Configure network protection settings
You can specify the detections that you want to enable and display on the Network Events screen, as well as the information that is sent to the SIEM solution or syslog server. You can also configure CylanceGATEWAY to display a message to users whenever CylanceGATEWAY blocks a connection to a potentially malicious destination. For information on the available risk levels, see Destination reputation risk threshold. When you configure network protection settings, CylanceGATEWAY will generate alerts that are displayed in the Alerts view. For more information, see Managing alerts across Cylance Endpoint Security services.

Verify that "Check access attempts against Network Protection" is selected for each ACL rule. For more information on ACLs, see Controlling network access.
- On the menu bar, click Settings > Network.
- Click the Network Protection tab.
- Do any of the following:

  Task: Specify the detections that you want to enable and whether to notify users when they are blocked due to detections.
  Steps:
  - Click the Protect tab.
  - If you want users to see a message when CylanceGATEWAY blocks a connection, select Display a blocked notification message on devices.
  - In the Message field, type the message that you want to display to users.
  - To turn on signature detection, select Enable signature detection. When enabled, alerts are generated for blocked signature detections and displayed in the Alerts view. When disabled, alerts are not generated. For more information, see Managing alerts across Cylance Endpoint Security services.
  - To turn on destination reputation, select Enable destination reputation and select the minimum risk level of potentially malicious IP addresses and FQDNs to block. When enabled, alerts are generated and displayed in the Alerts view based on the risk level that you have set. For example, if you select the risk level "Medium and higher", alerts that are medium or high risk are displayed in the Alerts view. When disabled, alerts that CylanceGATEWAY considers high risk are generated and displayed in the Alerts view by default.

  Task: Specify and control the detections to display in the Network Events screen. If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not displayed in the Network Events screen.
  Steps:
  - Click the Report tab.
  - To display the signature detections for network events that are allowed, enable Display allowed signature detection events. By default, signature detections that are blocked automatically are displayed in the Network Events screen.
  - To display destination reputation detections for network events that are allowed, enable Display allowed destination reputation events and select the minimum risk level of potentially malicious IP addresses to display. If this option is disabled, signature events will be captured as normal allowed traffic.
  - To display DNS tunneling detections, enable Display DNS tunneling detections and select the minimum risk level of potential threats based on analysis of the DNS traffic from the client to the DNS server. By default, the risk level is Medium.
  - To display Zero Day detections, enable Display Zero Day detections and select the minimum risk level of newly identified malicious destinations that have not been identified previously. By default, the risk level is Medium.

  Task: Specify and control the detections to display in the Alerts view and to send to the SIEM solution or syslog server, if configured. If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not sent to the SIEM solution or syslog server, if configured.
  Steps:
  - Click the Share tab.
  - To send allowed or blocked network events and alerts that have signature detections, enable Share signature detection events. When enabled, the blocked signature detections are displayed in the Alerts view and sent to the SIEM solution or syslog server by default. Optionally, select Allowed events to send allowed events.
  - To send network events and alerts that have destination reputation detections and were allowed based on the minimum risk level that you set or blocked, enable Share destination reputation events. When enabled, destination reputation events that are blocked are displayed in the Alerts view and sent to the SIEM solution or syslog server by default. Optionally, select Allowed events to send allowed events.
  - To send network events and alerts that have DNS tunneling detections based on the minimum risk level that you set, select Share DNS tunneling detections. By default, the risk level is Medium.
  - To send network events and alerts that have Zero Day detections based on the minimum risk level that you set, select Share Zero Day detections. By default, the risk level is Medium.
  - To send network events that are blocked by ACL rules, enable Share blocked ACL events. Blocked and allowed ACL events are not displayed in the Alerts view.

- Click Save.