Monitor Administrative Activity - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-27
Category
Administrator Guide
Abstract

View all Cortex XDR administrator-initiated actions taken on alerts, incidents, and live terminal sessions.

From SettingsManagement Auditing, you can track the status of all administrative and investigative actions. Cortex XDR stores audit logs for 365 days (instead of 180 days, which was the retention period in the past). Use the page filters to narrow the results or manage tables to add or remove fields as needed. For more information, see Manage Tables.

To ensure you and your colleagues stay informed about administrative activity, you can Configure Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server, or Slack channel.

The following table describes the default and optional fields that you can view in alphabetical order.

Field

Description

Email

Email address of the administrative user

Description

Descriptive summary of the administrative action. Hover over this field to view more detailed information in a popup tooltip. This enables you to know exactly what has changed, and, if necessary, roll back the change.

Host Name

Name of any relevant affected hosts

ID

Unique ID of the action

Result

Result of the administrative action: Success, Partial, or Fail.

Subtype

Subcategory of action

Timestamp

Time and date of the action

Type

Type of activity logged, one of the following:

  • Agent Configuration—Configuration of a particular Cortex XDR agent on a particular endpoint.

  • Agent Installation—Installation of the Cortex XDR agent on a particular endpoint.

  • Alert Exclusions—Suppression of particular alerts from Cortex XDR .

  • Alert Notifications—Modification of the format or timing of alerts.

  • Alert Rules—Modification of alert rules.

  • API Key—Modification of the Cortex XDR API key.

  • Authentication—User sessions started, along with the user name that started the session.

  • Broker API—Operation related to the Broker application programming interface (API).

  • Broker VM—Operation related to the Broker virtual machine (VM).

  • Dashboards—Use of particular dashboards.

  • Device Control Permanent Exceptions—Modification of permanent device control exceptions.

  • Device Control Profile—Modification of a device control profile.

  • Device Control Temporary Exceptions—Modification of temporary device control exceptions.

  • Disk Encryption Profile—Modification of a disk encryption profile.

  • Endpoint Administration—Management of endpoints.

  • Endpoint Groups—Management of endpoint groups.

  • Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.

  • Extensions Profiles—Modification of extension profile settings.

  • Global Exceptions—Management of global exceptions.

  • Host Firewall Profile—Modification of a host firewall profile.

  • Host Insights— Initiation of Host Insights data collection scan (Host Inventory and Vulnerability Assessment).

  • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.

  • Ingest Data—Import of data for immediate use or storage in a database.

  • Integrations—Integration operations, such as integrating Slack for outbound notifications.

  • Licensing—Any licensing-related operation.

  • Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.

  • Managed Threat Hunting—Activity relating to managed threat hunting.

  • MSSP—Management of security services providers.

  • Policy & Profiles—Activity related to managing policies and profiles.

  • Prevention Policy Rules—Modification of prevention policy rules.

  • Protection Policy—Modification of the protection policy.

  • Protection Profile—Modification of the protection profile.

  • Public API—Authentication activity using an associated Cortex XDR API key.

  • Query Center—Operations in the Query Center.

  • Remediation—Remediation operations.

  • Reporting—Any reporting activity.

  • Response—Remedial actions taken. For example: Isolate a host, undo host isolation, add a file hash signature to the block list, or undo the addition to the block list.

  • Rules—Modification of rules.

  • Rules Exceptions—Creation, editing, or deletion under Rules exceptions.

  • SaaS Collection—Any collected SaaS data.

  • Script Execution—Any script execution.

  • Starred Incidents—Modification of starred incidents.

  • Vulnerability Assessment—Any vulnerability assessment activity.

User Name

The user who performed the action.