Type-Action Center |
Action # {action_id} completed successfully. {action--_description}.
| |
Action # {action_id} completed with {partial success}. {action--_description}.
| |
Action # {action_id} {failed / timeout / expired.} {action--_description}.
| |
Action # completed successfully. Action description: Set Endpoint token with (x) days
| |
Type—Agent Configuration |
Agent global uninstall password updated
| |
Agent auto upgrade configuration updated
| |
Agent content bandwidth management{bandwidth_allocation}
| |
Agent advanced analysis configuration updated
| |
Type—Agent Installation |
Distribution creation timeout for distribution id {distribution_id} packages generation - WLM task timed-out
| Sub Type—Create Status—Fail Severity—Informational
|
Deleted installation package\'{distribution.dist_name}\
| Sub Type—Delete Status—Success Severity—Informational
|
Edited installation package\'{current_distribution.dist_name}\
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to create {general_desc}
| Sub Type—Create Status—Fail Severity—Informational
|
Created {general_desc}
| Sub Type—Create Status—Success Severity—Informational
|
Type—Alert Exclusions |
Auto-resolved {cases_info} incidents because all of the alerts they contain are excluded
| |
Reopened incident ID {cases_info} due to manual user action
| |
Failed to Add exclusion policy {name}
| |
Add exclusion policy #{res}
| |
Failed to Edit exclusion policy {edit_id}
| |
Edit exclusion policy #{edit_id}
| |
Failed to delete exclusion policy
| |
Delete exclusion policy {','.join(map(str, whitelist_ids))}
| |
Type—Alert Notifications |
Notification ID {rule_id} Created
| |
Notification ID {rule_id} Edited
| |
Notification ID {rule_id} Enabled
| |
Notification ID {rule_id} Disabled
| |
Notification ID {rule_id} Deleted
| |
Type—Alert Rules |
Alert rule ID {rule_id} created
| Sub Type—New Alert Rule Status—Success Severity—Informational
|
Alert rule ID {rule_id} edited
| Sub Type—Edit Alert Rule Status—Success Severity—Informational
|
Alert rule ID {rule_id} deleted
| |
Alert rule ID {rule_id} was enabled
| |
Alert rule ID {rule_id} was disabled
| |
Type—Api Key |
Api Key ID {id} was added
| Sub Type—Add New Key Status—Success Severity—Informational
|
Api Key ID {id} was edited
| Sub Type—Edit Key Status—Success Severity—Informational
|
Deleted Api Keys: {id}
| Sub Type—Delete Key Status—Success Severity—Informational
|
Api Key ID {id} was deleted
| Sub Type—Delete Key Status—Success Severity—Informational
|
Type—Authentication |
| Sub Type—Login Status—Success Severity—Informational
|
| Sub Type—Logout Status—Success Severity—Informational
|
User {user name} has failed to log in into the tenant, as the user is disabled
| Sub Type—Login Status—Fail Severity—Informational
|
Type—Broker API |
Broker {broker_id} has failed to authenticate
| |
Type—Broker VMs |
Broker VM register request completed
| Sub Type—Register Status—Success Severity—Low
|
Broker VM register request failed
| Sub Type—Register Status—Fail Severity—Low
|
{app_pretty} activated on broker VM {device_id}
| |
{app_pretty} failed to activate on broker VM {device_id}
| |
Setting configuration {app_pretty} on broker VM {device_id}
| |
Failed setting configuration {app_pretty} on broker VM {device_id}
| |
Getting {app_pretty}'s configurations of broker VM {device_id}
| |
Failed getting {app_pretty} configurations for broker VM {device_id}
| |
{app_pretty} deactivated on broker VM {device_id}
| |
{app_pretty} failed to deactivate on broker VM {device_id}
| |
Broker VM {device_id} retrieve logs request created
| Sub Type—Broker Log Status—Success Severity—Low
|
Broker VM {device_id} retrieve logs failed request
| Sub Type—Broker Log Status—Fail Severity—Low
|
Broker VM {device_id} was deleted
| Sub Type—Remove Device Status—Success Severity—Low
|
Failed to delete Broker VM {device_id}
| Sub Type—Remove Device Status—Fail Severity—Low
|
Sent action {action_name} to device: {device_id}
| |
Failed to send action {action_name} to device: {device_id}
| |
Failed to start Live Shell with Broker device: {device_id}
| |
Set configuration for device {device_id}
| |
Failed to set configuration for device {device_id}
| |
Broker VM {device_name} has disconnected from the Cortex XDR server.
| Sub Type—Disconnect Status—Fail Severity—Low
|
Pathfinder configuration request completed
| |
Pathfinder configuration request failed
| |
Pathfinder credentials request completed
| |
Pathfinder credentials request failed
| |
Pathfinder Test request completed
| Sub Type—Test Status—Success Severity—Low
|
Pathfinder Test request failed
| Sub Type—Test Status—Fail Severity—Low
|
Type—Dashboards |
Enabled Dashboard ID {dashboard_id}
| |
Disabled Dashboard ID {dashboard_id}
| |
Deleted Dashboard ID {dashboard_id}
| |
Created Dashboard ID {dashboard_id}
| |
Edited Dashboard ID {dashboard_id}
| Sub Type—Edit Dashboard Status—Success Severity—Informational
|
Type—Device Control Permanent Exceptions |
Device control permanent exceptions were edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit device control permanent exceptions
| Sub Type—Edit Status—Fail Severity—Informational
|
Exception was added to device control permanent exceptions profile
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to add exception to device control permanent exceptions profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Device Control Profile |
{platform} {profile_type} profile {profile_name} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a profile
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete a profile
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit a profile
| Sub Type—Edit Status—Fail Severity—Informational
|
A whitelist entry {vendor} {product} {serial} was added from a violation event to profile {profile_name}
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to add exception to device control exceptions profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Device Control Temporary Exceptions |
A temporary exception for {vendor} {product} {serial} on {target} {target_name} with {permission} permissions for {time} {time_units} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a temporary exception from violation
| Sub Type—Create Status—Fail Severity—Informational
|
Device control temporary exceptions were updated
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to update device control temporary exceptions
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Disk Encryption Profile |
{platform} {profile_type} profile {profile_name} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a host disk encryption profile
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete a host disk encryption profile
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit a host disk encryption profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—EDL Management |
Enable EDL
| Sub Type—Enable Status—Success Severity—Informational
|
Disable EDL
| Sub Type—Disable Status—Success Severity—Informational
|
Edit username
| Sub Type—Edit Status—Success Severity—Informational
|
Edit password
| Sub Type—Edit Status—Success Severity—Informational
|
Edit username and password
| Sub Type—Edit Severity—Informational Status—Success
|
EDL Authentication
| Sub Type—Authentication Status—Fail Severity—Informational
|
Type—Endpoint Administration |
Uninstall agent on {scope}
| Sub Type—Create Status—Success Severity—Informational
|
Upgrade {platform} on {scope} to {versions}
| Sub Type—Create Status—Success Severity—Informational
|
Retrieve endpoint data from {scope}
| Sub Type—Create Status—Success Severity—Informational
|
Change managing server on {scope} using the following distribution IDs {distribution_ids}
| Sub Type—Create Status—Success Severity—Informational
|
Set agent proxy ({proxy_addresses}) for {host_name}
| Sub Type—Create Status—Success Severity—Informational
|
Delete {host_name}
| Sub Type—Delete Status—Success Severity—Informational
|
Cancel {action_name} (id={group_action_id}) for {scope}
| Sub Type—Cancel Status—Success Severity—Informational
|
Disable agent proxy for {host_name}
| Sub Type—Disable Status—Success Severity—Informational
|
Could not include {endpoint-id} in auto upgrade
| |
Could not exclude {endpoint-id} from auto upgrade
| |
Could not include {endpoint-id} and {x} other endpoints in auto upgrade
| |
Could not exclude {endpoint-id} and {x} other endpoints from auto upgrade
| |
{endpoint-id} was excluded from auto upgrade
| |
{endpoint-id} was included in auto upgrade
| |
{endpoint-id} and {x} other endpoints were included in auto upgrade
| |
{endpoint-id} and {x} other endpoints were excluded from auto upgrade
| |
(tag_name) to (endpoint_name) and 5 other endpoints
| Sub Type—Assign Status—Success Severity—Informational
|
(tag_name) from (endpoint_name) and 5 other endpoints
| Sub Type—Remove Status—Success Severity—Informational
|
Endpoint token was viewed for hash (hash_id) and agent id (agent-id)
| Sub Type—View Token Status—Success Severity—Informational
|
Set endpoint token with (x) days expiration on (agent-id)
| Sub Type—Set Token Status—Success Severity—Low
|
Type—Endpoint Groups |
Endpoint group '{group_name}' created
| Sub Type—Create Group Status—Success Severity—Informational
|
Endpoint group '{group_name}' failed to create
| Sub Type—Create Group Status—Fail Severity—Informational
|
Endpoint group '{group_name}' deleted
| Sub Type—Delete Group Status—Success Severity—Informational
|
Endpoint group '{group_name}' failed to delete
| Sub Type—Delete Group Status—Fail Severity—Informational
|
Endpoint group edited {modified_fields}
| Sub Type—Edit Group Status—Success Severity—Informational
|
Endpoint group '{group_name}' failed to update
| Sub Type—Edit Group Status—Fail Severity—Informational
|
Type-Event Forwarding |
{operation} Endpoint Event Forwarding
| |
{operation} GB Event Forwarding
| |
Generated New Service Account JSON Web Token
| |
Type—Extensions Policy |
Device Control policy rules were updated
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to update device control policy rules
| Sub Type—Edit Status—Fail Severity—Informational
|
Extensions policy rules were updated
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to update extensions policy rules
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Extensions Profile |
{platform} {profile_type} profile {profile_name} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create an extensions profile
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete an extensions profile
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit an extensions profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Featured Alert Fields |
Added {count}new featured {field_type} {plural}
| Sub Type—Add Status—Success Severity—Informational
|
Failed to add {count}new featured {field_type}{plural}
| Sub Type—Add Status—Fail Severity—Informational
|
Deleted {count}featured {field_type} {plural}
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete {count}featured {field_type}{plural}
| Sub Type—Delete Status—Fail Severity—Informational
|
Edited {count}featured {field_type} {plural}
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit {count}featured {field_type}{plural}
| Sub Type—Edit Status—Fail Severity—Informational
|
Imported new featured {field_type} {plural}
| Sub Type—Import Status—Success Severity—Informational
|
Failed to import new featured {field_type}{plural}
| Sub Type—Import Status—Fail Severity—Informational
|
Replaced all featured {field_type} {plural} with a new list containing {count}values
| Sub Type—Replace Status—Success Severity—Informational
|
Failed to replace {count}featured {field_type}{plural}
| Sub Type—Replace Status—Fail Severity—Informational
|
Type—Global Exceptions |
Global exceptions were edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit global exceptions
| Sub Type—Edit Status—Fail Severity—Informational
|
{exception_type} was added to global exceptions profile
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to add exception to global exceptions profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Host Firewall Profile |
{platform} {profile_type} profile {profile_name} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a host firewall profile
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete a host firewall profile
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit a host firewall profile
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Host Insights |
Endpoint host insights collection initiated successfully
| |
Failed initiating host insights collection from an endpoint
| |
Type—Incident Management |
Changed incident {incident_id} status to {new_status}
| |
Changed incident {incident_id} severity to {new_severity}
| |
Changed incident {incident_id} name to {new_name}
| |
Deleted incident {incident_id} name
| |
Incident {incident_id} assigned to {user_name}
| Sub Type—Assign Incident Status—Success Severity—Informational
|
Incident {incident_id} unassigned
| |
Added artifact {artifact_type}: {artifact_value} to incident {incident_id}
| |
Added asset {asset_type}:{asset_value} to incident {incident_id}
| Sub Type—Add Key Asset Status—Success Severity—Informational
|
Deleted artifact {artifact_type}: {artifact_value} from incident {incident_id}
| |
Deleted asset {asset_type}:{asset_value} from incident {incident_id}
| |
Moved {count} alerts from incident {src_incident_id} to incident {dst_incident_id}
| Sub Type—Move Alerts Status—Success Severity—Informational
|
Merged {src_incident_ids} with incident {dst_incident_id}
| Sub Type—Merge Incidents Status—Success Severity—Informational
|
Merged {src_incident_ids} incidents with incident {dst_incident_id}
| Sub Type—Merge Incidents Status—Success Severity—Informational
|
Changed assignee of {count} incident{plural} to {user_name}
| |
Changed status of {count} incident{plural} to {status}
| |
Changed severity of {count} incident{plural} to {severity}
| |
Changed scoring of {count} incident{plural} to {manual_score}
| Sub Type—Change Scoring Status—Success Severity—Informational
|
Changed scoring of {count} incident{plural} to rule-based scoring
| Sub Type—Change Scoring Status—Success Severity—Informational
|
Changed scoring of incident #{incident_id} to {manual_score}
| |
Changed scoring of incident #{incident_id} to rule-based scoring
| Sub Type—Change Scoring Status—Success Severity—Informational
|
Type—Ingest Data |
Requested to ingest {num_of_alerts} CEFs
| Sub Type—CEF Status—Success Severity—Informational
|
Requested to ingest {num_of_alerts} LEEFs
| Sub Type—LEEF Status—Success Severity—Informational
|
Requested to ingest {num_of_alerts} parsed alerts
| Sub Type—Parsed Alerts Status—Success Severity—Informational
|
Type—Integrations |
Created syslog integration {syslog_name} (ID={syslog_id}
| |
Edited syslog integration {syslog_name} (ID={syslog_id})
| |
Deleted syslog integration {syslog_name} (ID={syslog_id})
| |
Type—Licensing |
Host Insights Add-on license has expired
| Sub Type—Expiration Status—Success Severity—Low
|
{license_name} license has expired
| Sub Type—Expiration Status—Success Severity—Informational
|
{license_name} license will expire in less than {time_remaining_in_days} days
| Sub Type—Expiration Status—Success Severity—Informational
|
Your agents with data collection license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed
| Sub Type—Quota Status—Success Severity—Informational
|
Your agents with data collection license pool reached full capacity
| Sub Type—Quota Status—Success Severity—Informational
|
Your installed agents license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed
| Sub Type—Quota Status—Success Severity—Informational
|
Your installed agents license pool reached full capacity
| Sub Type—Quota Status—Success Severity—Informational
|
Type—Live Terminal |
Connection request sent to host: {host}
| Sub Type—Connect Status—Success Severity—Low
|
Connection request sent to host: {host}
| Sub Type—Connect Status—Fail Severity—Low
|
Connection opened
| Sub Type—Status Status—Success Severity—Low
|
Connection opened
| Sub Type—Status Status—Fail Severity—Low
|
Connection closed
| Sub Type—Status Status—Success Severity—Low
|
Failed to {description}
| Sub Type—Status Status—Fail Severity—Low
|
{error_detail} in {path}
| Sub Type—Delete File Status—Fail Severity—Low
|
Delete file {path}
| Sub Type—Delete File Status—Success Severity—Low
|
Delete file {name} in {path}
| Sub Type—Delete File Status—Success Severity—Low
|
{error_detail} in {path}
| Sub Type—Move File Status—Fail Severity—Low
|
Move file {path} to {target_path}
| Sub Type—Move File Status—Success Severity—Low
|
Move file {name} from {path} to {target_path}
| Sub Type—Move File Status—Success Severity—Low
|
{error_detail} in {path}
| Sub Type—Copy File Status—Fail Severity—Low
|
Copy file {path} to {target_path}
| Sub Type—Copy File Status—Success Severity—Low
|
Copy file {name} from {path} to {target_path}
| Sub Type—Copy File Status—Success Severity—Low
|
Type—Managed Threat Hunting |
Pairing with {name} was removed
| Sub Type—Pairing Status—Success Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Register Status—Success Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Re-register Status—Success Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Register Status—Fail Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Re-register Status—Fail Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Unregistered Status—Success Severity—Informational
|
Registered to MTH service with email : {email}
| Sub Type—Unregistered Status—Fail Severity—Informational
|
Type—MSSP |
Synced {len(biocs)} BIOC rules and {len(exceptions)} exceptions
| Sub Type—Synchronization Status—Success Severity—Informational
|
Synced {len(inclusions)} starred alerts
| Sub Type—Synchronization Status—Success Severity—Informational
|
Synced {len(whitelists)} exclusion alerts
| Sub Type—Synchronization Status—Success Severity—Informational
|
Synced {len(profiles)} profiles
| Sub Type—Synchronization Status—Success Severity—Informational
|
Synced {len(ab_list)} allow/block items
| Sub Type—Synchronization Status—Success Severity—Informational
|
Failed to fetch data from signed_url
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Failed to sync {len(biocs)} BIOC rules and {len(exceptions)} exceptions
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Failed to sync {len(inclusions)} starred alerts
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Failed to sync {len(whitelists)} exclusion alerts
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Failed to sync {len(ab_list)} allow/block list items
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Failed to sync {len(profiles)} profiles
| Sub Type—Synchronization Status—Fail Severity—Informational
|
Type—Permission |
{user name} was assigned permissions of role {role name}
| |
{user name} permissions were updated from {role name} to {role name}
| |
{user name} permissions were removed
| |
{user name} access has been disabled due to due to last login timeout
| |
{user name} access has been manually disabled
| |
{user name} access has been enabled
| |
{role name} created with the following permissions: {1,2,3,}
| Sub Type—Role Created Status—Success Severity—Informational
|
{role name} edited, the following permissions {1,2} were added and the following permissions removed {1,2,3}
| Sub Type—Role Edited Status—Success Severity—Informational
|
{role name} deleted
| Sub Type—Role Deleted Status—Success Severity—Informational
|
Type—Policy & Profiles |
{platform} {profile_type} profile {profile_name} was created
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a profile
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was created by {parent_tenant}
| Sub Type—Create Status—Success Severity—Informational
|
Failed to create a profile by {parent_tenant} by {parent_tenant}
| Sub Type—Create Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete a profile
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was deleted by {parent_tenant}
| Sub Type—Delete Status—Success Severity—Informational
|
Failed to delete a profile by {parent_tenant}
| Sub Type—Delete Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit a profile
| Sub Type—Edit Status—Fail Severity—Informational
|
{exception_type} was added to exceptions profile {profile_name}
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to add exception to exceptions profile
| Sub Type—Edit Status—Fail Severity—Informational
|
{platform} {profile_type} profile {profile_name} was edited by {parent_tenant}
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to edit a profile by {parent_tenant}
| Sub Type—Edit Status—Fail Severity—Informational
|
<X> profiles were exported
Policy rule <name> was exported
<x> policy rules were exported
| Sub Type—Import / Export Status—Success Severity—Informational
|
<X> profiles were imported
Policy rule <name> was imported
<x> policy rules were imported
| Sub Type—Import / Export Status—Success Severity—Informational
|
Type—Prevention Policy Rules |
Policy rules were updated
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to update policy rules
| Sub Type—Edit Status—Fail Severity—Informational
|
Policy rules reverted to previous state due to profile removal by {parent_tenant}
| Sub Type—Revert Status—Success Severity—Informational
|
Type—Public API |
Source IP: {source_ip}, API key ID: {key_id}
| |
Type—Query Center |
Query ID {identifier} was executed
| Sub Type—Run Query Status—Success Severity—Informational
|
Query ID {identifier} was scheduled
| Sub Type—Schedule Query Status—Success Severity—Informational
|
Query ID {identifier} was removed from scheduled queries
| |
Query ID {identifier} was renamed
| Sub Type—Rename Query Status—Success Severity—Informational
|
Query ID {identifier} was removed
| Sub Type—Remove Query Status—Success Severity—Informational
|
Query ID {identifier} was saved
| Sub Type—Save Query Status—Success Severity—Informational
|
Query ID {identifier} was enabled
| Sub Type—Enable Query Status—Success Severity—Informational
|
Query ID {identifier} was disabled
| Sub Type—Disable Query Status—Success Severity—Informational
|
Query ID {identifier} was rescheduled
| Sub Type—Edit Query Status—Success Severity—Informational
|
Type—Remediation |
Created remediation action to {operations} from {scope}
| Sub Type—Create Status—Success Severity—Low
|
Canceled {action_name} (id={group_action_id}) on {scope}
| Sub Type—Cancel Status—Success Severity—Low
|
Type—Reporting |
Downloaded report '{report_names}' ID {report_ids}
| Sub Type—Download Report Status—Success Severity—Informational
|
Deleted report(s) '{report_names}' ID(s) {report_ids}
| Sub Type—Delete Report Status—Success Severity—Informational
|
Created report template '{template_name}' ID {template_id}
| |
Disabled report template '{template_name}' ID {template_id}
| |
Enabled report template '{template_name}' ID {template_id}
| |
Edited report template '{template_name}' ID {template_id}
| |
Deleted report template(s) '{template_name}' ID(s) {template_id}
| |
Emailed report '{template_name}' ID {report_id} to {emails}
| Sub Type—Email Report Status—Success Severity—Informational
|
Failed to upload report {upload_report_name} to bucket {bucket_name}
| Sub Type—Run Report Status—Fail Severity—Informational
|
Scheduled report failed to start due to timeout
| Sub Type—Run Report Status—Fail Severity—Informational
|
Slack report '{template_name}' ID {report_id} to {channels}
| Sub Type—Slack Report Status—Success Severity—Informational
|
Type—Response |
Retrieve {count} file(s) from {scope}
| Sub Type—Create Status—Success Severity—Low
|
Retrieve alert data from {scope}
| Sub Type—Create Status—Success Severity—Low
|
Quarantine {path}, SHA256: {hash} on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Restore quarantined file with hash {hash} on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Malware scan on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Abort malware scan on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Isolate {scope} from the network
| Sub Type—Create Status—Success Severity—Low
|
UnIsolate {scope}
| Sub Type—Create Status—Success Severity—Low
|
Kill process {process_name} on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Initiate Live Terminal on {scope}
| Sub Type—Create Status—Success Severity—Low
|
Delete {count} hash(es) from allow list
| Sub Type—Delete Status—Success Severity—Low
|
Delete {cout} hash(es) from block list
| |
Delete isolation comment of {scope}
| Sub Type—Delete Status—Success Severity—Low
|
Cancel {action_name} (id= {action_id}) for {scope}
| Sub Type—Cancel Status—Success Severity—Low
|
Enable {count} hash(es) from allow list
| Sub Type—Enable Status—Success Severity—Low
|
Enable and move {count} hash(es) from allow list to block list
| Sub Type—Enable Status—Success Severity—Low
|
Enable {count} hash(es) from block list
| Sub Type—Enable Status—Success Severity—Low
|
Enable and move {count} hash(es) from block list to allow list
| Sub Type—Enable Status—Success Severity—Low
|
{add_on_name} Add-on activated successfully
| Sub Type—Enable Status—Success Severity—Low
|
Disable {count} hash(es) from allow list
| Sub Type—Disable Status—Success Severity—Low
|
Disable {count} hash(es) from block list
| Sub Type—Disable Status—Success Severity—Low
|
{add_on_name} Add-on disabled successfully
| Sub Type—Disable Status—Success Severity—Low
|
Move {count} hash(es) to block list
| Sub Type—Move Status—Success Severity—Low
|
Move {count} hash(es) to allow list
| Sub Type—Move Status—Success Severity—Low
|
Edit comment of {count} hash in allow list
| Sub Type—Edit Status—Success Severity—Low
|
Updated incident ID of a hash from allow list: {hash} to: {incident_id}
| Sub Type—Edit Status—Success Severity—Low
|
Removed incident ID of a hash from allow list: {hash}
| Sub Type—Edit Status—Success Severity—Low
|
Edit comment of {count} hash in block list
| Sub Type—Edit Status—Success Severity—Low
|
Updated incident ID of a hash from block list: {hash} to: {incident_id}"
| Sub Type—Edit Status—Success Severity—Low
|
Removed incident ID of a hash from block list: {hash}
| Sub Type—Edit Status—Success Severity—Low
|
Edit isolation comment of {scope} to {isolate_comment}
| Sub Type—Edit Status—Success Severity—Low
|
Disable {capability} on {scope}
| |
Removed {ip} from the blocked IP address list of {scope}
| Sub Type—Unblock Status—Success Severity—Low
|
Type—Rules |
IOC created - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Create Status—Success Severity—Informational
|
BIOC created - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Create Status—Success Severity—Informational
|
IOC deleted - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Delete Status—Success Severity—Informational
|
BIOC deleted - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Delete Status—Success Severity—Informational
|
IOC changed - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Change Status—Success Severity—Informational
|
Changed {count} IOCs
| Sub Type—Change Status—Success Severity—Informational
|
BIOC changed - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Change Status—Success Severity—Informational
|
Changed {count} BIOCs
| Sub Type—Change Status—Success Severity—Informational
|
IOC disabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Disable Status—Success Severity—Informational
|
Disabled {count} IOCs
| Sub Type—Disable Status—Success Severity—Informational
|
IOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.
| Sub Type—Disable Status—Success Severity—Informational
|
BIOC disabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Disable Status—Success Severity—Informational
|
BIOC rule {rule_id} has been automatically disabled because it reached {hits} matches in the last {time} - name: {rule_name} severity: {rule_severity} type: {rule_type}
| Sub Type—Disable Status—Success Severity—Informational
|
Disabled {count} BIOCs
| Sub Type—Disable Status—Success Severity—Informational
|
Analytics BIOC rule disabled - name: '{rule_name}' global rule id: '{global_rule_id}'
| Sub Type—Disable Status—Success Severity—Informational
|
Disabled {count} Analytics BIOC rules
| Sub Type—Disable Status—Success Severity—Informational
|
BIOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.
| Sub Type—Disable Status—Success Severity—Informational
|
IOC enabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Enable Status—Success Severity—Informational
|
Enabled {count} IOCs
| Sub Type—Enable Status—Success Severity—Informational
|
BIOC enabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}
| Sub Type—Enable Status—Success Severity—Informational
|
Enabled {count} BIOCs
| Sub Type—Enable Status—Success Severity—Informational
|
Analytics BIOC rule enabled - name: '{rule_name}' global rule id: '{global_rule_id}'
| Sub Type—Enable Status—Success Severity—Informational
|
Enabled {count} Analytics BIOC rules
| Sub Type—Enable Status—Success Severity—Informational
|
Imported {count} IOCs
| Sub Type—Import Status—Success Severity—Informational
|
Imported {count} BIOCs
| Sub Type—Import Status—Success Severity—Informational
|
{count} IOCs expired
| Sub Type—Expire Status—Success Severity—Informational
|
Exported {count} BIOCs
| Sub Type—Export Status—Success Severity—Informational
|
BIOC content updated - Palo Alto Networks repository provided a BIOC update
| Sub Type—Content Update Status—Success Severity—Informational
|
Type—Rules Exceptions |
Added new rule exception
| Sub Type—Add Status—Success Severity—Informational
|
Edited rule exception ID:{exception_id}
| Sub Type—Edit Status—Success Severity—Informational
|
Deleted {exception_ids_len} rule exceptions
| Sub Type—Delete Status—Success Severity—Informational
|
Deleted rule exception ID: {exception_id}
| Sub Type—Delete Status—Success Severity—Informational
|
Exported {exception_id} rule exception
| |
Exported {exported_exceptions} rule exceptions
| |
Imported {exception_id} rule exception
| Sub Type—Import Status—Success Severity—Informational
|
Imported {imported_exceptions} rule exceptions
| Sub Type—Import Status—Success Severity—Informational
|
Type—SaaS Collection |
{vendor} Data Collection for {name} created.
| |
{vendor} Data Collection for {name} deleted.
| |
{vendor} Data Collection for {name} edited.
| |
{vendor} Data Collection for {name} disabled.
| |
{vendor} Data Collection for {name} enabled.
| |
{vendor} Data Collection for {name} was disconnected with error '{disconnected_error}'
| |
Collection authentication failed. Collection key ID {key_id}. Source IP: {source_ip}
| |
Okta API call exceeded rate limit due to too many requests. HTTP Status: 429 Too Many Requests. The collection of data from {okta_domain} is suspended for several minutes.
| Sub Type—Data Collection Status—Fail Severity—Informational
|
Type—Scoring Rules |
Scoring rules were updated
| Sub Type—Edit Status—Success Severity—Informational
|
Failed to update scoring rules
| Sub Type—Edit Status—Fail Severity—Informational
|
Type—Script ExecutionRun {script_name} on {scope}
| Sub Type—Run script Status—Success Severity—Low
|
Cancel {action_name} (id={group_action_id}) for {scope}
| Sub Type—Cancel Status—Success Severity—Low
|
Abort {action_name} (id={group_action_id}) for {scope}
| Sub Type—Abort Status—Success Severity—Low
|
Add {outcome} script, name: {name}, description: {description}, compatible for {platform}, script id: {script_id}
| Sub Type—Add Script Status—Success Severity—Informational
|
Edit {script_name}, script id - {script_id}: {updated_values}
| Sub Type—Edit Status—Success Severity—Informational
|
Delete {script_name}, script id: {script_id}
| Sub Type—Delete Status—Success Severity—Informational
|
Type—Security Settings |
Changed user login expiration from {old_user_login_expiration} hours to {old_user_login_expiration} hours
| |
Changed dashboard expiration from {previous_dashboard_expiration} to {new_dashboard_expiration}
| |
{action} session’s approved domains {domain_list}
| NoteAction is Enabled, Disabled, or Changed. domain_list is in one of the following formats. |
{action} session’s approved CIDRs {CIDR_list}
| NoteAction is Enabled, Disabled, or Changed. CIDR_list is in one of the following formats. for CIDRX, CIDRY from: CIDRX to: CIDRY (empty)
|
{action} user expiration {expiration_change}
| NoteAction is Enabled, Disabled or Changed. expiration_change is in one of the following formats. for x days from x days to y days (empty)
|
Added domain(s) {domains_list} to the Allowed Domains list
| |
Deleted domain(s) {domains_list} from the Allowed Domains list
| |
Type—Starred Incidents |
Incident {incident_id} was manually starred
| Sub Type—Manual Star Status—Success Severity—Informational
|
Incident {incident_id} was manually unstarred
| Sub Type—Manual Un-star Status—Success Severity—Informational
|
{count} incident{plural} were starred
| Sub Type—Bulk Star Status—Success Severity—Informational
|
{count} incident{plural} were un-starred
| Sub Type—"Bulk Un-star Status—Success Severity—Informational
|
Enabled starring policy {edit_id}
| Sub Type—Enable Policy Status—Success / Fail Severity—Informational
|
Disabled starring policy {edit_id}
| Sub Type—Disable Policy Status—Success / Fail Severity—Informational
|
Edited starring policy {edit_id}
| Sub Type—Edit Policy Status—Success / Fail Severity—Informational
|
Deleted starring policy
| Sub Type—Delete Policy Status—Success / Fail Severity—Informational
|
Created starring policy {res}
| Sub Type—Create Policy Status—Success / Fail Severity—Informational
|
Type—System |
Temporary Devops access granted to user: ({member})
| Sub Type—Devops Access Status—Success Severity—Informational
|