Audit Admin Activity

From Response > Auditing, you can track the status of all administrative and investigative actions. Cortex XDR – Investigation and Response stores audit logs within the app for one year. Use the page filters to narrow the results, or use Manage Columns and Rows to add or remove fields as needed.
The following table lists, in alphabetical order, the default fields and the optional fields that you can add.

Field         Description
Description   Descriptive summary of the administrative action
Email         Email address of the administrative user
Host Name     Name of any relevant affected hosts
ID            Unique ID for the action
Result        Result of the administrative action: Success, Partial, or Fail
Subtype       Subcategory of the action
Timestamp     Time the action took place
Type          Type of activity logged, one of the values listed below the table
User Name     User who performed the action

Type values:
  • Remote Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, including a complete history of the commands issued, whether each succeeded, and the response.
  • Response—Remedial actions taken, for example isolating a host and undoing host isolation, or blacklisting a file hash and undoing a hash blacklist.
  • Result—Whether the action taken succeeded or failed, and the result reason when available.
  • Authentication—User sessions started, along with the user name that started the session.
  • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
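The audit table above is most useful when it is reviewed for the entries that matter: actions that did not fully succeed, and Response actions that reverse an earlier containment step. The script below is an added example and is not part of the Cortex XDR documentation or product. It works on constructed sample records keyed by the field names in the table; the JSON shape, the Subtype values ("Isolate Host", "Undo Isolate Host", "Undo Hash Blacklist") and the idea of exporting the log to JSON are assumptions, not a documented export format.

```python
"""Review audit-log entries for failed actions and reversed containment.

Added example, not Cortex XDR code. Records are constructed and keyed by the
field names the audit table lists; the JSON layout and Subtype strings are
assumptions.
"""
import json
from collections import Counter, defaultdict

# Constructed sample entries (not real audit data).
SAMPLE_AUDIT_JSON = json.dumps([
    {"ID": 101, "Timestamp": "2024-05-01T08:00:00Z", "Type": "Authentication",
     "Subtype": "Login", "Result": "Success", "User Name": "alice",
     "Email": "alice@example.com", "Host Name": "", "Description": "User alice logged in"},
    {"ID": 102, "Timestamp": "2024-05-01T08:05:00Z", "Type": "Response",
     "Subtype": "Isolate Host", "Result": "Success", "User Name": "alice",
     "Email": "alice@example.com", "Host Name": "WS-0042", "Description": "Host isolated"},
    {"ID": 103, "Timestamp": "2024-05-01T08:20:00Z", "Type": "Response",
     "Subtype": "Undo Isolate Host", "Result": "Success", "User Name": "bob",
     "Email": "bob@example.com", "Host Name": "WS-0042", "Description": "Isolation removed"},
    {"ID": 104, "Timestamp": "2024-05-01T09:00:00Z", "Type": "Response",
     "Subtype": "Undo Hash Blacklist", "Result": "Fail", "User Name": "bob",
     "Email": "bob@example.com", "Host Name": "", "Description": "Hash removed from blacklist"},
    {"ID": 105, "Timestamp": "2024-05-01T09:30:00Z", "Type": "Remote Terminal",
     "Subtype": "Command", "Result": "Partial", "User Name": "alice",
     "Email": "alice@example.com", "Host Name": "SRV-07", "Description": "whoami"},
])

# Assumed Subtype names for actions that reverse a containment step.
UNDO_SUBTYPES = {"Undo Isolate Host", "Undo Hash Blacklist"}

FIELDS = ("ID", "Timestamp", "Type", "Subtype", "Result",
          "User Name", "Email", "Host Name", "Description")


def load_entries(raw_json):
    """Parse a JSON list of audit entries; missing fields default to ''."""
    return [{f: entry.get(f, "") for f in FIELDS} for entry in json.loads(raw_json)]


def non_success(entries):
    """Entries whose Result is Partial or Fail, oldest first."""
    return sorted((e for e in entries if e["Result"] != "Success"),
                  key=lambda e: e["Timestamp"])


def undo_actions(entries):
    """Response actions that reverse an earlier containment step."""
    return [e for e in entries
            if e["Type"] == "Response" and e["Subtype"] in UNDO_SUBTYPES]


def actions_per_user(entries):
    """Number of actions per User Name, broken down by Type."""
    per_user = defaultdict(Counter)
    for e in entries:
        per_user[e["User Name"]][e["Type"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


def undo_by_different_user(entries):
    """(host, isolating user, undoing user) where host isolation was lifted
    by someone other than the user who last applied it successfully."""
    last_isolator = {}
    findings = []
    for e in sorted(entries, key=lambda e: e["Timestamp"]):
        if e["Type"] != "Response":
            continue
        if e["Subtype"] == "Isolate Host" and e["Result"] == "Success":
            last_isolator[e["Host Name"]] = e["User Name"]
        elif e["Subtype"] == "Undo Isolate Host":
            isolator = last_isolator.get(e["Host Name"])
            if isolator is not None and isolator != e["User Name"]:
                findings.append((e["Host Name"], isolator, e["User Name"]))
    return findings


if __name__ == "__main__":
    entries = load_entries(SAMPLE_AUDIT_JSON)
    for e in non_success(entries):
        print(f"{e['Timestamp']} {e['Result']:<7} {e['User Name']:<6} {e['Subtype']}")
    for host, who_isolated, who_undid in undo_by_different_user(entries):
        print(f"{host}: isolated by {who_isolated}, isolation lifted by {who_undid}")
    print(actions_per_user(entries))
```

The per-user breakdown gives a quick picture of who is doing what; the Result filter surfaces Partial and Fail outcomes that need follow-up; and the isolate/undo pairing flags cases where containment was lifted by a different operator than the one who applied it, which is worth confirming against the incident record.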
