CylanceAVERT events

This option is visible only if CylanceAVERT is enabled. When this option is turned on, the events that are detected by the agent on users' devices are sent to your organization's syslog server.

Field | Value | Description |
---|---|---|
Tenant | String | This is the Cylance Endpoint Security tenant associated with the endpoint. |
Event Type | AvertEvent | This is the defined event type for data exfiltration alerts. |
Event Name | Data Exfiltration Event | This is the defined event name for data exfiltration alerts. |
Eco ID | [varies] | This is the user's EcoID, if available. |
Timestamp | [varies] | This is the date and time the event occurred. |
Source | com.blackberry.dlp | This is the BlackBerry product generating the event. |
Username | [varies] | This is the username associated with the event, if available. |
User Email | [varies] | This is the email of the user associated with the event, if available. |
User Title | [varies] | This is the title of the user associated with the event, if available. |
User Department | [varies] | This is the department of the user associated with the event, if available. |
Container ID | Device ID | This is the Device ID for the Desktop client. |
Client Version | [varies] | This is the CylanceAVERT capability version. |
Device Name | [varies] | This is the name of the device associated with the data exfiltration event. |
Client Type | [varies] | This is the type of client associated with the data exfiltration event. |
Device OS | [varies] | This is the operating system of the device. |
Version of OS | [varies] | This is the version of the operating system on the device. |
Policy Names | [varies] | This is a list of the policy names that triggered the event. This list can contain 1 or more policy names. |
Activity Type | Browser upload | The file was exfiltrated through a browser upload. |
| Email send | The file was exfiltrated through the content of an email message. |
| File transfer | The file was exfiltrated in the attachment of an email message. |
| Copy to | The file was exfiltrated by copying the file to a USB device. |
Locations | [varies] | This is the location that the exfiltrated file was sent to. |
Email Subject | [varies] | This is the subject of the email message in which the file was sent. |
File Info | [varies] | This is the SHA256 hash and the file type of the file that was exfiltrated. |
Data Types | [varies] | These are the names of the data types that were involved in the event. For more information on data types, see Specifying sensitive data types. |
Example syslog message. Note that the Event Type and Event Name values in this sample (InfoProtectEvent) differ from the AvertEvent and Data Exfiltration Event values listed in the table above, so a parser should rely on the JSON carried in the Message field (in particular its source, category and subcategory values) rather than on the header tokens alone. The sample is sent as a single line; the JSON in the Message field is expanded here for readability, and the email value is quoted as JSON requires:

```
Sep 02 15:04:59 sysloghost CylancePROTECT Event Type: InfoProtectEvent, Event Name: InfoProtectEvent, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message:
{
  "common": {
    "id": "a15e547f-a13f-4f0f-888a-888650702cdf",
    "tenantId": "L1234564",
    "occurred": "2021-08-10T16:17:09Z",
    "traceId": "ab59fe31",
    "spanId": "d89e3ab",
    "source": "com.blackberry.dlp",
    "type": "ALERT",
    "category": "Exfiltration",
    "subcategory": "Email",
    "message": "Email Exfiltration Detected"
  },
  "user": {
    "id": "a15e547f-a13f-4f0f-888a-888650702cdf",
    "ecoId": "Am6XZ102mlPgFzI/N8mjANP4=",
    "displayName": "JSmith",
    "email": "jsmith@example.com",
    "title": "Engineer",
    "department": "Engineering"
  },
  "device": {
    "id": "a15e547f-a13f-4f0f-888a-888650702cdf",
    "osFamily": "Windows",
    "osVersion": "10.7.0"
  },
  "endpoint": {
    "id": "a15e547f-a13f-4f0f-888a-888650702cdf",
    "version": "10.7.0",
    "name": "jsmith Desktop",
    "type": "DESKTOP"
  },
  "files": [
    { "sha256": "asfafsdfdsfsf", "type": "doc" },
    { "sha256": "hdfbbhjhgjghn", "type": "pdf" }
  ],
  "profiles": [
    { "id": "a15e547f-a13f-4f0f-888a-888650702cdf", "type": "PROFILE", "displayName": "HIPAA" },
    { "id": "b15d547f-a13f-4f0f-888a-888650702cdf", "type": "PROFILE", "displayName": "Finance" }
  ],
  "locations": ["blackberry.com", "example.com"],
  "dataEntityNames": ["Credit card numbers", "Age", "SSN"],
  "emailSubject": "Architecture Change"
}
```
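The following is an added example, not BlackBerry code, showing how a SIEM-side consumer might parse a line of this shape into the fields of the table above and apply a triage rule to it. The sample line is constructed after the page's example message (with the email value quoted), and the triage rule, the destination allowlist and the set of critical data types are this example's own assumptions, not product features. The JSON-to-Activity Type mapping is not given on the page, so the raw category/subcategory is kept rather than guessed.

```python
"""Parse a CylanceAVERT syslog event into the table's fields and triage it."""
import json
import re

# Constructed sample modelled on the page's example message (not a real capture).
# The payload is the page's sample JSON with the unquoted email value corrected.
SAMPLE_PAYLOAD = {
    "common": {"id": "a15e547f-a13f-4f0f-888a-888650702cdf", "tenantId": "L1234564",
               "occurred": "2021-08-10T16:17:09Z", "traceId": "ab59fe31", "spanId": "d89e3ab",
               "source": "com.blackberry.dlp", "type": "ALERT", "category": "Exfiltration",
               "subcategory": "Email", "message": "Email Exfiltration Detected"},
    "user": {"id": "a15e547f-a13f-4f0f-888a-888650702cdf", "ecoId": "Am6XZ102mlPgFzI/N8mjANP4=",
             "displayName": "JSmith", "email": "jsmith@example.com", "title": "Engineer",
             "department": "Engineering"},
    "device": {"id": "a15e547f-a13f-4f0f-888a-888650702cdf", "osFamily": "Windows",
               "osVersion": "10.7.0"},
    "endpoint": {"id": "a15e547f-a13f-4f0f-888a-888650702cdf", "version": "10.7.0",
                 "name": "jsmith Desktop", "type": "DESKTOP"},
    "files": [{"sha256": "asfafsdfdsfsf", "type": "doc"}, {"sha256": "hdfbbhjhgjghn", "type": "pdf"}],
    "profiles": [{"id": "a15e547f-a13f-4f0f-888a-888650702cdf", "type": "PROFILE", "displayName": "HIPAA"},
                 {"id": "b15d547f-a13f-4f0f-888a-888650702cdf", "type": "PROFILE", "displayName": "Finance"}],
    "locations": ["blackberry.com", "example.com"],
    "dataEntityNames": ["Credit card numbers", "Age", "SSN"],
    "emailSubject": "Architecture Change",
}
SAMPLE_LINE = (
    "Sep 02 15:04:59 sysloghost CylancePROTECT Event Type: InfoProtectEvent, "
    "Event Name: InfoProtectEvent, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, "
    "User: John Smith (jsmith@example.com), User Name: jsmith, Message: "
    + json.dumps(SAMPLE_PAYLOAD)
)

# Header shape: "<Mon dd HH:MM:SS> <host> <app> Key: Value, Key: Value, ..., Message: <json>"
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<app>\S+) (?P<rest>.+)$"
)


def parse_event(line: str) -> dict:
    """Return the event keyed by the field names of the table above."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Cylance syslog line")
    # The JSON payload follows the "Message: " token; everything before it is
    # comma-separated "Key: Value" pairs (values may contain spaces and parentheses).
    fields, sep, payload = m.group("rest").partition("Message: ")
    if not sep:
        raise ValueError("no Message payload in event")
    header = {k: v for k, _, v in (kv.partition(": ") for kv in fields.rstrip(", ").split(", "))}
    msg = json.loads(payload)
    common, user = msg.get("common", {}), msg.get("user", {})
    device, endpoint = msg.get("device", {}), msg.get("endpoint", {})
    return {
        "Tenant": common.get("tenantId"),
        "Event Type": header.get("Event Type"),
        "Event Name": header.get("Event Name"),
        "Eco ID": header.get("Eco Id") or user.get("ecoId"),
        "Timestamp": common.get("occurred"),
        "Source": common.get("source"),
        "Username": header.get("User Name") or user.get("displayName"),
        "User Email": user.get("email"),
        "User Title": user.get("title"),
        "User Department": user.get("department"),
        "Container ID": device.get("id"),
        "Client Version": endpoint.get("version"),
        "Device Name": endpoint.get("name"),
        "Client Type": endpoint.get("type"),
        "Device OS": device.get("osFamily"),
        "Version of OS": device.get("osVersion"),
        "Policy Names": [p.get("displayName") for p in msg.get("profiles", [])],
        # Raw category/subcategory; the page gives no mapping to the Activity Type values.
        "Activity (raw)": f"{common.get('category')}/{common.get('subcategory')}",
        "Locations": list(msg.get("locations", [])),
        "Email Subject": msg.get("emailSubject"),
        "File Info": [(f.get("sha256"), f.get("type")) for f in msg.get("files", [])],
        "Data Types": list(msg.get("dataEntityNames", [])),
    }


def triage(event: dict, allowed_domains: set, critical_data_types: set) -> list:
    """Hypothetical triage rule (this example's assumption, not a product feature):
    flag destinations outside the allowlist and any critical data type involved."""
    reasons = []
    for loc in event["Locations"]:
        if loc.lower() not in allowed_domains:
            reasons.append(f"external destination: {loc}")
    hits = sorted(set(event["Data Types"]) & critical_data_types)
    if hits:
        reasons.append("critical data types: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    ev = parse_event(SAMPLE_LINE)
    for key, value in ev.items():
        print(f"{key}: {value}")
    print(triage(ev, {"example.com"}, {"SSN", "Credit card numbers"}))
```

Because the header fields (Event Type, Event Name, User Name) duplicate values that also appear in the JSON, the parser prefers the header where present and falls back to the JSON; keying the result by the table's own field names keeps the mapping from this page to a SIEM schema auditable.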