You can monitor the activity of any Cortex XDR Broker VM that you manage.
Note
Viewing agent audit logs requires either a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
The Cortex XDR agent logs entries for events that are monitored by the Cortex XDR agent, and hourly reports the logs back to Cortex XDR. Cortex XDR stores the logs for 365 days. To view the XDR agent logs, select → .
To ensure you and your colleagues stay informed about agent activity, you can Configure notification forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.
You can customize your view of the logs by adding or removing filters to the Agent Audits Table. You can also filter the page result to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XDR Agents Audit Table:
Field | Description |
---|---|
Category | The XDR agent logs these endpoint events using one of the following categories:
|
Description | Log message that describes the action. |
Domain | Domain to which the endpoint belongs. |
Endpoint ID | A unique ID assigned by the XDR agent. |
Endpoint Name | Endpoint hostname. |
Received Time | Date and time when the action was received by the agent and reported back to Cortex XDR. |
Result | The result of the action (Success, Fail, or N/A) |
Severity | Severity associated with the log:
|
Type and Sub-Type | Additional classification of agent log (Type and Sub-Type):
|
Timestamp | Date and time when the action occurred. |
XDR Agent Version | The version of the XDR agent running on the endpoint. |