMessage: [list of URLs] | The list of potentially unsafe URLs that were detected. | |
compromisedNetwork: [SSID] | The SSID of the potentially unsafe network. | |
insecureWiFi: [ Wi-Fi access algorithms] | The Wi-Fi access algorithms of the potentially insecure access point. | |
androidKnoxFailure: Knox, Device Failure | Using Samsung Knox Enhanced Attestation, CylancePROTECT Mobile has identified a potential security issue with the user's device. | |
developerMode: [OS name], [OS version] | The name and version of the device OS on which developer mode has been detected. | |
Detected | [varies] | This is the date and time the alert was detected. |
Device Id | [varies] | This is the unique ID of the user’s device. |
Device Model | [model] | This is the model of the user's mobile device. |
Device Name | [varies] | This is the name of the user’s mobile device. |
Event Type | MobileAlert | This is the defined event type for mobile alerts. |
Event Name | ProtectMobileAlert | This is the defined event name for mobile alerts. |
First Name | [varies] | This is the first name of the device user. |
Installer Source | [package name] | This is the package name of a sideloaded Android app that the CylancePROTECT Mobile app detected. |
Last Name | [varies] | This is the last name of the device user. |
Malicious URLs | [URLs] | This is the list of potentially unsafe URLs detected in a text message. |
Network Type | [network type] | This is the type of a potentially unsafe network. |
Os Name | [OS name] | This is the OS of the device. |
Os Version | [OS version] | This is the device's OS version. |
Package Name | [package name] | This is the package name of a malicious or sideloaded Android app that the CylancePROTECT Mobile app detected. |
Package Version | [package version] | This is the package version of a malicious or sideloaded Android app that the CylancePROTECT Mobile app detected. |
Signing Identity | [signing ID] | This is the signing ID of a sideloaded iOS app that the CylancePROTECT Mobile app detected. |
Signing Identity Sha256 | [signing ID hash] | This is the signing ID hash of a sideloaded iOS app that the CylancePROTECT Mobile app detected. |
Ssid | [SSID] | This is the SSID of a potentially unsafe network. |
Example syslog message
May 31 17:34:04 sysloghost CylancePROTECT Event Type: MobileAlert, Event Name: ProtectMobileAlert, Alert Type: sideLoadedApplication, Alert Name: Protect, Description: com.blackberry.protect, 1.4.397 (Installer Source: com.google.android.packageinstaller), 1234ABCD5678EFGH1234ABCD5678EFGH1234ABCD5678EFGH1234ABCD5678EFGH, Detected: 5/31/2021 2:32:12 PM, Alert Status: New, Device Name: Galaxy S9 SM-G960F, First Name: John, Last Name: Smith, Device Id: 1abc2345-67d8-9123-45ef-g45hi67j8kl9, Alert Id: a1b23456-789c-12d3-e45f-g6h7i8jk9123, Application Sha245: 1234ABCD5678EFGH1234ABCD5678EFGH1234ABCD5678EFGH1234ABCD5678EFGH, Application Name: Protect, Installer Source: com.google.android.packageinstaller, Package Name: com.blackberry.protect, Package Version: 1.4.397