1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex® XDR™ Prevent Administrator’s Guide
    5. Monitoring
    6. Monitor Administrative Activity

    Monitor Administrative Activity

    View all Cortex XDR administrator-initiated actions taken on alerts, incidents, and live terminal sessions.
    From
    Settings
    Management Auditing
    , you can track the status of all administrative and investigative actions. 
    XDR
     stores audit logs for 365 days (instead of 180 days, which was the retention period in the past). Use the page filters to narrow the results or Manage Columns and Rows to add or remove fields as needed.
    To ensure you and your colleagues stay informed about administrative activity, you can Configure Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server, or Slack channel.
    The following table describes the default
    and optional additional fields
     that you can view in alphabetical order.
    Field
    Description
    Email
    Email address of the administrative user
    Description
    Descriptive summary of the administrative action. Hover over this field to view more detailed information in a popup tooltip. This enables you to know exactly what has changed, and, if necessary, roll back the change.
    Host Name
    Name of any relevant affected hosts
    ID
    Unique ID of the action
    Result
    Result of the administrative action: Success, Partial, or Fail.
    Subtype
    Sub category of action
    Timestamp
    Time and date of the action
    Type
    Type of activity logged, one of the following:
    • Agent Configuration—Configuration of a particular Cortex XDR agent on a particular endpoint.
    • Agent Installation—Installation of the Cortex XDR agent on a particular endpoint.
    • Alert Exclusions—Suppression of particular alerts from
      Cortex
      XDR
      .
    • Alert Notifications—Modification of the format or timing of alerts.
    • Alert Rules—Modification of alert rules.
    • API Key—Modification of the
      Cortex
      XDR
       API key.
    • Authentication—User sessions started, along with the user name that started the session.
    • Broker API—Operation related to the Broker application programming interface (API).
    • Broker VM—Operation related to the Broker virtual machine (VM).
    • Dashboards—Use of particular dashboards.
    • Device Control Permanent Exceptions—Modification of permanent device control exceptions.
    • Device Control Profile—Modification of a device control profile.
    • Device Control Temporary Exceptions—Modification of temporary device control exceptions.
    • Disk Encryption Profile—Modification of a disk encryption profile.
    • Endpoint Administration—Management of endpoints.
    • Endpoint Groups—Management of endpoint groups.
    • Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.
    • Extensions Profiles—Modification of extension profile settings.
    • Global Exceptions—Management of global exceptions.
    • Host Firewall Profile—Modification of a host firewall profile.
    • Host Insights— Initiation of Host Insights data collection scan (Host Inventory and Vulnerability Assessment).
    • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
    • Ingest Data—Import of data for immediate use or storage in a database.
    • Integrations—Integration operations, such as integrating Slack for outbound notifications.
    • Licensing—Any licensing-related operation.
    • Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.
    • Managed Threat Hunting—Activity relating to managed threat hunting.
    • MSSP—Management of security services providers.
    • Policy & Profiles—Activity related to managing policies and profiles.
    • Prevention Policy Rules—Modification of prevention policy rules.
    • Protection Policy—Modification of the protection policy.
    • Protection Profile—Modification of the protection profile.
    • Public API—Authentication activity using an associated
      Cortex
      XDR
       API key.
    • Query Center—Operations in the Query Center.
    • Remediation—Remediation operations.
    • Reporting—Any reporting activity.
    • Response—Remedial actions taken. For example: Isolate a host, undo host isolation, add a file hash signature to block list, or undo the addition to the block list.
    • Rules—Modification to rules.
    • Rules Exceptions—Creation, editing, or deletion under Rules exceptions.
    • SaaS Collection—Any collected SaaS data.
    • Script Execution—Any script execution.
    • Starred Incidents—Modification of starred incidents.
    • Vulnerability Assessment—Any vulnerability assessment activity.
    User Name
    The user who performed the action.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo