Skip Navigation
  1. BlackBerry Docs
  2. Cylance products
  3. BlackBerry Syslog Guide
  4. BlackBerry Gateway event types
  5. Network threats

Network threats

This option is visible only if Gateway is enabled. When this option is turned on, the events that are detected by Gateway are sent to your organization’s syslog server.
Field
Value
Description
Eco Id
[varies]
The user's EcoID, if available.
Event Name
Blocked Connection
Allowed Connection
This is the defined event name for network alerts:
  • Allowed connections: a detection happened and a syslog event was generated; but the connection was allowed based on the applied risk criteria.
  • Blocked connections: a detection happened and a syslog event was generated; and the connection was blocked based on the applied risk criteria.
Event Type
NetworkThreat
This is the defined event type for network alerts.
GhostUserEmail
[varies]
The email address of the support user.
Message
[varies]
The message contains information related to the event, in JSON string format.
Source
big.blackberry.com
The BlackBerry product generating the event.
Tenant
[tenantId]
The UES tenant ID.
Timestamp
[varies]
The date and time the event occurred.
Message descriptions
Field
Value
Description
action
string
The action performed against this traffic. Unique to the associated event.
alertType
string
The alert type associated with the event. The supported types are:
  • ipReputation - event triggered due to destination risk.
  • signature - event triggered due to inspection of packets.
  • accessControl - event triggered due to user's network access rules.
signature
string
The Packet Inspection Rule details of the identified network threat, if applicable.
category
string
The Packet Inspection Rule category of the identified network threat, if applicable.
policyName
string
The name of the user's policy that triggered the event, if applicable.
appName
string
The name of the application or network service associated with the blocked event, if applicable.
mitre
string
The MITRE information related to the event. Additional details are provided below.
Name
Notes
techniqueId
The MITRE technique ID
techniqueName
The MITRE technique name
tacticId
The MITRE tactic ID
tacticName
The MITRE tactic name
endpointId
string
The Gateway installation ID of the endpoint as it is registered in UES.
venueEndpointId
string
The ID of the BlackBerry Protect Desktop service if it is installed on the same device.
dOsVers
string
The OS version of the device.
dId
string
The UES ID of the device.
dPlat
string
The platform of the device.
dManuf
string
The manufacturer of the device.
dModel
string
The model of the device.
flowId
string
The ID of the Gateway access control engine flow that this event is associated with.
correlationId
string
The correlation ID assigned to the event.
sourceIp
string
The packet source IP address.
sourcePort
string
The packet source port.
dstAddress
string
The destination IP address of the IP packet that triggered the event. Can be IPv4 or IPv6.
destPort
string
The packet destination port.
protocol
string
The protocol used to transit the packet.
endpointIp
string
The public source IP associated with the endpoint. This IP is assigned by the network itself.
Example syslog message - Access control policy (blocked)
Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: Am6XZ102m1PgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message: {"endpointId":"6c726244-ad1d-4ff4-922b-cbaf8ab3c6c2", "flowId":3190005035111956, "endpintIp":"99.250.195.118:39867", "dstAddress":"10.10.10.129", "action":"blocked", "dManuf":"Google", "category":"Access Control Blocked", "key":"", "correlationId":"4ddb23a8-defa-4a17-b549-4c36ed193954", "sourcePort": 31637, "destPort":53, "alertType":"accessControl", "policyName":"E2E Auto Block Saas Apps", "dId":"821f57dc-d7d6-4907-90ba-c6d7b0bca943", "venueEndpointId":"", "dOsVers":"11", "appName":"Slack", "protocol":"UDP", "signature":"Access Control Blocked - DNS", "dPlat":"Android", "sourceIp":"10.10.10.137", "dModel":"Pixel 4", "mitreData":""}
Example syslog message - Signature detection (blocked)
Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message: {"endpointId":"7c726244-ad1d-4ff4-922b-cbaf8ab3c6c1", "flowId":1975772272249751, "endpointIp":"99.250.195.118:49713", "dstAddress":"10.10.10.1", "action":"blocked", "dManuf":"Google", "category":"A Network Trojan was detected", "key":"", "correlationId":"6df43c40-5bad-40d1-b081-7882cb28d330", "sourcePort":28945, "destPort":53, "alertType":"signature", "policyName":"E2E Auto Block Saas Apps", "dId":"812f57dc-d7d6-4907-90ba-c6d7b0bca943", "venueEndpointId":"", "dOsVers":"11", "appName":"", "protocol":"UDP", "signature":"ET MOBILE_MALWARE Android/TrojanDropper.Agent.BKY DNS Lookup 1 (tp/emerging-threats/emerging-mobile_malware/2025014)", "dPlat":"Android", "sourceIp":"10.10.10.9", "dModel":"Pixel 4", "mitreData":""}
Example syslog message - Signature detection (allowed)
Event Type: NetworkThreat, Event Name: allowed connection, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message: {"policyName":"E2E Auto FQDN Block", "flowId":788929250499854, "sourceIp":"10.10.10.22", "dId":"5e2ae619-8116-4f0e-b233-91eeec15c9c4", "sourcePort":41236, "destPort":80, "endpointId":"f9963a84-9311-42c7-b251-c4dd97ed2bd6", "dOsVers":"0", "mitreData":"", "appName":"", "endpointIp":"", "correlationId":"883d6505-2cd5-4872-98b0-570cf2bdf24b", "dManuf":"generic", "venueEndpointId":"", "dModel":"Generic Device", "action":"allowed", "alertType":"signature", "dstAddress":"69.16.231.150", "signature":"ET POLICY curl User-Agent Outbound (tp/emerging-threats/emerging-policy/2013028)", "key":"", "category":"Attempted Information Leak", "dPlat":"Windows", "protocol":"TCP"}
Example syslog message - IP reputation (blocked)
Event Type: NetworkThreat, Event Name: blocked connection, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message: {"sourceIp":"10.10.10.18", "protocol":"TCP", "dModel":"Nexus 6", "policyName":"IP Reputation Policy", "appName":"", "mitreData":"", "key":"", "dstAddress":"195.110.46.232", "alertType":"ipReputation", "dPlat":"Android", "venueEndpointId":"", "destPort":80, "category":"Access Control Blocked", "endpointId":"e017bd79-69e5-4a4f-af26-f295b0d28e78", "signature":"Access Control Blocked", "flowId":801786180096101, "sourcePort":39240, "action":"blocked", "dId":"fe9fd95d-76c4-410f-997f-7c76e8741b0f", "dManuf":"motorola", "correlationId":"d773b803-9333-4851-85ed-ae5165e83f93", "dOsVers":"7.1.1", "endpointIp":"173.33.81.137:41890"}
Example syslog message - IP reputation (allowed)
Event Type: NetworkThreat, Event Name: allowed connection, Eco Id: Am6XZ102mlPgFzI/N8mjANP4=, User: John Smith (jsmith@example.com), User Name: jsmith, Message: {"dPlat":"Windows", "destPort":443, "dId":"a58a0ce5-d94f-472e-ab57-574fc807119e", "policyName":"allow_all", "flowId":1139639166113122, "dstAddress":"odc.officeapps.live.com", "endpointIp":"172.29.139.30:35068", "dOsVers":"Windows 10 Enterprise 2009", "category":"Access Control Allowed", "mitreData":"", "protocol":"TCP", "dManuf":"VMware, Inc.", "dModel":"VMware Virtual Platform", "appName":"", "endpointId":"96551433-b13d-423b-8157-d8854f82a8cb", "key":"", "signature":"Access Control Allowed - TLS", "venueEndpointId":"c303f4e7-8377-4a6d-9849-19b8cf811e9f", "correlationId":"210cc54b-8624-4d18-9ca8-3af1335500bd", "action":"allowed", "alertType":"ipReputation", "sourceIp":"10.10.10.133", "sourcePort":58111}