Monitor agent activity - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

You can monitor the activity of any Cortex XDR Broker VM that you manage.

Note

Viewing agent audit logs requires either a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.

The Cortex XDR agent logs entries for events that are monitored by the Cortex XDR agent, and hourly reports the logs back to Cortex XDR. Cortex XDR stores the logs for 365 days. To view the XDR agent logs, select SettingsAgent Auditing.

To ensure you and your colleagues stay informed about agent activity, you can Configure notification forwarding to forward your Agent Audit log to an email distribution list, Syslog server, or Slack channel.

You can customize your view of the logs by adding or removing filters to the Agent Audits Table. You can also filter the page result to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XDR Agents Audit Table:

Field

Description

Category

The XDR agent logs these endpoint events using one of the following categories:

  • Audit: Successful changes to the agent indicating correct behavior.

  • Monitoring: Unsuccessful changes to the agent that may require administrator intervention.

  • Status: Indication of the agent status.

Description

Log message that describes the action.

Domain

Domain to which the endpoint belongs.

Endpoint ID

A unique ID assigned by the XDR agent.

Endpoint Name

Endpoint hostname.

Received Time

Date and time when the action was received by the agent and reported back to Cortex XDR.

Result

The result of the action (Success, Fail, or N/A)

Severity

Severity associated with the log:

  • Critical

  • High

  • Medium

  • Low

  • Informational

Type and Sub-Type

Additional classification of agent log (Type and Sub-Type):

  • Installation:

    • Install

    • Uninstall

    • Upgrade

  • Policy change:

    • Local Configuration Change

    • Content Update

    • Policy Update

    • Process Exception

    • Hash Exception

  • Agent service:

    • Service start (reported only when the agent fails to start and the RESULT is Fail)

    • Service stopped

    • Anti-Tampering (reported when anti-tamper protection is disabled locally on an agent)

  • Agent modules:

    • Module initialization

    • Local analysis module

    • Local analysis feature extraction

  • Agent status:

    • Fully protected

    • OS incompatible

    • Software incompatible

    • Kernel driver initialization

    • Kernel extension initialization

    • Proxy communication

    • Quota exceeded (reported when old prevention data is being deleted from the endpoint)

    • Minimal content

  • Action:

    • Endpoint Token

    • Scan

    • File retrieval

    • Terminate process

    • Isolate

    • Cancel isolation

    • Payload execution

    • Quarantine

    • Restore

    • Block IP address

    • Unblock IP address

    • Tagging

Timestamp

Date and time when the action occurred.

XDR Agent Version

The version of the XDR agent running on the endpoint.