Audit log

Selecting this option will send the audit log of user actions performed in the Cylance console (website) to the syslog server. Audit log events will always appear in the Audit Log screen, even when this option is unchecked.
| Field | Value | Description |
| --- | --- | --- |
| Eco Id | [varies] | The user's EcoID, if available. |
| Event Name | AuditLog | This is an Audit Log event. |
| | AcceptEula | The user accepted the End-User License Agreement (the first user to log in to a newly created tenant). |
| | AgentUpdate | The user updated the Agent. |
| | ApplicationAdd | The user created a Custom Application (on the Integration page). This includes the name of the application. |
| | ApplicationEdit | The user updated the Custom Application name. |
| | ApplicationEdit | The user changed the permissions for a Custom Application. |
| | ApplicationEdit | The user regenerated the credentials for the Custom Application. |
| | ApplicationRemove | The user removed a Custom Application. |
| | CertificateRepositoryAddItem | The user added a certificate. Includes the name and thumbprint for the certificate. |
| | CertificateRepositoryDeleteItem | The user deleted a certificate. Includes the name and thumbprint for the certificate. |
| | CertificateRepositoryEditItem | The user edited a certificate. Includes the name and thumbprint for the certificate. |
| | CertificateSafelistAddItem | The user added a certificate to the Safe List. |
| | CertificateSafelistDeleteItem | The user removed a certificate from the Safe List. |
| | CustomAuthenticationDisable | The user disabled Custom Authentication. |
| | CustomAuthenticationSave | The user saved Custom Authentication settings. |
| | DeleteAllQuarantinedFiles | The user issued a command from the Console to delete all quarantined files on a device. |
| | DeleteTokenThreatDataReport | The user deleted the Threat Data Report Token. |
| | DetectionExceptionAdd | The user added an Optics detection exception. |
| | DetectionExceptionEdit | The user edited an Optics detection exception. |
| | DetectionExceptionRemove | The user removed an Optics detection exception. |
| | DetectionRuleAdd | The user added an Optics detection rule. |
| | DetectionRuleEdit | The user edited an Optics detection rule. |
| | DetectionRuleRemove | The user removed an Optics detection rule. |
| | DetectionRuleSetAdd | The user added an Optics detection rule set. |
| | DetectionRuleSetEdit | The user edited an Optics detection rule set. |
| | DetectionRuleSetRemove | The user removed an Optics detection rule set. |
| | DetectionsChangeStatus | The user changed the status of an Optics detection. |
| | DetectionsRemove | The user removed an Optics detection. |
| | DeviceAdd | The user registered a device. |
| | DeviceEdit | The user edited a device. |
| | DeviceFileDownload | The user downloaded a file that Optics identified as a potential threat. |
| | DeviceLock | The user locked a device. |
| | DeviceRemove | The user removed a device. |
| | DeviceShowUnlockKey | The user revealed the unlock key for a device. |
| | DownloadThreatDataReport | The user downloaded the deprecated Threat Data Report. |
| | EndUserAssignPolicy | The user assigned a Protect Mobile policy to one or more users. The message indicates the assigned users and policy. |
| | EndUserAdd | The user added a Protect Mobile user. The message includes the Protect Mobile user's email address and name. |
| | EndUserImport | The user imported Protect Mobile users. The message includes the Protect Mobile user email addresses and names. |
| | EndUserRemove | The user removed a Protect Mobile user. The message includes the Protect Mobile user's email address and name. |
| | EndUserSendInvitation | The user sent an activation password and QR code to one or more Protect Mobile devices. The message includes the Protect Mobile user email addresses, a success count, and a failure count. |
| | FocusDataAdd | The user retrieved focus data. |
| | GenerateTokenThreatDataReport | The user generated a new token for the Threat Data Report. |
| | GhostLoginSettingChange | The user enabled or disabled the Enable Support Login feature. |
| | GlobalListAdd | The user added a file to the Global List. |
| | GlobalListRemove | The user removed a file from the Global List. |
| | InstallationTokenDelete | The user deleted the Installation Token. |
| | InstallationTokenRegenerate | The user generated a new Installation Token. |
| | InstaQueryAdd | The user added an InstaQuery. |
| | InstaQueryRemove | The user removed an InstaQuery. |
| | InvitationUrlGenerate | The user generated an Invitation URL. |
| | JobServiceStop | The user stopped a package deploy job. |
| | LoginFailure | The user failed to log in to the Cylance Console. |
| | LoginSuccess | The user successfully logged in to the Cylance Console. |
| | MobileAlertsExport | The user exported Protect Mobile alert information from the console. The message indicates any filters that were applied. |
| | MobileAlertsIgnore | The user selected and ignored a Protect Mobile alert. The message indicates the type and name of the mobile alert. |
| | MobileDeviceExport | The user exported Protect Mobile device information from the console. The message indicates any filters that were applied. |
| | MobileDeviceRemove | The user removed a Protect Mobile device. The message indicates the removed user and device details. |
| | MobileExclusionsAdd | The user added an app or developer certificate to the Protect Mobile safe or unsafe list. |
| | MobileExclusionsRemove | The user removed an app or developer certificate from the Protect Mobile safe or unsafe list. |
| | MobilePolicyAdd | The user added a Protect Mobile policy. The message indicates the policy name and settings. |
| | MobilePolicyEdit | The user edited a Protect Mobile policy. The message indicates the policy name and changes. |
| | MobilePolicyRemove | The user removed a Protect Mobile policy. The message indicates the removed policy. |
| | NightlyThreatDataReportChange | The user enabled or disabled the Threat Data Report (on the Applications page). |
| | PackageDeployAdd | The user added a package deploy. |
| | PackageDeployRemove | The user removed a package deploy. |
| | PackagePlaybookAdd | The user added an Optics package playbook. |
| | PackagePlaybookEdit | The user edited an Optics package playbook. |
| | PackagePlaybookRemove | The user removed an Optics package playbook. |
| | PlaybookResultRemove | The user removed an Optics package playbook result. |
| | PolicyAdd | The user added a policy. Includes the policy name. |
| | PolicyEdit | The user edited a policy. Includes the policy name. |
| | PolicyRemove | The user removed a policy. Includes the policy name. |
| | PolicySafeListAdd | The user added a file to the Policy Safe List. Includes the SHA256 hash that was added. |
| | PolicySafeListRemove | The user removed a file from the Policy Safe List. Includes the SHA256 hash that was removed. |
| | RemoteResponseConnect | The user opened an Optics remote response session with a device. |
| | RemoteResponseDisconnect | The user closed an Optics remote response session. |
| | RequestToGenerateThreatDataReport | The user enabled or disabled the Threat Data Report (on the Application page). |
| | ScriptControlExclusionListAdd | The user added a script to the Global Safe List. |
| | ScriptControlExclusionListRemove | The user removed a script from the Global Safe List. |
| | SyslogDisable | The user disabled the syslog feature. |
| | SyslogSettingSave | The user saved the syslog settings. |
| | ThreatGlobalQuarantine | The user added a file to the Global Quarantine List. |
| | ThreatQuarantine | The user quarantined a file for an endpoint. |
| | ThreatSafeList | The user added a file to the Global Safe List. |
| | ThreatWaive | The user waived a file for an endpoint. |
| | UninstallAgentPasswordSave | The user saved a password, after checking Require Password to Uninstall Agent. |
| | UninstallAgentRequirePasswordDisable | The user disabled Require Password to Uninstall Agent. |
| | UserAdd | The user created a user. |
| | UserEdit | The user edited a user. |
| | UserRemove | The user removed a user. |
| | ZoneAdd | The user added a zone. |
| | ZoneAddDevice | The user added a device to a zone. |
| | ZoneEdit | The user edited a zone. |
| | ZoneRemove | The user removed a zone. |
| | ZoneRemoveDevice | The user removed a device from a zone. |
| | ZoneRuleAdd | The user added a zone rule. |
| | ZoneRuleEdit | The user edited a zone rule. |
| | ZoneRuleRemove | The user removed a zone rule. |
| Message | [varies] | The message contains information related to the action. Example: When a file is added to the Global Quarantine List, the message might include the file hash and the reason given for adding it to the Global List. |
| User | [varies] | The user who logged in and triggered this audit log event. |

Example message for audit log events being forwarded to syslog
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ThreatGlobalQuarantine, Message: SHA256: A1E92E2E84A1321F499A5EC500E8B9A9C0CA28701668BF13EA56D3995A96153F, 1CCC95B7B2F781D55D538CA01D6049762FDF6A75B32A06DF3CC2EDC1F1573BFA; Reason: Manually blacklisting these 2 threats., User: (johnsmith@contoso.com)
Example message for audit log events being forwarded to syslog with Eco Id
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: ZoneEdit, Message: Example message, User: (johnsmith@contoso.com, Eco Id: Bn6ZX201mlPgFzl/M9njAPI4=
Example message for API events in audit log
API create/add, update, and delete events are captured in the audit log. In the example below, the term “user” appears twice. The first user is the name of the user being edited. The second user is the name of the console user who triggered the audit event, and for an API event, this field is empty. The information on the user who performed the API event is not captured because the event was performed using an authentication token, not by a user logged in to the Cylance console.
BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: UserEdit, Message: User: Jane Smith, User: (janesmith@contoso.com)
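
A parser and triage pass for the message layout shown in the examples above, added here as an illustration and not taken from BlackBerry's documentation or code. The `REVIEW_EVENTS` selection, the `User: ()` rendering of an empty user field, and the last two sample lines are assumptions made for the example.

```python
import re

# Message is matched greedily so the last ", User: (" is the delimiter: the
# Message text can itself contain commas and "User:" (see the UserEdit example).
AUDIT_RE = re.compile(
    r"Event Type: (?P<type>\w+), Event Name: (?P<name>\w+), "
    r"Message: (?P<message>.*), User: \((?P<tail>.*)$"
)

# Editor's selection (an assumption, not a vendor list) of event names from the
# table above that reduce protection or visibility and merit analyst review.
REVIEW_EVENTS = {
    "SyslogDisable", "CustomAuthenticationDisable", "GhostLoginSettingChange",
    "UninstallAgentRequirePasswordDisable", "ThreatSafeList", "ThreatWaive",
    "PolicySafeListAdd", "CertificateSafelistAddItem", "DetectionRuleRemove",
    "ScriptControlExclusionListAdd", "DetectionExceptionAdd", "DeviceShowUnlockKey",
}

def parse_audit(line):
    """Return a dict of audit fields, or None if the line is not an AuditLog event."""
    m = AUDIT_RE.search(line)
    if not m or m["type"] != "AuditLog":
        return None
    # The tail is "user)" or "user, Eco Id: value"; tolerate either closing form.
    user, _, eco = m["tail"].partition(", Eco Id: ")
    return {"name": m["name"], "message": m["message"],
            "user": user.rstrip(")").strip(), "eco_id": eco.rstrip(")").strip() or None}

def triage(lines):
    """Return (event name, user, reason) tuples for events worth a second look."""
    findings = []
    for ev in filter(None, map(parse_audit, lines)):
        if ev["name"] in REVIEW_EVENTS:
            findings.append((ev["name"], ev["user"], "protection or logging change"))
        if not ev["user"]:
            findings.append((ev["name"], "", "no console user: API token action"))
    return findings

# Sample input: the first two lines are the page's examples; the last two are
# constructed, and "User: ()" for an API event is an assumed rendering.
PREFIX = "BlackBerry Protect Desktop: Event Type: AuditLog, Event Name: "
SAMPLE = [
    PREFIX + "ZoneEdit, Message: Example message, User: (johnsmith@contoso.com, Eco Id: Bn6ZX201mlPgFzl/M9njAPI4=",
    PREFIX + "UserEdit, Message: User: Jane Smith, User: (janesmith@contoso.com)",
    PREFIX + "SyslogDisable, Message: Example message, User: (admin@example.com)",
    PREFIX + "UserEdit, Message: User: Jane Smith, User: ()",
]
```

Splitting these messages on commas misparses them, because the Message field carries free text; anchoring on the final `, User: (` keeps hash lists and embedded `User:` strings inside Message.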