Cylance Endpoint Security requirements
Logging in to the management console
- Custom authentication
- Enhanced authentication sign in
  - Sign in to the Cylance Endpoint Security management console using enhanced authentication
Installing the BlackBerry Connectivity Node
Linking to your company directory
Setting up administrators
Adding users and devices
Enrolling CylancePROTECT Mobile and CylanceGATEWAY users
- Create an enrollment policy
- Supported enrollment email variables
Setting up zones to manage CylancePROTECT Desktop and CylanceOPTICS
- Add and configure a zone
Setting up CylancePROTECT Desktop
Setting up CylancePROTECT Mobile
Setting up CylanceOPTICS
- Install the CylanceOPTICS agent on devices
  - Configuration requirements for macOS 11.x and later
  - OS commands for the CylanceOPTICS agent
- Enable and configure CylanceOPTICS
  - CylanceOPTICS sensors
  - Data structures that CylanceOPTICS uses to identify threats
Setting up CylanceGATEWAY
Setting up CylanceAVERT
Managing updates for the CylancePROTECT Desktop and CylanceOPTICS agents
- Manage updates for the CylancePROTECT Desktop and CylanceOPTICS agents
Appendix: Best practices for deploying CylancePROTECT Desktop on Windows virtual machines

Configure network protection settings

You can specify the detections that you want to enable and display on the Network Events screen, as well as the information that is sent to the SIEM solution or syslog server. You can also configure

CylanceGATEWAY

to display a message to users whenever

CylanceGATEWAY

blocks a connection to a potentially malicious destination.

For more information on the available risk levels, see Destination reputation risk threshold.

When you configure network protection settings,

CylanceGATEWAY

might generate alerts that are displayed in the Alerts view. For more information, see Managing alerts across Cylance Endpoint Security services.

Verify that "Check access attempts against Network Protection" is selected for each ACL rule.

For more information on ACLs, see Controlling network access.

On the menu bar, click

Settings > Network

Click the

Network Protection

tab.

Do any of the following:

Task	Steps
Specify the detections that you want to enable and whether to notify users when they are blocked due to detections.	Click the Protect tab. If you want users to see a message when CylanceGATEWAY blocks a connection, select Display a blocked notification message on devices . In the Message field, type the message that you want to display to users. To turn on signature detection, select Enable signature detection . When enabled, alerts are generated for blocked signature detections and display in the Alerts view. When disabled, alerts are not generated. For more information, see Managing alerts across Cylance Endpoint Security services. To turn on destination reputation, select Enable destination reputation and select the minimum risk level of potentially malicious IP addresses and FQDNs to block. When enabled, alerts are generated and displayed in the Alerts view based on the risk level that you have set. For example, if you select the risk level of "Medium and higher", alerts that are medium or high risk will display in the Alerts view. When disabled, alerts that CylanceGATEWAY considers high risk will be generated and displayed in the Alerts view by default.
Specify and control the detections to display in the Network Events screen. If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not displayed in the Network Events screen.	Click the Report tab. To display the signature detections for network events that are allowed, enable Display allowed signature detection events . By default, signature detections that are blocked automatically are displayed in the Network Events screen. To display destination reputation detections for network events that are allowed, enable Display allowed destination reputation events and select the minimum risk level of potentially malicious IP addresses to display. If this option is disabled, signature events will be captured as normal allowed traffic. To display DNS tunneling detections, enable Display DNS tunneling detections and select the minimum risk level of potential threats based on analysis of the DNS traffic from the client to the DNS server. By default, the risk level is Medium. To display Zero Day detections, enable Display Zero Day detections and select the minimum risk level of newly identified malicious destinations that have not been identified previously. By default, the risk level is Medium.
Specify and control the detections to send to the SIEM solution or syslog server, if configured. If you enable Traffic privacy and the network access attempts match the ACL rule, the network access attempts are not sent to the SIEM solution or syslog server, if configured.	Click the Share tab. To send allowed or blocked network events that have signature detections, enable Share signature detection events . When enabled, the blocked signature detections are sent to the SIEM solution or syslog server, by default. Optionally, select Allowed events to send allowed events. To send network events that have destination reputation detections and were allowed based on the minimum risk level that you set or blocked, enable Share destination reputation events . When enabled, destination reputation events that are blocked are sent to the SIEM solution or syslog server, by default. Optionally, select Allowed events to send allowed events. To send network events that have DNS tunneling detections based on the minimum risk level that you set, select Share DNS tunneling detections . By default, the risk level is Medium. To send network events that have Zero Day detections based on the minimum risk level that you set, select Share Zero Day detections . By default, the risk level is Medium. To send network events that are blocked by ACL rules, enable Share blocked ACL events .

Click

Save

Section:

Configuring network protection