Skip Navigation

CylancePROTECT Desktop
audit log

Selecting this option will send the audit log of user actions performed in the management console to the syslog server. Audit log events will always appear in the audit log screen, even when this option is not enabled.
Field
Value
Description
Eco Id
[varies]
This is the administrator user's EcoID, if available.
Event Name
AuditLog
This is an audit log event.
AcceptEula
The user accepted the End-User License Agreement (the first user to log in to a newly created tenant).
AgentUpdate
The user updated the
CylancePROTECT Desktop
agent.
ApplicationAdd
The administrator user created a custom application (on the Integration page). This includes the name of the application.
ApplicationEdit
The administrator user updated the custom application name.
ApplicationEdit
The administrator user changed the permissions for a custom application.
ApplicationEdit
The administrator user regenerated the credentials for the custom application.
ApplicationRemove
The administrator user removed a custom application.
CertificateRepositoryAddItem
The administrator user added a certificate. The message includes the name and thumbprint for the certificate.
CertificateRepositoryDeleteItem
The administrator user deleted a certificate. The message includes the name and thumbprint for the certificate.
CertificateRepositoryEditItem
The administrator user edited a certificate. The message includes the name and thumbprint for the certificate.
CertificateSafelistAddItem
The administrator user added a certificate to the safe list.
CertificateSafelistDeleteItem
The administrator user removed a certificate from the safe list.
CustomAuthenticationDisable
The administrator user disabled custom authentication.
CustomAuthenticationSave
The administrator user saved custom authentication settings.
DeleteAllQuarantinedFiles
The administrator user issued a command from the management console to delete all quarantined files on a device.
DeleteTokenThreatDataReport
The administrator user deleted the threat data report token.
DetectionExceptionAdd
The administrator user added a
CylanceOPTICS
detection exception.
DetectionExceptionEdit
The administrator user edited a
CylanceOPTICS
detection exception.
DetectionExceptionRemove
The administrator user removed a
CylanceOPTICS
detection exception.
DetectionRuleAdd
The administrator user added a
CylanceOPTICS
detection rule.
DetectionRuleEdit
The administrator user edited a
CylanceOPTICS
detection rule.
DetectionRuleRemove
The administrator user removed a
CylanceOPTICS
detection rule.
DetectionRuleSetAdd
The administrator user added a
CylanceOPTICS
detection rule set.
DetectionRuleSetEdit
The administrator user edited a
CylanceOPTICS
detection rule set.
DetectionRuleSetRemove
The administrator user removed a
CylanceOPTICS
detection rule set.
DetectionsChangeStatus
The administrator user changed the status of a
CylanceOPTICS
detection.
DetectionsRemove
The administrator user removed a
CylanceOPTICS
detection.
DeviceAdd
The administrator user registered a device.
DeviceChangeLockdownProfile
The administrator user changed the customized partial lockdown configuration for a device.
DeviceEdit
The administrator user edited a device.
DeviceFileDownload
The administrator user download a file that
CylanceOPTICS
identified as a potential threat.
DeviceLock
The administrator user locked a device.
DeviceRemove
The administrator user removed a device.
DeviceShowUnlockKey
The administrator user revealed the unlock key for a device.
DeviceUnlock
The administrator user unlocked a device.
DownloadThreatDataReport
The administrator user downloaded the deprecated threat data report.
EndUserAssignPolicy
The administrator user assigned a
CylancePROTECT Mobile
policy to one or more users. The message indicates the assigned users and policy.
EndUserAdd
The administrator user added a
CylancePROTECT Mobile
user. The message includes the
CylancePROTECT Mobile
user’s email address and name.
EndUserImport
The administrator user imported
CylancePROTECT Mobile
users. The message includes the
CylancePROTECT Mobile
user email addresses and names.
EndUserRemove
The user administrator removed a
CylancePROTECT Mobile
user. The message includes the
CylancePROTECT Mobile
user’s email address and name.
EndUserSendInvitation
The administrator user sent an activation password and QR code to one or more
CylancePROTECT Mobile
devices. The message includes the
CylancePROTECT Mobile
user email addresses, a success count, and a failure count.
FocusDataAdd
The administrator user retrieved focus data.
GenerateTokenThreatDataReport
The administrator user generated a new token for the threat data report.
GhostLoginSettingChange
The administrator user enabled or disabled the enable support login feature.
GlobalListAdd
The administrator user added a file to the global list.
GlobalListRemove
The administrator user removed a file from the global list.
InstallationTokenDelete
The administrator user deleted the installation token.
InstallationTokenRegenerate
The administrator user generated a new installation token.
InstaQueryAdd
The administrator user added an InstaQuery.
InstaQueryRemove
The administrator user removed an InstaQuery.
InvitationUrlGenerate
The administrator user generated an invitation URL.
JobServiceStop
The administrator user stopped a package deploy job.
LockdownConfigurationAdd
The administrator user added a custom partial lockdown configuration.
LockdownConfigurationEdit
The administrator user changed a custom partial lockdown configuration.
LockdownConfigurationDelete
The administrator user deleted a custom partial lockdown configuration.
LoginFailure
The administrator user failed to log in to the management console.
LoginSuccess
The administrator user successfully logged in to the management console.
MobileAlertsExport
The administrator user exported
CylancePROTECT Mobile
alert information from the management console. The message indicates any filters that were applied.
MobileAlertsIgnore
The administrator user selected and ignored a
CylancePROTECT Mobile
alert. The message indicates the type and name of the mobile alert.
MobileDeviceExport
The administrator user exported
CylancePROTECT Mobile
device information from the management console. The message indicates any filters that were applied.
MobileDeviceRemove
The administrator user removed a
CylancePROTECT Mobile
device. The message indicates the removed user and device details.
MobileExclusionsAdd
The administrator user added an app or developer certificate to the
CylancePROTECT Mobile
safe or unsafe list.
MobileExclusionsRemove
The administrator user removed an app or developer certificate from the
CylancePROTECT Mobile
safe or unsafe list.
MobilePolicyAdd
The administrator user added a
CylancePROTECT Mobile
policy. The message indicates the policy name and settings.
MobilePolicyEdit
The administrator user edited a
CylancePROTECT Mobile
policy. The message indicates the policy name and changes.
MobilePolicyRemove
The administrator user removed a
CylancePROTECT Mobile
policy. The message indicates the removed policy.
NightlyThreatDataReportChange
The administrator user enabled or disabled the threat data report (on the applications page).
PackageDeployAdd
The administrator user added a package deploy.
PackageDeployRemove
The administrator user removed a package deploy.
PackagePlaybookAdd
The administrator user added a
CylanceOPTICS
package playbook.
PackagePlaybookEdit
The administrator user edited a
CylanceOPTICS
package playbook.
PackagePlaybookRemove
The administrator user removed a
CylanceOPTICS
package playbook.
PlaybookResultRemove
The administrator user removed a
CylanceOPTICS
package playbook result.
PolicyAdd
The administrator user added a policy. The message includes the policy name.
PolicyEdit
The administrator user edited a policy. The message includes the policy name.
PolicyRemove
The administrator user removed a policy. The message includes the policy name.
PolicySafeListAdd
The administrator user added a file to the policy safe list. The message includes the SHA256 hash that was added.
PolicySafeListRemove
The administrator user removed a file from the policy safe list. The message includes the SHA256 hash that was removed.
RemoteResponseConnect
The administrator user opened a
CylanceOPTICS
remote response session with a device.
RemoteResponseDisconnect
The administrator user closed a
CylanceOPTICS
remote response session.
RequestToGenerateThreatDataReport
The administrator user enabled or disabled the Threat Data Report (on the Application page).
ScriptControlExclusionListAdd
The administrator user added a script to the Global Safe List.
ScriptControlExclusionListRemove
The administrator user removed a script from the Global Safe List.
SyslogDisable
The administrator user disabled the syslog feature.
SyslogSettingSave
The administrator user saved the syslog settings.
ThreatGlobalQuarantine
The administrator user added a file to the Global Quarantine List.
ThreatQuarantine
The administrator user quarantined a file for an endpoint.
ThreatSafeList
The administrator user added a file to the Global Safe List.
ThreatWaive
The administrator user waived a file for an endpoint.
UninstallAgentPasswordSave
The user saved a password after enabling the option to require a password to uninstall the
CylancePROTECT Desktop
agent.
UninstallAgentRequirePasswordDisable
The user turned off the option to require users to specify a password to uninstall the
CylancePROTECT Desktop
agent.
UserAdd
The administrator user created a user.
UserEdit
The administrator user edited a user.
UserRemove
The administrator user removed a user.
ZoneAdd
The administrator user added a zone.
ZoneAddDevice
The administrator user added a device to a zone.
ZoneEdit
The administrator user edited a zone.
ZoneRemove
The administrator user removed a zone.
ZoneRemoveDevice
The administrator user removed a device from a zone.
ZoneRuleAdd
The administrator user added a zone rule.
ZoneRuleEdit
The administrator user edited a zone rule.
ZoneRuleRemove
The administrator user removed a zone rule.
Message
[varies]
The message contains information related to the action. Example: When a file is added to the global quarantine list, the message might include the file hash and the reason given for adding it to the global list.
User
[varies]
The user who logged in and triggered this audit log event.
Example message for audit log events that are sent to a syslog server or SIEM solution
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, Message: SHA256: A1E92E2E84A1321F499A5EC500E8B9A9C0CA28701668BF13EA56D3995A96153F, 1CCC95B7B2F781D55D538CA01D6049762FDF6A75B32A06DF3CC2EDC1F1573BFA; Reason: Manually blacklisting these 2 threats., User: (johnsmith@contoso.com)
Example message for audit log events that are sent to syslog serve or SIEM solution with Eco Id
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ZoneEdit, Message: Example message, User: (johnsmith@contoso.com, Eco Id: Bn6ZX201mlPgFzl/M9njAPI4=
Example message for API events sent to a syslog server or SIEM solution in audit log
API create/add, update, and delete events are captured in the audit log. In the example below, the term “user” appears twice. The first user is the name of the user being edited. The second user is the name of the management console user who triggered the audit event, and for an API event, this field is empty. The information on the user who performed the API event is not captured because the event was performed using an authentication token, not by a user logged into the management console.
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: UserEdit, Message: User: Jane Smith, User: (janesmith@contoso.com)
Example message for audit log events that are sent to a syslog server or SIEM solution with LockdownConfigurationAdd
Event Type: AuditLog, Event Name: LockdownConfigurationAdd, Message: Configuration Profile: Test 1; Description: Description 1; Whitelist Definitions: {'WhitelistedAddresses': [{'ip_address': '10.10.10.10', 'direction': 'Inbound'}, {'ip_address': '192.168.0.10:3389', 'direction': 'BiDirectional'}], 'WhitelistedPorts': [{'port': 22, 'direction': 'Outbound'}]}, User: John johndoe@blackberry.com (johndoe@blackberry.com)