View all Cortex XDR administrator-initiated actions taken
on alerts, incidents, and live terminal sessions.
From the Management Audit log, you can track the status of all administrative and investigative actions. Cortex XDR stores audit logs for 180 days. Use the page filters to narrow the results, or Manage Columns and Rows to add or remove fields as needed.
To help you and your colleagues stay informed about administrative activity, you can Configure Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server, or Slack channel.
The following table describes the default and optional additional fields that you can view, in alphabetical order.
Email address of the administrative user
Descriptive summary of the administrative action
Name of any relevant affected hosts
Unique ID for the action
Result of the administrative action: Success, Partial,
Sub category of action
Time the action took place
Type of activity logged, one of the following:
Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, including a complete history of the commands issued, whether each succeeded, and the response.
Response—Remedial actions taken, for example isolate host and undo isolate host, or add file hash signature to block list and undo add hash to block list.
Result—Whether the action taken was successful or failed, and the result reason when available.
Authentication—User sessions started, along with the user name that started the session.
Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
Public API—Authentication activity using an associated Cortex XDR API key.
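Once the Management Audit log is forwarded to a Syslog server or SIEM, a short triage pass over the records is a natural next step. The following is an added example, not Cortex XDR code: it assumes record keys named after the field descriptions above (type, subtype, result, administrator, description, hosts, timestamp), uses constructed sample records, and flags Response actions that reverse containment, actions that did not succeed, and repeated failed logins.

```python
"""Triage Management Audit records after they are forwarded to a SIEM.

Added example, not Cortex XDR code. The record keys below are assumptions
modelled on the field descriptions above; forwarded records may differ.
"""
from collections import Counter


def rec(ts, typ, subtype, result, admin, desc, hosts=""):
    """Build one record in the assumed forwarded-log shape (constructed data)."""
    return {"timestamp": ts, "type": typ, "subtype": subtype, "result": result,
            "administrator": admin, "description": desc, "hosts": hosts}


# Constructed sample records covering the activity types listed above.
SAMPLE_RECORDS = [
    rec("2024-05-01T09:00:00Z", "Authentication", "Login", "Failure", "ops@example.com", "User login failed"),
    rec("2024-05-01T09:01:00Z", "Authentication", "Login", "Failure", "ops@example.com", "User login failed"),
    rec("2024-05-01T09:02:00Z", "Authentication", "Login", "Failure", "ops@example.com", "User login failed"),
    rec("2024-05-01T10:00:00Z", "Response", "Isolation", "Success", "admin@example.com", "Undo isolate host", "WS-0142"),
    rec("2024-05-01T10:05:00Z", "Response", "Block List", "Partial", "admin@example.com", "Add file hash signature to block list"),
    rec("2024-05-01T10:10:00Z", "Incident Management", "Status", "Success", "admin@example.com", "Incident status changed"),
    rec("2024-05-01T11:00:00Z", "Public API", "API Key", "Success", "svc-api@example.com", "Authenticated with API key"),
]

# Response actions that reverse an earlier containment decision.
REVERSAL_PHRASES = ("undo isolate", "undo add hash")


def count_by_type(records):
    """Activity volume per Type, a quick baseline for spotting unusual days."""
    return Counter(r.get("type", "") for r in records)


def triage(records, failed_login_threshold=3):
    """Return (kind, administrator, detail) findings that deserve a human look."""
    findings, failed_logins = [], Counter()
    for r in records:
        rtype, result = r.get("type", ""), r.get("result", "")
        desc, who = r.get("description", ""), r.get("administrator", "")
        if rtype == "Authentication" and result == "Failure":
            failed_logins[who] += 1  # compared against the threshold below
        elif result in ("Failure", "Partial"):
            findings.append(("action_not_successful", who, desc))
        if rtype == "Response" and any(p in desc.lower() for p in REVERSAL_PHRASES):
            findings.append(("containment_reversed", who, f"{desc} on {r.get('hosts') or '-'}"))
    for who, n in failed_logins.items():
        if n >= failed_login_threshold:
            findings.append(("repeated_failed_logins", who, f"{n} failed logins"))
    return findings
```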