Audit Admin Activity

See all user actions taken on alerts, incidents, and in live terminals.
From Response > Auditing, you can track the status of all administrative and investigative actions. Cortex XDR stores audit logs within the app for one year. Use the page filters to narrow the results, or Manage Columns and Rows to add or remove fields as needed.
The following table describes, in alphabetical order, the default fields and the optional fields that you can add.
Field
  Description
Email
  Email address of the administrative user
Description
  Descriptive summary of the administrative action
Host Name
  Name of any relevant affected hosts
ID
  Unique ID for the action
Result
  Result of the administrative action: Success, Partial, or Fail.
Subtype
  Subcategory of the action
Timestamp
  Time the action took place
Type
  Type of activity logged, one of the following:
    • Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, including a complete history of commands issued, their success, and the response.
    • Response—Remedial actions taken, for example isolating a host or undoing host isolation, and blacklisting a file hash signature or undoing a hash blacklist.
    • Result—Whether the action taken was successful or failed, and the result reason when available.
    • Authentication—User sessions started, along with the user name that started the session.
    • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
    • Public API—Authentication activity using an associated Cortex XDR API key.
User Name
  User who performed the action
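Once audit rows have been exported, a few checks against these fields can surface failed or partial response actions and sessions started outside working hours. The following is an added example, not Cortex XDR code; it assumes each row is a dict keyed by the column names in the table above and that Timestamp is formatted "YYYY-MM-DD HH:MM:SS", and the rows it uses are constructed samples.

```python
"""Triage rows exported from Response > Auditing (added example, not Cortex XDR code).

Assumptions: each row is a dict keyed by the column names in the audit table,
and Timestamp is formatted "YYYY-MM-DD HH:MM:SS".
"""
from collections import Counter
from datetime import datetime

# Constructed sample rows in the page's field schema; not real audit data.
SAMPLE_ROWS = [
    {"ID": "1", "Timestamp": "2024-05-01 08:00:00", "Email": "ana@example.com",
     "Type": "Authentication", "Result": "Success", "Host Name": "",
     "Description": "User session started"},
    {"ID": "2", "Timestamp": "2024-05-01 08:05:00", "Email": "ana@example.com",
     "Type": "Response", "Result": "Fail", "Host Name": "HOST-01",
     "Description": "Isolate host"},
    {"ID": "3", "Timestamp": "2024-05-01 22:30:00", "Email": "bob@example.com",
     "Type": "Live Terminal", "Result": "Partial", "Host Name": "HOST-02",
     "Description": "Command issued in remote terminal"},
    {"ID": "4", "Timestamp": "2024-05-02 02:15:00", "Email": "svc@example.com",
     "Type": "Public API", "Result": "Success", "Host Name": "",
     "Description": "Authentication with API key"},
    {"ID": "5", "Timestamp": "2024-05-02 09:00:00", "Email": "bob@example.com",
     "Type": "Incident Management", "Result": "Success", "Host Name": "",
     "Description": "Incident status changed"},
]

# Types that change endpoint state and deserve the closest review.
ACTION_TYPES = {"Response", "Live Terminal"}
# Types that record a session start, interactive or via API key.
SESSION_TYPES = {"Authentication", "Public API"}


def failed_actions(rows):
    """Response and Live Terminal rows whose Result is Partial or Fail."""
    return [r for r in rows
            if r["Type"] in ACTION_TYPES and r["Result"] in ("Partial", "Fail")]


def actions_per_user(rows):
    """Count state-changing actions per administrative Email address."""
    return Counter(r["Email"] for r in rows if r["Type"] in ACTION_TYPES)


def sessions_outside_hours(rows, start_hour=7, end_hour=19):
    """Authentication and Public API rows whose Timestamp falls outside the window."""
    out = []
    for r in rows:
        if r["Type"] not in SESSION_TYPES:
            continue
        hour = datetime.strptime(r["Timestamp"], "%Y-%m-%d %H:%M:%S").hour
        if not start_hour <= hour < end_hour:
            out.append(r)
    return out
```

Feeding real exported rows through these functions is a quick way to review the failed host isolations and off-hours API key logins that the page filters alone only let you browse.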
