Monitor Agent Activity

Viewing agent audit logs requires either a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
The Cortex XDR agent logs entries for events that are monitored by the Cortex XDR agent and reports the logs back to Cortex XDR hourly. Cortex XDR stores the logs for 180 days. To view the Cortex XDR agent logs, select the gear icon > Agent Auditing.
To ensure you and your colleagues stay informed about agent activity, you can Configure Notification Forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.
You can customize your view of the logs by adding or removing fields in the Agents Audit Table. You can also filter the page results to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XDR Agents Audit Table:
Field and description:

Category
  The Cortex XDR agent logs these endpoint events using one of the following categories:
  • Audit: Successful changes to the agent indicating correct behavior.
  • Monitoring: Unsuccessful changes to the agent that may require administrator intervention.
  • Status: Indication of the agent status.

Description
  Log message that describes the action.

Domain
  Domain to which the endpoint belongs.

Endpoint ID
  Unique ID assigned by the Cortex XDR agent.

Endpoint Name
  Endpoint hostname.

Reason
  If the action or activity failed, this field indicates the identified cause.

Received Time
  Date and time when the action was received by the agent and reported back to Cortex XDR.

Result
  The result of the action (Success, Fail, or N/A).

Severity
  Severity associated with the log: High, Medium, Low, or Informational.

Type and Sub-Type
  Additional classification of the agent log entry. Each Type has its own set of Sub-Types:
  • Installation: Install, Uninstall, Upgrade
  • Policy change: Local Configuration Change, Content Update, Policy Update, Process Exception, Hash Exception
  • Agent service: Service start, Service stopped
  • Agent modules: Module initialization, Local analysis module, Local analysis feature extraction
  • Agent status: Fully protected, OS incompatible, Software incompatible, Kernel driver initialization, Kernel extension initialization, Proxy communication, Quota exceeded, Minimal content
  • Action: Scan, File retrieval, Terminate process, Isolate, Cancel isolation, Payload execution, Quarantine, Restore

Timestamp
  Date and time when the action occurred.

XDR Agent Version
  Version of the Cortex XDR agent running on the endpoint.
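The fields above are most useful once the log leaves the console, for example after you forward it to a Syslog server and want to triage it automatically. The script below is an added example, not Cortex XDR code or a Palo Alto Networks API: it applies the table's own definitions (Monitoring means an unsuccessful change that may need an administrator, Result is Success/Fail/N/A, Severity is High/Medium/Low/Informational, agents report hourly) to a handful of constructed records. It assumes each record is a Python dict keyed by the field names in the table; the real export format is not shown on this page, so those keys, the sample values and the function names are assumptions.

```python
"""Triage helper for Cortex XDR Agent Audit records (added example, not vendor code).

Assumption: each record is a dict keyed by the field names in the table above.
The actual forwarding/export format is not documented here.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records for illustration only; not real audit data.
SAMPLE_RECORDS = [
    {"Category": "Audit", "Type": "Installation", "Sub-Type": "Upgrade",
     "Endpoint Name": "ws-001", "Endpoint ID": "ep-0001", "Result": "Success",
     "Severity": "Informational", "Reason": "", "Description": "Agent upgraded",
     "Timestamp": "2024-05-01T10:00:00", "XDR Agent Version": "x.y.z"},
    {"Category": "Monitoring", "Type": "Agent status", "Sub-Type": "Kernel driver initialization",
     "Endpoint Name": "ws-002", "Endpoint ID": "ep-0002", "Result": "Fail",
     "Severity": "High", "Reason": "Driver failed to load", "Description": "Kernel driver init failed",
     "Timestamp": "2024-05-01T10:05:00", "XDR Agent Version": "x.y.z"},
    {"Category": "Status", "Type": "Agent service", "Sub-Type": "Service stopped",
     "Endpoint Name": "ws-003", "Endpoint ID": "ep-0003", "Result": "N/A",
     "Severity": "Medium", "Reason": "", "Description": "Agent service stopped",
     "Timestamp": "2024-05-01T10:10:00", "XDR Agent Version": "x.y.z"},
    {"Category": "Monitoring", "Type": "Policy change", "Sub-Type": "Policy Update",
     "Endpoint Name": "ws-001", "Endpoint ID": "ep-0001", "Result": "Fail",
     "Severity": "Medium", "Reason": "Proxy unreachable", "Description": "Policy update failed",
     "Timestamp": "2024-05-01T10:20:00", "XDR Agent Version": "x.y.z"},
]

# Severity values from the table, ranked so they can be compared.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def needs_attention(rec, min_severity="Medium"):
    """True when, by the table's definitions, an administrator should look at the entry."""
    if rec.get("Category") == "Monitoring":  # unsuccessful change, may need intervention
        return True
    if rec.get("Result") == "Fail":  # failed action; the Reason field says why
        return True
    return SEVERITY_RANK.get(rec.get("Severity"), 0) >= SEVERITY_RANK[min_severity]


def triage(records, min_severity="Medium"):
    """Entries needing attention, highest Severity first, then oldest first."""
    hits = [r for r in records if needs_attention(r, min_severity)]
    hits.sort(key=lambda r: (-SEVERITY_RANK.get(r.get("Severity"), 0), r.get("Timestamp", "")))
    return hits


def summarize_by_endpoint(records):
    """Count entries per endpoint by (Type, Sub-Type) to spot repeat offenders."""
    by_endpoint = defaultdict(Counter)
    for r in records:
        by_endpoint[r["Endpoint Name"]][(r["Type"], r["Sub-Type"])] += 1
    return {ep: dict(counts) for ep, counts in by_endpoint.items()}


def stale_endpoints(records, now_iso, max_age_hours):
    """Endpoints whose newest Timestamp is older than max_age_hours.

    Agents report hourly, so a long silence is itself worth a look.
    """
    now = datetime.fromisoformat(now_iso)
    latest = {}
    for r in records:
        ts = datetime.fromisoformat(r["Timestamp"])
        ep = r["Endpoint Name"]
        if ep not in latest or ts > latest[ep]:
            latest[ep] = ts
    return sorted(ep for ep, ts in latest.items() if now - ts > timedelta(hours=max_age_hours))


def format_hit(rec):
    """One-line rendering of an entry for a ticket or chat notification."""
    reason = f" ({rec['Reason']})" if rec.get("Reason") else ""
    return (f"[{rec['Severity']}] {rec['Endpoint Name']} {rec['Type']}/{rec['Sub-Type']} "
            f"{rec['Result']}{reason}: {rec['Description']}")


if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(format_hit(hit))
    print(summarize_by_endpoint(SAMPLE_RECORDS))
    print("silent endpoints:", stale_endpoints(SAMPLE_RECORDS, "2024-05-01T12:15:00", 2))
```

The Monitoring category and a Fail result are treated as unconditional triggers because the table defines them as things that may require intervention; the severity threshold only governs which Status and Audit entries are surfaced. Tune `min_severity` and `max_age_hours` to your environment.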
