Management Audit Log Messages

List of the Cortex XDR management audit log messages according to log type.
The following table displays the Cortex XDR management audit log messages by log type.
Message
Details
Type—Action Center
Action # {action_id} completed successfully. {action_description}.
  • Sub Type—Action Completed
  • Status—Success
  • Severity—Low
Action # {action_id} completed with {partial success}. {action_description}.
  • Sub Type—Action Completed
  • Status—Failed
  • Severity—Low
Action # {action_id} {failed / timeout / expired}. {action_description}.
  • Sub Type—Action Completed
  • Status—Failed
  • Severity—Low
Type—Agent Configuration
Agent global uninstall password updated
  • Sub Type—Global uninstall password
  • Status—Success
  • Severity—Informational
Agent auto upgrade configuration updated
  • Sub Type—Agent auto upgrade
  • Status—Success
  • Severity—Informational
Agent content bandwidth management {bandwidth_allocation}
  • Sub Type—Content bandwidth management
  • Status—Success
  • Severity—Informational
Agent advanced analysis configuration updated
  • Sub Type—Advanced Analysis
  • Status—Success
  • Severity—Informational
Type—Agent Installation
Distribution creation timeout for distribution id {distribution_id} packages generation - WLM task timed-out
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
Deleted installation package '{distribution.dist_name}'
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Edited installation package '{current_distribution.dist_name}'
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to create {general_desc}
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
Created {general_desc}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Type—Alert Exclusions
Auto-resolved {cases_info} incidents because all of the alerts they contain are excluded
  • Sub Type—Auto-Resolve Incidents
  • Status—Success
  • Severity—Informational
Reopened incident ID {cases_info} due to manual user action
  • Sub Type—Unresolve Auto-Resolved Incidents
  • Status—Success
  • Severity—Informational
Failed to add exclusion policy {name}
  • Sub Type—Add exclusion policy fail
  • Status—Fail
  • Severity—Informational
Add exclusion policy #{res}
  • Sub Type—Add exclusion policy
  • Status—Success
  • Severity—Informational
Failed to edit exclusion policy {edit_id}
  • Sub Type—Edit exclusion policy fail
  • Status—Fail
  • Severity—Informational
Edit exclusion policy #{edit_id}
  • Sub Type—Edit exclusion policy
  • Status—Success
  • Severity—Informational
Failed to delete exclusion policy
  • Sub Type—Delete exclusion policy fail
  • Status—Fail
  • Severity—Informational
Delete exclusion policy {','.join(map(str, whitelist_ids))}
  • Sub Type—Delete exclusion policy
  • Status—Success
  • Severity—Informational
Type—Alert Notifications
Notification ID {rule_id} Created
  • Sub Type—New Configuration
  • Status—Success
  • Severity—Informational
Notification ID {rule_id} Edited
  • Sub Type—Edit Configuration
  • Status—Success
  • Severity—Informational
Notification ID {rule_id} Enabled
  • Sub Type—Enable Configuration
  • Status—Success
  • Severity—Informational
Notification ID {rule_id} Disabled
  • Sub Type—Disable Configuration
  • Status—Success
  • Severity—Informational
Notification ID {rule_id} Deleted
  • Sub Type—Delete Configuration
  • Status—Success
  • Severity—Informational
Type—Alert Rules
Alert rule ID {rule_id} created
  • Sub Type—New Alert Rule
  • Status—Success
  • Severity—Informational
Alert rule ID {rule_id} edited
  • Sub Type—Edit Alert Rule
  • Status—Success
  • Severity—Informational
Alert rule ID {rule_id} deleted
  • Sub Type—Delete Alert Rule
  • Status—Success
  • Severity—Informational
Alert rule ID {rule_id} was enabled
  • Sub Type—Enable Alert Rule
  • Status—Success
  • Severity—Informational
Alert rule ID {rule_id} was disabled
  • Sub Type—Disable Alert Rule
  • Status—Success
  • Severity—Informational
Type—Api Key
Api Key ID {id} was added.
  • Sub Type—Add New Key
  • Status—Success
  • Severity—Informational
Api Key ID {id} was edited.
  • Sub Type—Edit Key
  • Status—Success
  • Severity—Informational
Deleted Api Keys: {id}.
  • Sub Type—Delete Key
  • Status—Success
  • Severity—Informational
Api Key ID {id} was deleted.
  • Sub Type—Delete Key
  • Status—Success
  • Severity—Informational
Type—Authentication
  • Sub Type—Login
  • Status—Success
  • Severity—Informational
  • Sub Type—Logout
  • Status—Success
  • Severity—Informational
User {user name} has failed to log in to the tenant, as the user is disabled
  • Sub Type—Login
  • Status—Fail
  • Severity—Informational
Type—Broker API
Broker {broker_id} has failed to authenticate
  • Sub Type—Authentication failed
  • Status—Fail
  • Severity—Informational
Type—Broker VMs
Broker VM register request completed
  • Sub Type—Register
  • Status—Success
  • Severity—Low
Broker VM register request failed
  • Sub Type—Register
  • Status—Fail
  • Severity—Low
{app_pretty} activated on broker VM {device_id}
  • Sub Type—Applet Activated
  • Status—Success
  • Severity—Low
{app_pretty} failed to activate on broker VM {device_id}
  • Sub Type—Applet Activated
  • Status—Fail
  • Severity—Low
Setting configuration {app_pretty} on broker VM {device_id}
  • Sub Type—Applet Set Configuration
  • Status—Success
  • Severity—Low
Failed setting configuration {app_pretty} on broker VM {device_id}
  • Sub Type—Applet Set Configuration
  • Status—Fail
  • Severity—Low
Getting {app_pretty}'s configurations of broker VM {device_id}
  • Sub Type—Applet Get Configuration
  • Status—Success
  • Severity—Low
Failed getting {app_pretty} configurations for broker VM {device_id}
  • Sub Type—Applet Get Configuration
  • Status—Fail
  • Severity—Low
{app_pretty} deactivated on broker VM {device_id}
  • Sub Type—Applet Deactivated
  • Status—Success
  • Severity—Low
{app_pretty} failed to deactivate on broker VM {device_id}
  • Sub Type—Applet Deactivated
  • Status—Fail
  • Severity—Low
Broker VM {device_id} retrieve logs request created
  • Sub Type—Broker Log
  • Status—Success
  • Severity—Low
Broker VM {device_id} retrieve logs failed request
  • Sub Type—Broker Log
  • Status—Fail
  • Severity—Low
Broker VM {device_id} was deleted
  • Sub Type—Remove Device
  • Status—Success
  • Severity—Low
Failed to delete Broker VM {device_id}
  • Sub Type—Remove Device
  • Status—Fail
  • Severity—Low
Sent action {action_name} to device: {device_id}
  • Sub Type—Action on device
  • Status—Success
  • Severity—Low
Failed to send action {action_name} to device: {device_id}
  • Sub Type—Action on device
  • Status—Fail
  • Severity—Low
Failed to start Live Shell with Broker device: {device_id}
  • Sub Type—Action on device
  • Status—Fail
  • Severity—Low
Set configuration for device {device_id}
  • Sub Type—Device configuration
  • Status—Success
  • Severity—Low
Failed to set configuration for device {device_id}
  • Sub Type—Device configuration
  • Status—Fail
  • Severity—Low
Broker VM {device_name} has disconnected from the Cortex XDR server.
  • Sub Type—Disconnect
  • Status—Fail
  • Severity—Low
Pathfinder configuration request completed
  • Sub Type—Edit Configuration
  • Status—Success
  • Severity—Low
Pathfinder configuration request failed
  • Sub Type—Edit Configuration
  • Status—Fail
  • Severity—Low
Pathfinder credentials request completed
  • Sub Type—Edit Credentials
  • Status—Success
  • Severity—Low
Pathfinder credentials request failed
  • Sub Type—Edit Credentials
  • Status—Fail
  • Severity—Low
Pathfinder Test request completed
  • Sub Type—Test
  • Status—Success
  • Severity—Low
Pathfinder Test request failed
  • Sub Type—Test
  • Status—Fail
  • Severity—Low
Type—Dashboards
Enabled Dashboard ID {dashboard_id}
  • Sub Type—Enable Dashboard
  • Status—Success
  • Severity—Informational
Disabled Dashboard ID {dashboard_id}
  • Sub Type—Disable Dashboard
  • Status—Success
  • Severity—Informational
Deleted Dashboard ID {dashboard_id}
  • Sub Type—Delete Dashboard
  • Status—Success
  • Severity—Informational
Created Dashboard ID {dashboard_id}
  • Sub Type—Create New Dashboard
  • Status—Success
  • Severity—Informational
Edited Dashboard ID {dashboard_id}
  • Sub Type—Edit Dashboard
  • Status—Success
  • Severity—Informational
Type—Device Control Permanent Exceptions
Device control permanent exceptions were edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit device control permanent exceptions
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Exception was added to device control permanent exceptions profile
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to add exception to device control permanent exceptions profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Device Control Profile
{platform} {profile_type} profile {profile_name} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a profile
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete a profile
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit a profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
A whitelist entry {vendor} {product} {serial} was added from a violation event to profile {profile_name}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to add exception to device control exceptions profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Device Control Temporary Exceptions
A temporary exception for {vendor} {product} {serial} on {target} {target_name} with {permission} permissions for {time} {time_units} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a temporary exception from violation
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
Device control temporary exceptions were updated
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to update device control temporary exceptions
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Disk Encryption Profile
{platform} {profile_type} profile {profile_name} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a host disk encryption profile
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete a host disk encryption profile
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit a host disk encryption profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—EDL Management
Enable EDL
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Disable EDL
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Edit username
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Edit password
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Edit username and password
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
EDL Authentication
  • Sub Type—Authentication
  • Status—Fail
  • Severity—Informational
Type—Endpoint Administration
Uninstall agent on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Upgrade {platform} on {scope} to {versions}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Retrieve endpoint data from {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Change managing server on {scope} using the following distribution IDs {distribution_ids}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Set agent proxy ({proxy_addresses}) for {host_name}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Delete {host_name}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Cancel {action_name} (id={group_action_id}) for {scope}
  • Sub Type—Cancel
  • Status—Success
  • Severity—Informational
Disable agent proxy for {host_name}
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Could not include {endpoint-id} in auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Fail
  • Severity—Informational
Could not exclude {endpoint-id} from auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Fail
  • Severity—Informational
Could not include {endpoint-id} and {x} other endpoints in auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Fail
  • Severity—Informational
Could not exclude {endpoint-id} and {x} other endpoints from auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Fail
  • Severity—Informational
{endpoint-id} was excluded from auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Success
  • Severity—Informational
{endpoint-id} was included in auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Success
  • Severity—Informational
{endpoint-id} and {x} other endpoints were included in auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Success
  • Severity—Informational
{endpoint-id} and {x} other endpoints were excluded from auto upgrade
  • Sub Type—Agent auto upgrade
  • Status—Success
  • Severity—Informational
Type—Endpoint Groups
Endpoint group '{group_name}' created
  • Sub Type—Create Group
  • Status—Success
  • Severity—Informational
Endpoint group '{group_name}' failed to create
  • Sub Type—Create Group
  • Status—Fail
  • Severity—Informational
Endpoint group '{group_name}' deleted
  • Sub Type—Delete Group
  • Status—Success
  • Severity—Informational
Endpoint group '{group_name}' failed to delete
  • Sub Type—Delete Group
  • Status—Fail
  • Severity—Informational
Endpoint group edited {modified_fields}
  • Sub Type—Edit Group
  • Status—Success
  • Severity—Informational
Endpoint group '{group_name}' failed to update
  • Sub Type—Edit Group
  • Status—Fail
  • Severity—Informational
Type—Extensions Policy
Device Control policy rules were updated
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to update device control policy rules
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Extensions policy rules were updated
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to update extensions policy rules
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Extensions Profile
{platform} {profile_type} profile {profile_name} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create an extensions profile
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete an extensions profile
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit an extensions profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Featured Alert Fields
Added {count} new featured {field_type}{plural}
  • Sub Type—Add
  • Status—Success
  • Severity—Informational
Failed to add {count} new featured {field_type}{plural}
  • Sub Type—Add
  • Status—Fail
  • Severity—Informational
Deleted {count} featured {field_type}{plural}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete {count} featured {field_type}{plural}
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
Edited {count} featured {field_type}{plural}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit {count} featured {field_type}{plural}
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Imported new featured {field_type}{plural}
  • Sub Type—Import
  • Status—Success
  • Severity—Informational
Failed to import new featured {field_type}{plural}
  • Sub Type—Import
  • Status—Fail
  • Severity—Informational
Replaced all featured {field_type}{plural} with a new list containing {count} values
  • Sub Type—Replace
  • Status—Success
  • Severity—Informational
Failed to replace {count} featured {field_type}{plural}
  • Sub Type—Replace
  • Status—Fail
  • Severity—Informational
Type—Global Exceptions
Global exceptions were edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit global exceptions
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
{exception_type} was added to global exceptions profile
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to add exception to global exceptions profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Host Firewall Profile
{platform} {profile_type} profile {profile_name} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a host firewall profile
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete a host firewall profile
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit a host firewall profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Host Insights
Endpoint host insights collection initiated successfully
  • Sub Type—Collect Host Insights from an Endpoint
  • Status—Success
  • Severity—Informational
Failed initiating host insights collection from an endpoint
  • Sub Type—Collect Host Insights from an Endpoint
  • Status—Fail
  • Severity—Informational
Type—Incident Management
Changed incident {incident_id} status to {new_status}
  • Sub Type—Change Incident Status
  • Status—Success
  • Severity—Informational
Changed incident {incident_id} severity to {new_severity}
  • Sub Type—Change Incident Severity
  • Status—Success
  • Severity—Informational
Changed incident {incident_id} name to {new_name}
  • Sub Type—Edit Incident Name
  • Status—Success
  • Severity—Informational
Deleted incident {incident_id} name
  • Sub Type—Deleted Incident Name
  • Status—Success
  • Severity—Informational
Incident {incident_id} assigned to {user_name}
  • Sub Type—Assign Incident
  • Status—Success
  • Severity—Informational
Incident {incident_id} unassigned
  • Sub Type—Unassigned Incident
  • Status—Success
  • Severity—Informational
Added artifact {artifact_type}: {artifact_value} to incident {incident_id}
  • Sub Type—Add Key Artifact
  • Status—Success
  • Severity—Informational
Added asset {asset_type}:{asset_value} to incident {incident_id}
  • Sub Type—Add Key Asset
  • Status—Success
  • Severity—Informational
Deleted artifact {artifact_type}: {artifact_value} from incident {incident_id}
  • Sub Type—Delete Key Artifact
  • Status—Success
  • Severity—Informational
Deleted asset {asset_type}:{asset_value} from incident {incident_id}
  • Sub Type—Delete Key Asset
  • Status—Success
  • Severity—Informational
Moved {count} alerts from incident {src_incident_id} to incident {dst_incident_id}
  • Sub Type—Move Alerts
  • Status—Success
  • Severity—Informational
Merged {src_incident_ids} with incident {dst_incident_id}
  • Sub Type—Merge Incidents
  • Status—Success
  • Severity—Informational
Merged {src_incident_ids} incidents with incident {dst_incident_id}
  • Sub Type—Merge Incidents
  • Status—Success
  • Severity—Informational
Changed assignee of {count} incident{plural} to {user_name}
  • Sub Type—Bulk Change Incident Assignee
  • Status—Success
  • Severity—Informational
Changed status of {count} incident{plural} to {status}
  • Sub Type—Bulk Change Incident status
  • Status—Success
  • Severity—Informational
Changed severity of {count} incident{plural} to {severity}
  • Sub Type—Bulk Change Incident Severity
  • Status—Success
  • Severity—Informational
Changed scoring of {count} incident{plural} to {manual_score}
  • Sub Type—Change Scoring
  • Status—Success
  • Severity—Informational
Changed scoring of {count} incident{plural} to rule-based scoring
  • Sub Type—Change Scoring
  • Status—Success
  • Severity—Informational
Changed scoring of incident #{incident_id} to {manual_score}
  • Sub Type—Change Scoring
  • Status—Success
  • Severity—Informational
Changed scoring of incident #{incident_id} to rule-based scoring
  • Sub Type—Change Scoring
  • Status—Success
  • Severity—Informational
Type—Ingest Data
Requested to ingest {num_of_alerts} CEFs
  • Sub Type—CEF
  • Status—Success
  • Severity—Informational
Requested to ingest {num_of_alerts} LEEFs
  • Sub Type—LEEF
  • Status—Success
  • Severity—Informational
Requested to ingest {num_of_alerts} parsed alerts
  • Sub Type—Parsed Alerts
  • Status—Success
  • Severity—Informational
Type—Integrations
Created syslog integration {syslog_name} (ID={syslog_id})
  • Sub Type—Create Syslog Integrations
  • Status—Success
  • Severity—Informational
Edited syslog integration {syslog_name} (ID={syslog_id})
  • Sub Type—Edit Syslog Integrations
  • Status—Success
  • Severity—Informational
Deleted syslog integration {syslog_name} (ID={syslog_id})
  • Sub Type—Delete Syslog Integrations
  • Status—Success
  • Severity—Informational
Type—Licensing
Host Insights Add-on license has expired
  • Sub Type—Expiration
  • Status—Success
  • Severity—Low
{license_name} license has expired
  • Sub Type—Expiration
  • Status—Success
  • Severity—Informational
{license_name} license will expire in less than {time_remaining_in_days} days
  • Sub Type—Expiration
  • Status—Success
  • Severity—Informational
Your agents with data collection license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed
  • Sub Type—Quota
  • Status—Success
  • Severity—Informational
Your agents with data collection license pool reached full capacity
  • Sub Type—Quota
  • Status—Success
  • Severity—Informational
Your installed agents license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed
  • Sub Type—Quota
  • Status—Success
  • Severity—Informational
Your installed agents license pool reached full capacity
  • Sub Type—Quota
  • Status—Success
  • Severity—Informational
Type—Live Terminal
Connection request sent to host: {host}
  • Sub Type—Connect
  • Status—Success
  • Severity—Low
Connection request sent to host: {host}
  • Sub Type—Connect
  • Status—Fail
  • Severity—Low
Connection opened
  • Sub Type—Status
  • Status—Success
  • Severity—Low
Connection opened
  • Sub Type—Status
  • Status—Fail
  • Severity—Low
Connection closed
  • Sub Type—Status
  • Status—Success
  • Severity—Low
Failed to {description}
  • Sub Type—Status
  • Status—Fail
  • Severity—Low
{error_detail} in {path}
  • Sub Type—Delete File
  • Status—Fail
  • Severity—Low
Delete file {path}
  • Sub Type—Delete File
  • Status—Success
  • Severity—Low
Delete file {name} in {path}
  • Sub Type—Delete File
  • Status—Success
  • Severity—Low
{error_detail} in {path}
  • Sub Type—Move File
  • Status—Fail
  • Severity—Low
Move file {path} to {target_path}
  • Sub Type—Move File
  • Status—Success
  • Severity—Low
Move file {name} from {path} to {target_path}
  • Sub Type—Move File
  • Status—Success
  • Severity—Low
{error_detail} in {path}
  • Sub Type—Copy File
  • Status—Fail
  • Severity—Low
Copy file {path} to {target_path}
  • Sub Type—Copy File
  • Status—Success
  • Severity—Low
Copy file {name} from {path} to {target_path}
  • Sub Type—Copy File
  • Status—Success
  • Severity—Low
Type—Managed Threat Hunting
Pairing with {name} was removed
  • Sub Type—Pairing
  • Status—Success
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Register
  • Status—Success
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Re-register
  • Status—Success
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Register
  • Status—Fail
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Re-register
  • Status—Fail
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Unregistered
  • Status—Success
  • Severity—Informational
Registered to MTH service with email : {email}
  • Sub Type—Unregistered
  • Status—Fail
  • Severity—Informational
Type—MSSP
Synced {len(biocs)} BIOC rules and {len(exceptions)} exceptions
  • Sub Type—Synchronization
  • Status—Success
  • Severity—Informational
Synced {len(inclusions)} starred alerts
  • Sub Type—Synchronization
  • Status—Success
  • Severity—Informational
Synced {len(whitelists)} exclusion alerts
  • Sub Type—Synchronization
  • Status—Success
  • Severity—Informational
Synced {len(profiles)} profiles
  • Sub Type—Synchronization
  • Status—Success
  • Severity—Informational
Synced {len(ab_list)} allow/block items
  • Sub Type—Synchronization
  • Status—Success
  • Severity—Informational
Failed to fetch data from signed_url
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Failed to sync {len(biocs)} BIOC rules and {len(exceptions)} exceptions
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Failed to sync {len(inclusions)} starred alerts
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Failed to sync {len(whitelists)} exclusion alerts
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Failed to sync {len(ab_list)} allow/block list items
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Failed to sync {len(profiles)} profiles
  • Sub Type—Synchronization
  • Status—Fail
  • Severity—Informational
Type—Permission
{user name} was assigned permissions of role {role name}
  • Sub Type—User Permissions Assigned
  • Status—Success
  • Severity—Informational
{user name} permissions were updated from {role name} to {role name}
  • Sub Type—User Permissions Edited
  • Status—Success
  • Severity—Informational
{user name} permissions were removed
  • Sub Type—User Permissions Revoked
  • Status—Success
  • Severity—Informational
{user name} access has been disabled due to last login timeout
  • Sub Type—User Access Disabled
  • Status—Success
  • Severity—Informational
{user name} access has been manually disabled
  • Sub Type—User Access Disabled
  • Status—Success
  • Severity—Informational
{user name} access has been enabled
  • Sub Type—User Access Enabled
  • Status—Success
  • Severity—Informational
{role name} created with the following permissions: {1,2,3}
  • Sub Type—Role Created
  • Status—Success
  • Severity—Informational
{role name} edited, the following permissions {1,2} were added and the following permissions removed {1,2,3}
  • Sub Type—Role Edited
  • Status—Success
  • Severity—Informational
{role name} deleted
  • Sub Type—Role Deleted
  • Status—Success
  • Severity—Informational
Type—Policy & Profiles
{platform} {profile_type} profile {profile_name} was created
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a profile
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was created by {parent_tenant}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
Failed to create a profile by {parent_tenant}
  • Sub Type—Create
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete a profile
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was deleted by {parent_tenant}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Failed to delete a profile by {parent_tenant}
  • Sub Type—Delete
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit a profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
{exception_type} was added to exceptions profile {profile_name}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to add exception to exceptions profile
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
{platform} {profile_type} profile {profile_name} was edited by {parent_tenant}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to edit a profile by {parent_tenant}
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Prevention Policy Rules
Policy rules were updated
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to update policy rules
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Policy rules reverted to previous state due to profile removal by {parent_tenant}
  • Sub Type—Revert
  • Status—Success
  • Severity—Informational
Type—Public API
Source IP: {source_ip}, API key ID: {key_id}
  • Sub Type—Authentication failed
  • Status—Fail
  • Severity—Informational
Type—Query Center
Query ID {identifier} was executed
  • Sub Type—Run Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was scheduled
  • Sub Type—Schedule Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was removed from scheduled queries
  • Sub Type—Remove Scheduling
  • Status—Success
  • Severity—Informational
Query ID {identifier} was renamed
  • Sub Type—Rename Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was removed
  • Sub Type—Remove Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was saved
  • Sub Type—Save Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was enabled
  • Sub Type—Enable Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was disabled
  • Sub Type—Disable Query
  • Status—Success
  • Severity—Informational
Query ID {identifier} was rescheduled
  • Sub Type—Edit Query
  • Status—Success
  • Severity—Informational
Type—Remediation
Created remediation action to {operations} from {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Canceled {action_name} (id={group_action_id}) on {scope}
  • Sub Type—Cancel
  • Status—Success
  • Severity—Low
Type—Reporting
Downloaded report '{report_names}' ID {report_ids}
  • Sub Type—Download Report
  • Status—Success
  • Severity—Informational
Deleted report(s) '{report_names}' ID(s) {report_ids}
  • Sub Type—Delete Report
  • Status—Success
  • Severity—Informational
Created report template '{template_name}' ID {template_id}
  • Sub Type—Create New Report Template
  • Status—Success
  • Severity—Informational
Disabled report template '{template_name}' ID {template_id}
  • Sub Type—Disable Report Template
  • Status—Success
  • Severity—Informational
Enabled report template '{template_name}' ID {template_id}
  • Sub Type—Enable Report Template
  • Status—Success
  • Severity—Informational
Edited report template '{template_name}' ID {template_id}
  • Sub Type—Edit Report Template
  • Status—Success
  • Severity—Informational
Deleted report template(s) '{template_name}' ID(s) {template_id}
  • Sub Type—Delete Report Template
  • Status—Success
  • Severity—Informational
Emailed report '{template_name}' ID {report_id} to {emails}
  • Sub Type—Email Report
  • Status—Success
  • Severity—Informational
Slack report '{template_name}' ID {report_id} to {channels}
  • Sub Type—Slack Report
  • Status—Success
  • Severity—Informational
Type—Response
Retrieve {count} file(s) from {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Retrieve alert data from {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Quarantine {path}, SHA256: {hash} on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Restore quarantined file with hash {hash} on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Malware scan on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Abort malware scan on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Isolate {scope} from the network
  • Sub Type—Create
  • Status—Success
  • Severity—Low
UnIsolate {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Kill process {process_name} on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Initiate Live Terminal on {scope}
  • Sub Type—Create
  • Status—Success
  • Severity—Low
Delete {count} hash(es) from allow list
  • Sub Type—Delete
  • Status—Success
  • Severity—Low
Delete {count} hash(es) from block list
  • Sub Type—Delete
  • Status—Success
  • Severity—Low
Delete isolation comment of {scope}
  • Sub Type—Delete
  • Status—Success
  • Severity—Low
Cancel {action_name} (id= {action_id}) for {scope}
  • Sub Type—Cancel
  • Status—Success
  • Severity—Low
Enable {count} hash(es) from allow list
  • Sub Type—Enable
  • Status—Success
  • Severity—Low
Enable and move {count} hash(es) from allow list to block list
  • Sub Type—Enable
  • Status—Success
  • Severity—Low
Enable {count} hash(es) from block list
  • Sub Type—Enable
  • Status—Success
  • Severity—Low
Enable and move {count} hash(es) from block list to allow list
  • Sub Type—Enable
  • Status—Success
  • Severity—Low
{add_on_name} Add-on activated successfully
  • Sub Type—Enable
  • Status—Success
  • Severity—Low
Disable {count} hash(es) from allow list
  • Sub Type—Disable
  • Status—Success
  • Severity—Low
Disable {count} hash(es) from block list
  • Sub Type—Disable
  • Status—Success
  • Severity—Low
{add_on_name} Add-on disabled successfully
  • Sub Type—Disable
  • Status—Success
  • Severity—Low
Move {count} hash(es) to block list
  • Sub Type—Move
  • Status—Success
  • Severity—Low
Move {count} hash(es) to allow list
  • Sub Type—Move
  • Status—Success
  • Severity—Low
Edit comment of {count} hash in allow list
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Updated incident ID of a hash from allow list: {hash} to: {incident_id}
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Removed incident ID of a hash from allow list: {hash}
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Edit comment of {count} hash in block list
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Updated incident ID of a hash from block list: {hash} to: {incident_id}
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Removed incident ID of a hash from block list: {hash}
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Edit isolation comment of {scope} to {isolate_comment}
  • Sub Type—Edit
  • Status—Success
  • Severity—Low
Disable {capability} on {scope}
  • Sub Type—Disable Capability
  • Status—Success
  • Severity—Low
Removed {ip} from the blocked IP address list of {scope}
  • Sub Type—Unblock
  • Status—Success
  • Severity—Low
Type—Rules
IOC created - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
BIOC created - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Create
  • Status—Success
  • Severity—Informational
IOC deleted - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
BIOC deleted - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
IOC changed - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Change
  • Status—Success
  • Severity—Informational
Changed {count} IOCs
  • Sub Type—Change
  • Status—Success
  • Severity—Informational
BIOC changed - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Change
  • Status—Success
  • Severity—Informational
Changed {count} BIOCs
  • Sub Type—Change
  • Status—Success
  • Severity—Informational
IOC disabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Disabled {count} IOCs
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
IOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
BIOC disabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
BIOC rule {rule_id} has been automatically disabled because it reached {hits} matches in the last {time} - name: {rule_name} severity: {rule_severity} type: {rule_type}
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Disabled {count} BIOCs
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Analytics BIOC rule disabled - name: '{rule_name}' global rule id: '{global_rule_id}'
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
Disabled {count} Analytics BIOC rules
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
BIOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.
  • Sub Type—Disable
  • Status—Success
  • Severity—Informational
IOC enabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Enabled {count} IOCs
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
BIOC enabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Enabled {count} BIOCs
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Analytics BIOC rule enabled - name: '{rule_name}' global rule id: '{global_rule_id}'
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Enabled {count} Analytics BIOC rules
  • Sub Type—Enable
  • Status—Success
  • Severity—Informational
Imported {count} IOCs
  • Sub Type—Import
  • Status—Success
  • Severity—Informational
Imported {count} BIOCs
  • Sub Type—Import
  • Status—Success
  • Severity—Informational
{count} IOCs expired
  • Sub Type—Expire
  • Status—Success
  • Severity—Informational
Exported {count} BIOCs
  • Sub Type—Export
  • Status—Success
  • Severity—Informational
BIOC content updated - Palo Alto Networks repository provided a BIOC update
  • Sub Type—Content Update
  • Status—Success
  • Severity—Informational
Type—Rules Exceptions
Added new rule exception
  • Sub Type—Add
  • Status—Success
  • Severity—Informational
Edited rule exception ID:{exception_id}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Deleted {exception_ids_len} rule exceptions
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Deleted rule exception ID: {exception_id}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Exported {exception_id} rule exception
  • Sub Type—Export
  • Status—Success
  • Severity—Informational
Exported {exported_exceptions} rule exceptions
  • Sub Type—Export
  • Status—Success
  • Severity—Informational
Imported {exception_id} rule exception
  • Sub Type—Import
  • Status—Success
  • Severity—Informational
Imported {imported_exceptions} rule exceptions
  • Sub Type—Import
  • Status—Success
  • Severity—Informational
Type—SaaS Collection
{vendor} Data Collection for {name} created.
  • Sub Type—Create Configuration
  • Status—Success
  • Severity—Informational
{vendor} Data Collection for {name} deleted.
  • Sub Type—Delete Configuration
  • Status—Success
  • Severity—Informational
{vendor} Data Collection for {name} edited.
  • Sub Type—Edit Configuration
  • Status—Success
  • Severity—Informational
{vendor} Data Collection for {name} disabled.
  • Sub Type—Disable Configuration
  • Status—Success
  • Severity—Informational
{vendor} Data Collection for {name} enabled.
  • Sub Type—Enable Configuration
  • Status—Success
  • Severity—Informational
{vendor} Data Collection for {name} was disconnected with error '{disconnected_error}'
  • Sub Type—Configuration Disconnected
  • Status—Fail
  • Severity—Informational
Collection authentication failed. Collection key ID {key_id}. Source IP: {source_ip}
  • Sub Type—Authentication Failed
  • Status—Fail
  • Severity—Informational
Type—Scoring Rules
Scoring rules were updated
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Failed to update scoring rules
  • Sub Type—Edit
  • Status—Fail
  • Severity—Informational
Type—Script Execution
Run {script_name} on {scope}
  • Sub Type—Run script
  • Status—Success
  • Severity—Low
Cancel {action_name} (id={group_action_id}) for {scope}
  • Sub Type—Cancel
  • Status—Success
  • Severity—Low
Abort {action_name} (id={group_action_id}) for {scope}
  • Sub Type—Abort
  • Status—Success
  • Severity—Low
Add {outcome} script, name: {name}, description: {description}, compatible for {platform}, script id: {script_id}
  • Sub Type—Add Script
  • Status—Success
  • Severity—Informational
Edit {script_name}, script id - {script_id}: {updated_values}
  • Sub Type—Edit
  • Status—Success
  • Severity—Informational
Delete {script_name}, script id: {script_id}
  • Sub Type—Delete
  • Status—Success
  • Severity—Informational
Type—Starred Incidents
Incident {incident_id} was manually starred
  • Sub Type—Manual Star
  • Status—Success
  • Severity—Informational
Incident {incident_id} was manually unstarred
  • Sub Type—Manual Un-star
  • Status—Success
  • Severity—Informational
{count} incident{plural} were starred
  • Sub Type—Bulk Star
  • Status—Success
  • Severity—Informational
{count} incident{plural} were un-starred
  • Sub Type—Bulk Un-star
  • Status—Success
  • Severity—Informational
Enabled starring policy {edit_id}
  • Sub Type—Enable Policy
  • Status—Success / Fail
  • Severity—Informational
Disabled starring policy {edit_id}
  • Sub Type—Disable Policy
  • Status—Success / Fail
  • Severity—Informational
Edited starring policy {edit_id}
  • Sub Type—Edit Policy
  • Status—Success / Fail
  • Severity—Informational
Deleted starring policy
  • Sub Type—Delete Policy
  • Status—Success / Fail
  • Severity—Informational
Created starring policy {res}
  • Sub Type—Create Policy
  • Status—Success / Fail
  • Severity—Informational
Type—System
Temporary Devops access granted to user: ({member})
  • Sub Type—Devops Access
  • Status—Success
  • Severity—Informational