Monitor Administrative Activity

View all Cortex XDR administrator-initiated actions taken on alerts, incidents, and live terminal sessions.
From the settings menu (gear icon), select Management Auditing to track the status of all administrative and investigative actions. Cortex XDR stores audit logs for 180 days. Use the page filters to narrow the results, or Manage Columns and Rows to add or remove fields as needed.
To ensure you and your colleagues stay informed about administrative activity, you can Configure Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server, or Slack channel.
The following table describes the default and optional additional fields that you can view, listed in alphabetical order.

Field        Description
Description  Descriptive summary of the administrative action
Email        Email address of the administrative user
Host Name    Name of any relevant affected hosts
ID           Unique ID for the action
Result       Result of the administrative action: Success, Partial, or Fail
Subtype      Subcategory of the action
Timestamp    Time the action took place
Type         Type of activity logged, one of the following:
  • Live Terminal: Remote terminal sessions created and actions taken in the file manager or task manager, including a complete history of the commands issued, whether they succeeded, and the response.
  • Response: Remedial actions taken, for example isolating a host and undoing the isolation, or adding a file hash to the block list and undoing that addition.
  • Result: Whether the action taken succeeded or failed, and the result reason when available.
  • Authentication: User sessions started, along with the user name that started the session.
  • Incident Management: Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
  • Public API: Authentication activity using an associated Cortex XDR API key.
User Name    User who performed the action
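As an added example (not part of the Cortex XDR documentation), the following Python script reviews Management Audit records after they have been forwarded to a Syslog collector. It assumes each record arrives as one JSON object per line whose keys match the column names above; that layout and the sample records are constructed, not the documented forwarding format.

```python
import json
from collections import Counter

# Constructed sample records (one JSON object per line). Field names follow the
# Management Audit columns; the JSON layout itself is an assumption.
# The third line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """
{"Timestamp": "2024-05-01T08:00:00Z", "Type": "Authentication", "Subtype": "Login", "Result": "Success", "Email": "a@example.com", "User Name": "alice", "Host Name": "", "Description": "User logged in"}
{"Timestamp": "2024-05-01T08:05:00Z", "Type": "Live Terminal", "Subtype": "Session Started", "Result": "Success", "Email": "a@example.com", "User Name": "alice", "Host Name": "WS-042", "Description": "Live terminal session opened"}
<forwarder truncated this line>
{"Timestamp": "2024-05-01T08:06:00Z", "Type": "Response", "Subtype": "Isolate Host", "Result": "Fail", "Email": "a@example.com", "User Name": "alice", "Host Name": "WS-042", "Description": "Isolate host failed: agent offline"}
{"Timestamp": "2024-05-01T08:10:00Z", "Type": "Public API", "Subtype": "API Key Auth", "Result": "Success", "Email": "", "User Name": "api-key-7", "Host Name": "", "Description": "API key authenticated"}
{"Timestamp": "2024-05-01T08:12:00Z", "Type": "Response", "Subtype": "Undo Isolate Host", "Result": "Partial", "Email": "b@example.com", "User Name": "bob", "Host Name": "WS-042", "Description": "Undo isolation partially applied"}
"""


def parse_records(text):
    """Parse one JSON object per line, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a damaged line must not stop the review of the rest
    return records


def triage(records):
    """Group the records a reviewer wants to see first, by the documented Type/Result values."""
    findings = {"failed_or_partial": [], "live_terminal": [], "api_auth": []}
    for r in records:
        if r.get("Result") in ("Fail", "Partial"):
            findings["failed_or_partial"].append((r.get("Timestamp"), r.get("User Name"), r.get("Subtype"), r.get("Result")))
        if r.get("Type") == "Live Terminal":
            findings["live_terminal"].append((r.get("User Name"), r.get("Host Name")))
        if r.get("Type") == "Public API":
            findings["api_auth"].append(r.get("User Name"))
    return findings


def actions_per_user(records):
    """Count audited actions per User Name to spot unusually active accounts."""
    return Counter(r.get("User Name") for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for key, items in triage(recs).items():
        print(key, items)
    print(actions_per_user(recs))
```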
