CylancePROTECT Desktop audit log

Selecting this option will send the audit log of user actions performed in the management console to the syslog server. Audit log events will always appear in the audit log screen, even when this option is not enabled.
| Field | Value | Description |
|---|---|---|
| Eco Id | [varies] | This is the administrator user's EcoID, if available. |
| Event Name | AuditLog | This is an audit log event. |
| | AcceptEula | The user accepted the End-User License Agreement (the first user to log in to a newly created tenant). |
| | AgentUpdate | The user updated the CylancePROTECT Desktop agent. |
| | ApplicationAdd | The administrator user created a custom application (on the Integration page). This includes the name of the application. |
| | ApplicationEdit | The administrator user updated the custom application name. |
| | ApplicationEdit | The administrator user changed the permissions for a custom application. |
| | ApplicationEdit | The administrator user regenerated the credentials for the custom application. |
| | ApplicationRemove | The administrator user removed a custom application. |
| | CertificateRepositoryAddItem | The administrator user added a certificate. The message includes the name and thumbprint for the certificate. |
| | CertificateRepositoryDeleteItem | The administrator user deleted a certificate. The message includes the name and thumbprint for the certificate. |
| | CertificateRepositoryEditItem | The administrator user edited a certificate. The message includes the name and thumbprint for the certificate. |
| | CertificateSafelistAddItem | The administrator user added a certificate to the safe list. |
| | CertificateSafelistDeleteItem | The administrator user removed a certificate from the safe list. |
| | CustomAuthenticationDisable | The administrator user disabled custom authentication. |
| | CustomAuthenticationSave | The administrator user saved custom authentication settings. |
| | DeleteAllQuarantinedFiles | The administrator user issued a command from the management console to delete all quarantined files on a device. |
| | DeleteTokenThreatDataReport | The administrator user deleted the threat data report token. |
| | DetectionExceptionAdd | The administrator user added a CylanceOPTICS detection exception. |
| | DetectionExceptionEdit | The administrator user edited a CylanceOPTICS detection exception. |
| | DetectionExceptionRemove | The administrator user removed a CylanceOPTICS detection exception. |
| | DetectionRuleAdd | The administrator user added a CylanceOPTICS detection rule. |
| | DetectionRuleEdit | The administrator user edited a CylanceOPTICS detection rule. |
| | DetectionRuleRemove | The administrator user removed a CylanceOPTICS detection rule. |
| | DetectionRuleSetAdd | The administrator user added a CylanceOPTICS detection rule set. |
| | DetectionRuleSetEdit | The administrator user edited a CylanceOPTICS detection rule set. |
| | DetectionRuleSetRemove | The administrator user removed a CylanceOPTICS detection rule set. |
| | DetectionsChangeStatus | The administrator user changed the status of a CylanceOPTICS detection. |
| | DetectionsRemove | The administrator user removed a CylanceOPTICS detection. |
| | DeviceAdd | The administrator user registered a device. |
| | DeviceChangeLockdownProfile | The administrator user changed the customized partial lockdown configuration for a device. |
| | DeviceEdit | The administrator user edited a device. |
| | DeviceFileDownload | The administrator user downloaded a file that CylanceOPTICS identified as a potential threat. |
| | DeviceLock | The administrator user locked a device. |
| | DeviceRemove | The administrator user removed a device. |
| | DeviceShowUnlockKey | The administrator user revealed the unlock key for a device. |
| | DeviceUnlock | The administrator user unlocked a device. |
| | DownloadThreatDataReport | The administrator user downloaded the deprecated threat data report. |
| | EndUserAssignPolicy | The administrator user assigned a CylancePROTECT Mobile policy to one or more users. The message indicates the assigned users and policy. |
| | EndUserAdd | The administrator user added a CylancePROTECT Mobile user. The message includes the CylancePROTECT Mobile user's email address and name. |
| | EndUserImport | The administrator user imported CylancePROTECT Mobile users. The message includes the CylancePROTECT Mobile user email addresses and names. |
| | EndUserRemove | The administrator user removed a CylancePROTECT Mobile user. The message includes the CylancePROTECT Mobile user's email address and name. |
| | EndUserSendInvitation | The administrator user sent an activation password and QR code to one or more CylancePROTECT Mobile devices. The message includes the CylancePROTECT Mobile user email addresses, a success count, and a failure count. |
| | FocusDataAdd | The administrator user retrieved focus data. |
| | GenerateTokenThreatDataReport | The administrator user generated a new token for the threat data report. |
| | GhostLoginSettingChange | The administrator user enabled or disabled the enable support login feature. |
| | GlobalListAdd | The administrator user added a file to the global list. |
| | GlobalListRemove | The administrator user removed a file from the global list. |
| | InstallationTokenDelete | The administrator user deleted the installation token. |
| | InstallationTokenRegenerate | The administrator user generated a new installation token. |
| | InstaQueryAdd | The administrator user added an InstaQuery. |
| | InstaQueryRemove | The administrator user removed an InstaQuery. |
| | InvitationUrlGenerate | The administrator user generated an invitation URL. |
| | JobServiceStop | The administrator user stopped a package deploy job. |
| | LockdownConfigurationAdd | The administrator user added a custom partial lockdown configuration. |
| | LockdownConfigurationEdit | The administrator user changed a custom partial lockdown configuration. |
| | LockdownConfigurationDelete | The administrator user deleted a custom partial lockdown configuration. |
| | LoginFailure | The administrator user failed to log in to the management console. |
| | LoginSuccess | The administrator user successfully logged in to the management console. |
| | MobileAlertsExport | The administrator user exported CylancePROTECT Mobile alert information from the management console. The message indicates any filters that were applied. |
| | MobileAlertsIgnore | The administrator user selected and ignored a CylancePROTECT Mobile alert. The message indicates the type and name of the mobile alert. |
| | MobileDeviceExport | The administrator user exported CylancePROTECT Mobile device information from the management console. The message indicates any filters that were applied. |
| | MobileDeviceRemove | The administrator user removed a CylancePROTECT Mobile device. The message indicates the removed user and device details. |
| | MobileExclusionsAdd | The administrator user added an app or developer certificate to the CylancePROTECT Mobile safe or unsafe list. |
| | MobileExclusionsRemove | The administrator user removed an app or developer certificate from the CylancePROTECT Mobile safe or unsafe list. |
| | MobilePolicyAdd | The administrator user added a CylancePROTECT Mobile policy. The message indicates the policy name and settings. |
| | MobilePolicyEdit | The administrator user edited a CylancePROTECT Mobile policy. The message indicates the policy name and changes. |
| | MobilePolicyRemove | The administrator user removed a CylancePROTECT Mobile policy. The message indicates the removed policy. |
| | NightlyThreatDataReportChange | The administrator user enabled or disabled the threat data report (on the applications page). |
| | PackageDeployAdd | The administrator user added a package deploy. |
| | PackageDeployRemove | The administrator user removed a package deploy. |
| | PackagePlaybookAdd | The administrator user added a CylanceOPTICS package playbook. |
| | PackagePlaybookEdit | The administrator user edited a CylanceOPTICS package playbook. |
| | PackagePlaybookRemove | The administrator user removed a CylanceOPTICS package playbook. |
| | PlaybookResultRemove | The administrator user removed a CylanceOPTICS package playbook result. |
| | PolicyAdd | The administrator user added a policy. The message includes the policy name. |
| | PolicyEdit | The administrator user edited a policy. The message includes the policy name. |
| | PolicyRemove | The administrator user removed a policy. The message includes the policy name. |
| | PolicySafeListAdd | The administrator user added a file to the policy safe list. The message includes the SHA256 hash that was added. |
| | PolicySafeListRemove | The administrator user removed a file from the policy safe list. The message includes the SHA256 hash that was removed. |
| | RemoteResponseConnect | The administrator user opened a CylanceOPTICS remote response session with a device. |
| | RemoteResponseDisconnect | The administrator user closed a CylanceOPTICS remote response session. |
| | RequestToGenerateThreatDataReport | The administrator user enabled or disabled the Threat Data Report (on the Application page). |
| | ScriptControlExclusionListAdd | The administrator user added a script to the Global Safe List. |
| | ScriptControlExclusionListRemove | The administrator user removed a script from the Global Safe List. |
| | SyslogDisable | The administrator user disabled the syslog feature. |
| | SyslogSettingSave | The administrator user saved the syslog settings. |
| | ThreatGlobalQuarantine | The administrator user added a file to the Global Quarantine List. |
| | ThreatQuarantine | The administrator user quarantined a file for an endpoint. |
| | ThreatSafeList | The administrator user added a file to the Global Safe List. |
| | ThreatWaive | The administrator user waived a file for an endpoint. |
| | UninstallAgentPasswordSave | The user saved a password after enabling the option to require a password to uninstall the CylancePROTECT Desktop agent. |
| | UninstallAgentRequirePasswordDisable | The user turned off the option to require users to specify a password to uninstall the CylancePROTECT Desktop agent. |
| | UserAdd | The administrator user created a user. |
| | UserEdit | The administrator user edited a user. |
| | UserRemove | The administrator user removed a user. |
| | ZoneAdd | The administrator user added a zone. |
| | ZoneAddDevice | The administrator user added a device to a zone. |
| | ZoneEdit | The administrator user edited a zone. |
| | ZoneRemove | The administrator user removed a zone. |
| | ZoneRemoveDevice | The administrator user removed a device from a zone. |
| | ZoneRuleAdd | The administrator user added a zone rule. |
| | ZoneRuleEdit | The administrator user edited a zone rule. |
| | ZoneRuleRemove | The administrator user removed a zone rule. |
| Message | [varies] | The message contains information related to the action. Example: when a file is added to the global quarantine list, the message might include the file hash and the reason given for adding it to the global list. |
| User | [varies] | The user who logged in and triggered this audit log event. |
Example message for audit log events that are sent to a syslog server or SIEM solution

```
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, Message: SHA256: A1E92E2E84A1321F499A5EC500E8B9A9C0CA28701668BF13EA56D3995A96153F, 1CCC95B7B2F781D55D538CA01D6049762FDF6A75B32A06DF3CC2EDC1F1573BFA; Reason: Manually blacklisting these 2 threats., User: (johnsmith@contoso.com)
```

Example message for audit log events that are sent to a syslog server or SIEM solution with Eco Id

```
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ZoneEdit, Message: Example message, User: (johnsmith@contoso.com, Eco Id: Bn6ZX201mlPgFzl/M9njAPI4=
```

Example message for API events sent to a syslog server or SIEM solution in audit log

API create/add, update, and delete events are captured in the audit log. In the example below, the term "user" appears twice. The first user is the name of the user being edited. The second user is the name of the management console user who triggered the audit event; for an API event, this field is empty. The information on the user who performed the API event is not captured because the event was performed using an authentication token, not by a user logged in to the management console.

```
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: UserEdit, Message: User: Jane Smith, User: (janesmith@contoso.com)
```

Example message for audit log events that are sent to a syslog server or SIEM solution with LockdownConfigurationAdd

```
Event Type: AuditLog, Event Name: LockdownConfigurationAdd, Message: Configuration Profile: Test 1; Description: Description 1; Whitelist Definitions: {'WhitelistedAddresses': [{'ip_address': '10.10.10.10', 'direction': 'Inbound'}, {'ip_address': '192.168.0.10:3389', 'direction': 'BiDirectional'}], 'WhitelistedPorts': [{'port': 22, 'direction': 'Outbound'}]}, User: John johndoe@blackberry.com (johndoe@blackberry.com)
```
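The examples above show the message layout a SIEM has to take apart: a fixed `Event Type` / `Event Name` / `Message` header, an optional product prefix, a trailing `User` field that may carry an `Eco Id`, and a `Message` body whose own `Key: value` pairs can include a second `User:` (the edited account) before the console user. The parser and triage below are an added example, not BlackBerry code; the sample lines are constructed to match the documented format (placeholder hash, e-mail and Eco Id values), and the grouping of event names into review categories is this example's own choice, taken from the event-name table above.

```python
"""Parse CylancePROTECT Desktop audit-log syslog messages and flag events a
defender would want to review. Added example; not BlackBerry code."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Event names from the field reference, grouped by why they deserve review.
# The categories are this example's own; the names are the documented ones.
WATCHLIST = {
    "log_coverage": {"SyslogDisable", "SyslogSettingSave"},
    "agent_tamper_protection": {"UninstallAgentRequirePasswordDisable",
                                "UninstallAgentPasswordSave", "DeviceUnlock",
                                "DeviceShowUnlockKey", "GhostLoginSettingChange"},
    "allowlisting": {"ThreatSafeList", "ThreatWaive", "GlobalListAdd",
                     "PolicySafeListAdd", "ScriptControlExclusionListAdd",
                     "CertificateSafelistAddItem", "DetectionExceptionAdd",
                     "DetectionRuleRemove", "DetectionRuleSetRemove"},
    "access_and_credentials": {"UserAdd", "UserEdit", "ApplicationAdd",
                               "ApplicationEdit", "InstallationTokenRegenerate",
                               "InvitationUrlGenerate", "CustomAuthenticationSave",
                               "CustomAuthenticationDisable"},
}

# Optional "<product>: " prefix, then the fixed header; the rest is parsed below.
HEADER_RE = re.compile(
    r"^(?:[^:]+: )?Event Type: (?P<event_type>[^,]+), "
    r"Event Name: (?P<event_name>[^,]+), Message: (?P<rest>.*)$")


@dataclass
class AuditEvent:
    event_type: str
    event_name: str
    message: str
    console_user: str               # raw trailing "User:" field; empty for API-token actions
    email: str = ""
    eco_id: str = ""
    fields: dict = field(default_factory=dict)   # "Key: value" pairs from the message body


def parse_audit_event(line: str) -> AuditEvent:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit log message: {line!r}")
    rest = m.group("rest")
    # The message body may itself contain "User: <name>" (the UserEdit case), so the
    # console user is the LAST ", User:" segment. Assumes no message value contains
    # the literal text ", User:".
    if ", User:" in rest:
        message, console_user = rest.rsplit(", User:", 1)
    else:
        message, console_user = rest, ""
    ev = AuditEvent(m.group("event_type"), m.group("event_name"),
                    message, console_user.strip())
    # "(jane@x)" or "(jane@x, Eco Id: ...)" or "Name jane@x (jane@x)"
    em = re.search(r"\(([^,)\s]+)", ev.console_user)
    if em:
        ev.email = em.group(1)
    ec = re.search(r"Eco Id: ([^)\s]+)", ev.console_user)
    if ec:
        ev.eco_id = ec.group(1)
    for part in message.split("; "):           # "SHA256: ...; Reason: ..."
        if ": " in part:
            k, v = part.split(": ", 1)
            ev.fields[k.strip()] = v.strip()
    return ev


def triage(ev: AuditEvent) -> list[str]:
    """Reasons to review this event; an empty list means nothing notable."""
    reasons = [cat for cat, names in WATCHLIST.items() if ev.event_name in names]
    if ev.event_type == "AuditLog" and not ev.console_user:
        # Per the docs, token-driven API actions leave the console user empty, so
        # the actor must be attributed through the API credential instead.
        reasons.append("api_token_actor")
    return reasons


# Constructed sample lines in the documented layout; all values are placeholders.
SAMPLE_LINES = [
    "BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, "
    "Message: SHA256: " + "A" * 64 + "; Reason: Manual block., User: (admin@example.com)",
    "BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: SyslogDisable, "
    "Message: Syslog disabled, User: (admin@example.com, Eco Id: EXAMPLE_ECO_ID=)",
    "BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: UserEdit, "
    "Message: User: Jane Smith, User: ",
    "Event Type: AuditLog, Event Name: ZoneEdit, Message: Example message, "
    "User: John admin@example.com (admin@example.com)",
]


def triage_lines(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """(event name, actor e-mail or '', review reasons) for every parsable line."""
    return [(ev.event_name, ev.email, triage(ev))
            for ev in (parse_audit_event(l) for l in lines)]


if __name__ == "__main__":
    for name, who, why in triage_lines(SAMPLE_LINES):
        print(f"{name:24s} {who or '<no console user>':22s} {', '.join(why) or '-'}")
```

Feeding this the page's own example lines works the same way; the third constructed line deliberately has the empty console user the text describes for API events, which the page's own UserEdit example does not show.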