Monitor Administrative Activity

View all Cortex XDR administrator-initiated actions taken on alerts, incidents, and live terminal sessions.
From Settings > Management Auditing, you can track the status of all administrative and investigative actions. Cortex XDR stores audit logs for 365 days (previously, the retention period was 180 days). Use the page filters to narrow the results, or Manage Columns and Rows to add or remove fields as needed.
To ensure you and your colleagues stay informed about administrative activity, you can Configure Notification Forwarding to forward your Management Audit log to an email distribution list, Syslog server, or Slack channel.
The following list describes the default fields and the optional additional fields that you can view, in alphabetical order. Each entry gives the field name followed by its description.

Email: Email address of the administrative user.
Description: Descriptive summary of the administrative action. Hover over this field to view more detailed information in a popup tooltip, so you can see exactly what has changed and, if necessary, roll back the change.
Host Name: Name of any relevant affected hosts.
ID: Unique ID of the action.
Result: Result of the administrative action: Success, Partial, or Fail.
Subtype: Subcategory of the action.
Timestamp: Time and date of the action.
Type: Type of activity logged, one of the following:
  • Agent Configuration—Configuration of a particular Cortex XDR agent on a particular endpoint.
  • Agent Installation—Installation of the Cortex XDR agent on a particular endpoint.
  • Alert Exclusions—Suppression of particular alerts from Cortex XDR.
  • Alert Notifications—Modification of the format or timing of alerts.
  • Alert Rules—Modification of alert rules.
  • API Key—Modification of the Cortex XDR API key.
  • Authentication—User sessions started, along with the user name that started the session.
  • Broker API—Operation related to the Broker application programming interface (API).
  • Broker VM—Operation related to the Broker virtual machine (VM).
  • Dashboards—Use of particular dashboards.
  • Device Control Permanent Exceptions—Modification of permanent device control exceptions.
  • Device Control Profile—Modification of a device control profile.
  • Device Control Temporary Exceptions—Modification of temporary device control exceptions.
  • Disk Encryption Profile—Modification of a disk encryption profile.
  • Endpoint Administration—Management of endpoints.
  • Endpoint Groups—Management of endpoint groups.
  • Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.
  • Extensions Profiles—Modification of extension profile settings.
  • Global Exceptions—Management of global exceptions.
  • Host Firewall Profile—Modification of a host firewall profile.
  • Host Insights—Initiation of a Host Insights data collection scan (Host Inventory and Vulnerability Assessment).
  • Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
  • Ingest Data—Import of data for immediate use or storage in a database.
  • Integrations—Integration operations, such as integrating Slack for outbound notifications.
  • Licensing—Any licensing-related operation.
  • Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.
  • Managed Threat Hunting—Activity relating to managed threat hunting.
  • MSSP—Management of managed security service providers (MSSPs).
  • Policy & Profiles—Activity related to managing policies and profiles.
  • Prevention Policy Rules—Modification of prevention policy rules.
  • Protection Policy—Modification of the protection policy.
  • Protection Profile—Modification of the protection profile.
  • Public API—Authentication activity using an associated Cortex XDR API key.
  • Query Center—Operations in the Query Center.
  • Remediation—Remediation operations.
  • Reporting—Any reporting activity.
  • Response—Remedial actions taken, for example isolating a host, undoing host isolation, adding a file hash signature to the block list, or undoing that addition to the block list.
  • Rules—Modification to rules.
  • Rules Exceptions—Creation, editing, or deletion of rule exceptions.
  • SaaS Collection—Any collected SaaS data.
  • Script Execution—Any script execution.
  • Starred Incidents—Modification of starred incidents.
  • Vulnerability Assessment—Any vulnerability assessment activity.
User Name: The user who performed the action.
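Once the Management Audit log is forwarded to a Syslog server as described above, the fields in this table are what a detection engineer consumes downstream. The following added example is not Palo Alto Networks code and does not use the product's real forwarding format: it parses constructed records that carry the fields listed here (Timestamp, ID, Type, Subtype, Result, User Name, Email, Host Name, Description), flags activity Types from the list above that alter enforcement or grant remote access (Response, Live Terminal, Script Execution, API Key, Alert Exclusions, Global Exceptions), raises the severity when such an action lands outside business hours, and separately flags any action whose Result is Fail or Partial. The key="value" encoding, the Subtype values, the business-hours window, and all sample users, hosts and timestamps are assumptions made for this example.

```python
"""Triage of forwarded Cortex XDR Management Audit records (added example)."""
import re
from collections import Counter
from datetime import datetime

# Activity types taken from the page's Type list that change enforcement
# or give an administrator remote reach into endpoints. A defender usually
# wants every one of these reviewed, regardless of Result.
HIGH_IMPACT_TYPES = {
    "Response",           # host isolation, block-list changes
    "Live Terminal",      # remote shell / file manager / task manager sessions
    "Script Execution",   # scripts run on endpoints
    "API Key",            # credential material for the Public API
    "Alert Exclusions",   # suppression of alerts
    "Global Exceptions",  # widening what is allowed
}

# key="value" pairs; the encoding itself is an assumption for this example.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Constructed sample records (not real product output). Field names mirror
# the Management Auditing columns; users, hosts, Subtypes are made up.
SAMPLE_AUDIT_LINES = [
    'timestamp="2024-05-01T09:02:11Z" id="5001" type="Authentication" subtype="Login" result="Success" user_name="alice" email="alice@example.test" host_name="" description="Session started"',
    'timestamp="2024-05-01T09:10:40Z" id="5002" type="Response" subtype="Isolate" result="Success" user_name="alice" email="alice@example.test" host_name="WS-0142" description="Isolate host WS-0142"',
    'timestamp="2024-05-01T09:12:03Z" id="5003" type="Live Terminal" subtype="Session" result="Success" user_name="alice" email="alice@example.test" host_name="WS-0142" description="Remote terminal session opened"',
    'timestamp="2024-05-01T11:45:19Z" id="5004" type="Alert Exclusions" subtype="Add" result="Success" user_name="bob" email="bob@example.test" host_name="" description="Exclusion added"',
    'timestamp="2024-05-01T11:46:00Z" id="5005" type="Endpoint Groups" subtype="Edit" result="Fail" user_name="bob" email="bob@example.test" host_name="" description="Edit group Finance"',
    'timestamp="2024-05-01T23:58:30Z" id="5006" type="API Key" subtype="Create" result="Success" user_name="carol" email="carol@example.test" host_name="" description="New Public API key created"',
    'timestamp="2024-05-01T12:00:00Z" id="5007" type="Dashboards" subtype="View" result="Success" user_name="bob" email="bob@example.test" host_name="" description="Opened dashboard"',
]


def parse_audit_line(line):
    """Turn one key="value" record into a dict and parse its timestamp."""
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(lines, business_hours=(7, 20)):
    """Return findings worth a human look, in input order.

    Rules:
      * any HIGH_IMPACT type -> rule "high-impact"; severity "high" when the
        action happened outside business_hours (assumed 07:00-20:00 UTC),
        otherwise "medium";
      * Result of Fail or Partial on any action -> rule "failed-action", "low".
    """
    start, end = business_hours
    findings = []
    for rec in map(parse_audit_line, lines):
        hour = rec["ts"].hour
        outside = hour < start or hour >= end
        base = {
            "id": rec["id"],
            "user": rec["user_name"],
            "type": rec["type"],
            "host": rec["host_name"] or None,
        }
        if rec["type"] in HIGH_IMPACT_TYPES:
            findings.append({**base, "rule": "high-impact",
                             "severity": "high" if outside else "medium"})
        if rec["result"] in ("Fail", "Partial"):
            findings.append({**base, "rule": "failed-action", "severity": "low"})
    return findings


def high_impact_by_user(lines):
    """Count high-impact actions per administrator; a sudden jump for one
    account is a cheap signal that the account is being misused."""
    counts = Counter()
    for rec in map(parse_audit_line, lines):
        if rec["type"] in HIGH_IMPACT_TYPES:
            counts[rec["user_name"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f"{f['severity']:6} {f['rule']:14} id={f['id']} "
              f"user={f['user']} type={f['type']} host={f['host']}")
    print(high_impact_by_user(SAMPLE_AUDIT_LINES))
```

Run on the constructed sample, the script reports the isolation and Live Terminal session on WS-0142 and the alert exclusion at medium severity, the failed Endpoint Groups edit at low severity, and the API key created at 23:58 at high severity; the per-user summary shows alice with two high-impact actions. In a real pipeline the parser is the part to replace with whatever format your Syslog receiver actually emits, while the rules stay the same because they key only on the Type and Result fields documented above.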
