Management Audit Log Messages - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-05-22
Category: Administrator Guide

Abstract: List of the Cortex XDR management audit log messages according to log type.

The following table displays the Cortex XDR management audit log messages by log type. Each entry gives the message text followed by its details: Sub Type, Status, and Severity.

Type—Action Center

Action # {action_id} completed successfully. {action_description}.

  • Sub Type—Action Completed

  • Status—Success

  • Severity—Low

Action # {action_id} completed with {partial success}. {action_description}.

  • Sub Type—Action Completed

  • Status—Failed

  • Severity—Low

Action # {action_id} {failed / timeout / expired.} {action_description}.

  • Sub Type—Action Completed

  • Status—Failed

  • Severity—Low

Action # completed successfully. Action description: Set Endpoint token with (x) days

  • Sub Type—Action Completed

  • Status—Success

  • Severity—Low

Type—Agent Configuration

Agent global uninstall password updated

  • Sub Type—Global uninstall password

  • Status—Success

  • Severity—Informational

Agent auto upgrade configuration updated

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

Agent content bandwidth management {bandwidth_allocation}

  • Sub Type—Content bandwidth management

  • Status—Success

  • Severity—Informational

Agent advanced analysis configuration updated

  • Sub Type—Advanced Analysis

  • Status—Success

  • Severity—Informational

Type—Agent Installation

Distribution creation timeout for distribution id {distribution_id} packages generation - WLM task timed-out

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Deleted installation package '{distribution.dist_name}'

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Edited installation package '{current_distribution.dist_name}'

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to create {general_desc}

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Created {general_desc}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Type—Alert Exclusions

Auto-resolved {cases_info} incidents because all of the alerts they contain are excluded

  • Sub Type—Auto-Resolve Incidents

  • Status—Success

  • Severity—Informational

Reopened incident ID {cases_info} due to manual user action

  • Sub Type—Unresolve Auto-Resolved Incidents

  • Status—Success

  • Severity—Informational

Failed to Add exclusion policy {name}

  • Sub Type—Add exclusion policy fail

  • Status—Fail

  • Severity—Informational

Add exclusion policy #{res}

  • Sub Type—Add exclusion policy

  • Status—Success

  • Severity—Informational

Failed to Edit exclusion policy {edit_id}

  • Sub Type—Edit exclusion policy fail

  • Status—Fail

  • Severity—Informational

Edit exclusion policy #{edit_id}

  • Sub Type—Edit exclusion policy

  • Status—Success

  • Severity—Informational

Failed to delete exclusion policy

  • Sub Type—Delete exclusion policy fail

  • Status—Fail

  • Severity—Informational

Delete exclusion policy {','.join(map(str, whitelist_ids))}

  • Sub Type—Delete exclusion policy

  • Status—Success

  • Severity—Informational

Type—Alert Notifications

Notification ID {rule_id} Created

  • Sub Type—New Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Edited

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Enabled

  • Sub Type—Enable Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Disabled

  • Sub Type—Disable Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Deleted

  • Sub Type—Delete Configuration

  • Status—Success

  • Severity—Informational

Type—Alert Rules

Alert rule ID {rule_id} created

  • Sub Type—New Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} edited

  • Sub Type—Edit Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} deleted

  • Sub Type—Delete Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} was enabled

  • Sub Type—Enable Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} was disabled

  • Sub Type—Disable Alert Rule

  • Status—Success

  • Severity—Informational

Type—Api Key

Api Key ID {id} was added

  • Sub Type—Add New Key

  • Status—Success

  • Severity—Informational

Api Key ID {id} was edited

  • Sub Type—Edit Key

  • Status—Success

  • Severity—Informational

Deleted Api Keys: {id}

  • Sub Type—Delete Key

  • Status—Success

  • Severity—Informational

Api Key ID {id} was deleted

  • Sub Type—Delete Key

  • Status—Success

  • Severity—Informational

Type—Authentication

  • Sub Type—Login

  • Status—Success

  • Severity—Informational

  • Sub Type—Logout

  • Status—Success

  • Severity—Informational

User {user name} has failed to log in to the tenant, as the user is disabled

  • Sub Type—Login

  • Status—Fail

  • Severity—Informational

Type—Broker API

Broker {broker_id} has failed to authenticate

  • Sub Type—Authentication failed

  • Status—Fail

  • Severity—Informational

Type—Broker VMs

Broker VM register request completed

  • Sub Type—Register

  • Status—Success

  • Severity—Low

Broker VM register request failed

  • Sub Type—Register

  • Status—Fail

  • Severity—Low

{app_pretty} activated on broker VM {device_id}

  • Sub Type—Applet Activated

  • Status—Success

  • Severity—Low

{app_pretty} failed to activate on broker VM {device_id}

  • Sub Type—Applet Activated

  • Status—Fail

  • Severity—Low

Setting configuration {app_pretty} on broker VM {device_id}

  • Sub Type—Applet Set Configuration

  • Status—Success

  • Severity—Low

Failed setting configuration {app_pretty} on broker VM {device_id}

  • Sub Type—Applet Set Configuration

  • Status—Fail

  • Severity—Low

Getting {app_pretty}'s configurations of broker VM {device_id}

  • Sub Type—Applet Get Configuration

  • Status—Success

  • Severity—Low

Failed getting {app_pretty} configurations for broker VM {device_id}

  • Sub Type—Applet Get Configuration

  • Status—Fail

  • Severity—Low

{app_pretty} deactivated on broker VM {device_id}

  • Sub Type—Applet Deactivated

  • Status—Success

  • Severity—Low

{app_pretty} failed to deactivate on broker VM {device_id}

  • Sub Type—Applet Deactivated

  • Status—Fail

  • Severity—Low

Broker VM {device_id} retrieve logs request created

  • Sub Type—Broker Log

  • Status—Success

  • Severity—Low

Broker VM {device_id} retrieve logs failed request

  • Sub Type—Broker Log

  • Status—Fail

  • Severity—Low

Broker VM {device_id} was deleted

  • Sub Type—Remove Device

  • Status—Success

  • Severity—Low

Failed to delete Broker VM {device_id}

  • Sub Type—Remove Device

  • Status—Fail

  • Severity—Low

Sent action {action_name} to device: {device_id}

  • Sub Type—Action on device

  • Status—Success

  • Severity—Low

Failed to send action {action_name} to device: {device_id}

  • Sub Type—Action on device

  • Status—Fail

  • Severity—Low

Failed to start Live Shell with Broker device: {device_id}

  • Sub Type—Action on device

  • Status—Fail

  • Severity—Low

Set configuration for device {device_id}

  • Sub Type—Device configuration

  • Status—Success

  • Severity—Low

Failed to set configuration for device {device_id}

  • Sub Type—Device configuration

  • Status—Fail

  • Severity—Low

Broker VM {device_name} has disconnected from the Cortex XDR server.

  • Sub Type—Disconnect

  • Status—Fail

  • Severity—Low

Pathfinder configuration request completed

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Low

Pathfinder configuration request failed

  • Sub Type—Edit Configuration

  • Status—Fail

  • Severity—Low

Pathfinder credentials request completed

  • Sub Type—Edit Credentials

  • Status—Success

  • Severity—Low

Pathfinder credentials request failed

  • Sub Type—Edit Credentials

  • Status—Fail

  • Severity—Low

Pathfinder Test request completed

  • Sub Type—Test

  • Status—Success

  • Severity—Low

Pathfinder Test request failed

  • Sub Type—Test

  • Status—Fail

  • Severity—Low

Type—Dashboards

Enabled Dashboard ID {dashboard_id}

  • Sub Type—Enable Dashboard

  • Status—Success

  • Severity—Informational

Disabled Dashboard ID {dashboard_id}

  • Sub Type—Disable Dashboard

  • Status—Success

  • Severity—Informational

Deleted Dashboard ID {dashboard_id}

  • Sub Type—Delete Dashboard

  • Status—Success

  • Severity—Informational

Created Dashboard ID {dashboard_id}

  • Sub Type—Create New Dashboard

  • Status—Success

  • Severity—Informational

Edited Dashboard ID {dashboard_id}

  • Sub Type—Edit Dashboard

  • Status—Success

  • Severity—Informational

Type—Device Control Permanent Exceptions

Device control permanent exceptions were edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit device control permanent exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Exception was added to device control permanent exceptions profile

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to device control permanent exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Device Control Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

A whitelist entry {vendor} {product} {serial} was added from a violation event to profile {profile_name}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to device control exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Device Control Temporary Exceptions

A temporary exception for {vendor} {product} {serial} on {target} {target_name} with {permission} permissions for {time} {time_units} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a temporary exception from violation

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Device control temporary exceptions were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update device control temporary exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Disk Encryption Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a host disk encryption profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a host disk encryption profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a host disk encryption profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—EDL Management

Enable EDL

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Disable EDL

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Edit username

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Edit password

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Edit username and password

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

EDL Authentication

  • Sub Type—Authentication

  • Status—Fail

  • Severity—Informational

Type—Endpoint Administration

Uninstall agent on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Upgrade {platform} on {scope} to {versions}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Retrieve endpoint data from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Change managing server on {scope} using the following distribution IDs {distribution_ids}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Set agent proxy ({proxy_addresses}) for {host_name}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Delete {host_name}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Cancel {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Informational

Disable agent proxy for {host_name}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Could not include {endpoint-id} in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not exclude {endpoint-id} from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not include {endpoint-id} and {x} other endpoints in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not exclude {endpoint-id} and {x} other endpoints from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

{endpoint-id} was excluded from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} was included in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} and {x} other endpoints were included in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} and {x} other endpoints were excluded from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

(tag_name) to (endpoint_name) and 5 other endpoints

  • Sub Type—Assign

  • Status—Success

  • Severity—Informational

(tag_name) from (endpoint_name) and 5 other endpoints

  • Sub Type—Remove

  • Status—Success

  • Severity—Informational

Endpoint token was viewed for hash (hash_id) and agent id (agent-id)

  • Sub Type—View Token

  • Status—Success

  • Severity—Informational

Set endpoint token with (x) days expiration on (agent-id)

  • Sub Type—Set Token

  • Status—Success

  • Severity—Low

Type—Endpoint Groups

Endpoint group '{group_name}' created

  • Sub Type—Create Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to create

  • Sub Type—Create Group

  • Status—Fail

  • Severity—Informational

Endpoint group '{group_name}' deleted

  • Sub Type—Delete Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to delete

  • Sub Type—Delete Group

  • Status—Fail

  • Severity—Informational

Endpoint group edited {modified_fields}

  • Sub Type—Edit Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to update

  • Sub Type—Edit Group

  • Status—Fail

  • Severity—Informational

Type—Event Forwarding

{operation} Endpoint Event Forwarding

  • Sub Type—Change Endpoint Event Forwarding settings

  • Status—Success

  • Severity—Informational

{operation} GB Event Forwarding

  • Sub Type—Change GB Event Forwarding settings

  • Status—Success

  • Severity—Informational

Generated New Service Account JSON Web Token

  • Sub Type—Event Forwarding Authentication

  • Status—Success

  • Severity—Informational

Type—Extensions Policy

Device Control policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update device control policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Extensions policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update extensions policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Extensions Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create an extensions profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete an extensions profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit an extensions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Featured Alert Fields

Added {count} new featured {field_type}{plural}

  • Sub Type—Add

  • Status—Success

  • Severity—Informational

Failed to add {count} new featured {field_type}{plural}

  • Sub Type—Add

  • Status—Fail

  • Severity—Informational

Deleted {count} featured {field_type}{plural}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete {count} featured {field_type}{plural}

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

Edited {count} featured {field_type}{plural}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit {count} featured {field_type}{plural}

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Imported new featured {field_type}{plural}

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Failed to import new featured {field_type}{plural}

  • Sub Type—Import

  • Status—Fail

  • Severity—Informational

Replaced all featured {field_type}{plural} with a new list containing {count} values

  • Sub Type—Replace

  • Status—Success

  • Severity—Informational

Failed to replace {count} featured {field_type}{plural}

  • Sub Type—Replace

  • Status—Fail

  • Severity—Informational

Type—Global Exceptions

Global exceptions were edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit global exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{exception_type} was added to global exceptions profile

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to global exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Host Firewall Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a host firewall profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a host firewall profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a host firewall profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Host Insights

Endpoint host insights collection initiated successfully

  • Sub Type—Collect Host Insights from an Endpoint

  • Status—Success

  • Severity—Informational

Failed initiating host insights collection from an endpoint

  • Sub Type—Collect Host Insights from an Endpoint

  • Status—Fail

  • Severity—Informational

Type—Incident Management

Changed incident {incident_id} status to {new_status}

  • Sub Type—Change Incident Status

  • Status—Success

  • Severity—Informational

Changed incident {incident_id} severity to {new_severity}

  • Sub Type—Change Incident Severity

  • Status—Success

  • Severity—Informational

Changed incident {incident_id} name to {new_name}

  • Sub Type—Edit Incident Name

  • Status—Success

  • Severity—Informational

Deleted incident {incident_id} name

  • Sub Type—Deleted Incident Name

  • Status—Success

  • Severity—Informational

Incident {incident_id} assigned to {user_name}

  • Sub Type—Assign Incident

  • Status—Success

  • Severity—Informational

Incident {incident_id} unassigned

  • Sub Type—Unassigned Incident

  • Status—Success

  • Severity—Informational

Added artifact {artifact_type}: {artifact_value} to incident {incident_id}

  • Sub Type—Add Key Artifact

  • Status—Success

  • Severity—Informational

Added asset {asset_type}:{asset_value} to incident {incident_id}

  • Sub Type—Add Key Asset

  • Status—Success

  • Severity—Informational

Deleted artifact {artifact_type}: {artifact_value} from incident {incident_id}

  • Sub Type—Delete Key Artifact

  • Status—Success

  • Severity—Informational

Deleted asset {asset_type}:{asset_value} from incident {incident_id}

  • Sub Type—Delete Key Asset

  • Status—Success

  • Severity—Informational

Moved {count} alerts from incident {src_incident_id} to incident {dst_incident_id}

  • Sub Type—Move Alerts

  • Status—Success

  • Severity—Informational

Merged {src_incident_ids} with incident {dst_incident_id}

  • Sub Type—Merge Incidents

  • Status—Success

  • Severity—Informational

Merged {src_incident_ids} incidents with incident {dst_incident_id}

  • Sub Type—Merge Incidents

  • Status—Success

  • Severity—Informational

Changed assignee of {count} incident{plural} to {user_name}

  • Sub Type—Bulk Change Incident Assignee

  • Status—Success

  • Severity—Informational

Changed status of {count} incident{plural} to {status}

  • Sub Type—Bulk Change Incident status

  • Status—Success

  • Severity—Informational

Changed severity of {count} incident{plural} to {severity}

  • Sub Type—Bulk Change Incident Severity

  • Status—Success

  • Severity—Informational

Changed scoring of {count} incident{plural} to {manual_score}

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of {count} incident{plural} to rule-based scoring

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of incident #{incident_id} to {manual_score}

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of incident #{incident_id} to rule-based scoring

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Type—Ingest Data

Requested to ingest {num_of_alerts} CEFs

  • Sub Type—CEF

  • Status—Success

  • Severity—Informational

Requested to ingest {num_of_alerts} LEEFs

  • Sub Type—LEEF

  • Status—Success

  • Severity—Informational

Requested to ingest {num_of_alerts} parsed alerts

  • Sub Type—Parsed Alerts

  • Status—Success

  • Severity—Informational

Type—Integrations

Created syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Create Syslog Integrations

  • Status—Success

  • Severity—Informational

Edited syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Edit Syslog Integrations

  • Status—Success

  • Severity—Informational

Deleted syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Delete Syslog Integrations

  • Status—Success

  • Severity—Informational

Type—Licensing

Host Insights Add-on license has expired

  • Sub Type—Expiration

  • Status—Success

  • Severity—Low

{license_name} license has expired

  • Sub Type—Expiration

  • Status—Success

  • Severity—Informational

{license_name} license will expire in less than {time_remaining_in_days} days

  • Sub Type—Expiration

  • Status—Success

  • Severity—Informational

Your agents with data collection license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your agents with data collection license pool reached full capacity

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your installed agents license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your installed agents license pool reached full capacity

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Type—Live Terminal

Connection request sent to host: {host}

  • Sub Type—Connect

  • Status—Success

  • Severity—Low

Connection request sent to host: {host}

  • Sub Type—Connect

  • Status—Fail

  • Severity—Low

Connection opened

  • Sub Type—Status

  • Status—Success

  • Severity—Low

Connection opened

  • Sub Type—Status

  • Status—Fail

  • Severity—Low

Connection closed

  • Sub Type—Status

  • Status—Success

  • Severity—Low

Failed to {description}

  • Sub Type—Status

  • Status—Fail

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Delete File

  • Status—Fail

  • Severity—Low

Delete file {path}

  • Sub Type—Delete File

  • Status—Success

  • Severity—Low

Delete file {name} in {path}

  • Sub Type—Delete File

  • Status—Success

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Move File

  • Status—Fail

  • Severity—Low

Move file {path} to {target_path}

  • Sub Type—Move File

  • Status—Success

  • Severity—Low

Move file {name} from {path} to {target_path}

  • Sub Type—Move File

  • Status—Success

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Copy File

  • Status—Fail

  • Severity—Low

Copy file {path} to {target_path}

  • Sub Type—Copy File

  • Status—Success

  • Severity—Low

Copy file {name} from {path} to {target_path}

  • Sub Type—Copy File

  • Status—Success

  • Severity—Low

Type—Managed Threat Hunting

Pairing with {name} was removed

  • Sub Type—Pairing

  • Status—Success

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Register

  • Status—Success

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Re-register

  • Status—Success

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Register

  • Status—Fail

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Re-register

  • Status—Fail

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Unregistered

  • Status—Success

  • Severity—Informational

Registered to MTH service with email : {email}

  • Sub Type—Unregistered

  • Status—Fail

  • Severity—Informational

Type—MSSP

Synced {len(biocs)} BIOC rules and {len(exceptions)} exceptions

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(inclusions)} starred alerts

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(whitelists)} exclusion alerts

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(profiles)} profiles

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(ab_list)} allow/block items

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Failed to fetch data from signed_url

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(biocs)} BIOC rules and {len(exceptions)} exceptions

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(inclusions)} starred alerts

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(whitelists)} exclusion alerts

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(ab_list)} allow/block list items

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(profiles)} profiles

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Type—Permission

{user name} was assigned permissions of role {role name}

  • Sub Type—User Permissions Assigned

  • Status—Success

  • Severity—Informational

{user name} permissions were updated from {role name} to {role name}

  • Sub Type—User Permissions Edited

  • Status—Success

  • Severity—Informational

{user name} permissions were removed

  • Sub Type—User Permissions Revoked

  • Status—Success

  • Severity—Informational

{user name} access has been disabled due to last login timeout

  • Sub Type—User Access Disabled

  • Status—Success

  • Severity—Informational

{user name} access has been manually disabled

  • Sub Type—User Access Disabled

  • Status—Success

  • Severity—Informational

{user name} access has been enabled

  • Sub Type—User Access Enabled

  • Status—Success

  • Severity—Informational

{role name} created with the following permissions: {1,2,3,}

  • Sub Type—Role Created

  • Status—Success

  • Severity—Informational

{role name} edited, the following permissions {1,2} were added and the following permissions removed {1,2,3}

  • Sub Type—Role Edited

  • Status—Success

  • Severity—Informational

{role name} deleted

  • Sub Type—Role Deleted

  • Status—Success

  • Severity—Informational

Type—Policy & Profiles

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was created by {parent_tenant}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile by {parent_tenant}

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted by {parent_tenant}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile by {parent_tenant}

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{exception_type} was added to exceptions profile {profile_name}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited by {parent_tenant}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile by {parent_tenant}

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

  • <X> profiles were exported

  • Policy rule <name> was exported

  • <x> policy rules were exported

  • Sub Type—Import / Export

  • Status—Success

  • Severity—Informational

  • <X> profiles were imported

  • Policy rule <name> was imported

  • <x> policy rules were imported

  • Sub Type—Import / Export

  • Status—Success

  • Severity—Informational

Type—Prevention Policy Rules

Policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Policy rules reverted to previous state due to profile removal by {parent_tenant}

  • Sub Type—Revert

  • Status—Success

  • Severity—Informational

Type—Public API

Source IP: {source_ip}, API key ID: {key_id}

  • Sub Type—Authentication failed

  • Status—Fail

  • Severity—Informational

Type—Query Center

Query ID {identifier} was executed

  • Sub Type—Run Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was scheduled

  • Sub Type—Schedule Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was removed from scheduled queries

  • Sub Type—Remove Scheduling

  • Status—Success

  • Severity—Informational

Query ID {identifier} was renamed

  • Sub Type—Rename Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was removed

  • Sub Type—Remove Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was saved

  • Sub Type—Save Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was enabled

  • Sub Type—Enable Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was disabled

  • Sub Type—Disable Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was rescheduled

  • Sub Type—Edit Query

  • Status—Success

  • Severity—Informational

Type—Remediation

Created remediation action to {operations} from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Canceled {action_name} (id={group_action_id}) on {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Type—Reporting

Downloaded report '{report_names}' ID {report_ids}

  • Sub Type—Download Report

  • Status—Success

  • Severity—Informational

Deleted report(s) '{report_names}' ID(s) {report_ids}

  • Sub Type—Delete Report

  • Status—Success

  • Severity—Informational

Created report template '{template_name}' ID {template_id}

  • Sub Type—Create New Report Template

  • Status—Success

  • Severity—Informational

Disabled report template '{template_name}' ID {template_id}

  • Sub Type—Disable Report Template

  • Status—Success

  • Severity—Informational

Enabled report template '{template_name}' ID {template_id}

  • Sub Type—Enable Report Template

  • Status—Success

  • Severity—Informational

Edited report template '{template_name}' ID {template_id}

  • Sub Type—Edit Report Template

  • Status—Success

  • Severity—Informational

Deleted report template(s) '{template_name}' ID(s) {template_id}

  • Sub Type—Delete Report Template

  • Status—Success

  • Severity—Informational

Emailed report '{template_name}' ID {report_id} to {emails}

  • Sub Type—Email Report

  • Status—Success

  • Severity—Informational

Failed to upload report {upload_report_name} to bucket {bucket_name}

  • Sub Type—Run Report

  • Status—Fail

  • Severity—Informational

Scheduled report failed to start due to timeout

  • Sub Type—Run Report

  • Status—Fail

  • Severity—Informational

Slack report '{template_name}' ID {report_id} to {channels}

  • Sub Type—Slack Report

  • Status—Success

  • Severity—Informational

Type—Response

Retrieve {count} file(s) from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Retrieve alert data from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Quarantine {path}, SHA256: {hash} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Restore quarantined file with hash {hash} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Malware scan on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Abort malware scan on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Isolate {scope} from the network

  • Sub Type—Create

  • Status—Success

  • Severity—Low

UnIsolate {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Kill process {process_name} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Initiate Live Terminal on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Delete {count} hash(es) from allow list

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Delete {count} hash(es) from block list

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Delete isolation comment of {scope}

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Cancel {action_name} (id= {action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Enable {count} hash(es) from allow list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable and move {count} hash(es) from allow list to block list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable {count} hash(es) from block list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable and move {count} hash(es) from block list to allow list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

{add_on_name} Add-on activated successfully

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Disable {count} hash(es) from allow list

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

Disable {count} hash(es) from block list

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

{add_on_name} Add-on disabled successfully

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

Move {count} hash(es) to block list

  • Sub Type—Move

  • Status—Success

  • Severity—Low

Move {count} hash(es) to allow list

  • Sub Type—Move

  • Status—Success

  • Severity—Low

Edit comment of {count} hash in allow list

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Updated incident ID of a hash from allow list: {hash} to: {incident_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Removed incident ID of a hash from allow list: {hash}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Edit comment of {count} hash in block list

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Updated incident ID of a hash from block list: {hash} to: {incident_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Removed incident ID of a hash from block list: {hash}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Edit isolation comment of {scope} to {isolate_comment}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Disable {capability} on {scope}

  • Sub Type—Disable Capability

  • Status—Success

  • Severity—Low

Removed {ip} from the blocked IP address list of {scope}

  • Sub Type—Unblock

  • Status—Success

  • Severity—Low

Type—Rules

IOC created - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

BIOC created - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

IOC deleted - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

BIOC deleted - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

IOC changed - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

Changed {count} IOCs

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

BIOC changed - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

Changed {count} BIOCs

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

IOC disabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} IOCs

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

IOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC disabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC rule {rule_id} has been automatically disabled because it reached {hits} matches in the last {time} - name: {rule_name} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} BIOCs

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Analytics BIOC rule disabled - name: '{rule_name}' global rule id: '{global_rule_id}'

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} Analytics BIOC rules

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

IOC enabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} IOCs

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

BIOC enabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} BIOCs

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Analytics BIOC rule enabled - name: '{rule_name}' global rule id: '{global_rule_id}'

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} Analytics BIOC rules

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Imported {count} IOCs

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Imported {count} BIOCs

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

{count} IOCs expired

  • Sub Type—Expire

  • Status—Success

  • Severity—Informational

Exported {count} BIOCs

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

BIOC content updated - Palo Alto Networks repository provided a BIOC update

  • Sub Type—Content Update

  • Status—Success

  • Severity—Informational

Type—Rules Exceptions

Added new rule exception

  • Sub Type—Add

  • Status—Success

  • Severity—Informational

Edited rule exception ID:{exception_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Deleted {exception_ids_len} rule exceptions

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Deleted rule exception ID: {exception_id}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Exported {exception_id} rule exception

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

Exported {exported_exceptions} rule exceptions

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

Imported {exception_id} rule exception

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Imported {imported_exceptions} rule exceptions

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Type—SaaS Collection

{vendor} Data Collection for {name} created.

  • Sub Type—Create Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} deleted.

  • Sub Type—Delete Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} edited.

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} disabled.

  • Sub Type—Disable Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} enabled.

  • Sub Type—Enable Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} was disconnected with error '{disconnected_error}'

  • Sub Type—Configuration Disconnected

  • Status—Fail

  • Severity—Informational

Collection authentication failed. Collection key ID {key_id}. Source IP: {source_ip}

  • Sub Type—Authentication Failed

  • Status—Fail

  • Severity—Informational

Okta API call exceeded rate limit due to too many requests. HTTP Status: 429 Too Many Requests. The collection of data from {okta_domain} is suspended for several minutes.

  • Sub Type—Data Collection

  • Status—Fail

  • Severity—Informational

Type—Scoring Rules

Scoring rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update scoring rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Script Execution

Run {script_name} on {scope}

  • Sub Type—Run script

  • Status—Success

  • Severity—Low

Cancel {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Abort {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Abort

  • Status—Success

  • Severity—Low

Add {outcome} script, name: {name}, description: {description}, compatible for {platform}, script id: {script_id}

  • Sub Type—Add Script

  • Status—Success

  • Severity—Informational

Edit {script_name}, script id - {script_id}: {updated_values}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Delete {script_name}, script id: {script_id}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Type—Security Settings

Changed user login expiration from {old_user_login_expiration} hours to {new_user_login_expiration} hours

  • Sub Type—Change Session Expiration

  • Status—Success

  • Severity—Informational

Changed dashboard expiration from {previous_dashboard_expiration} to {new_dashboard_expiration}

  • Sub Type—Change Session Expiration

  • Status—Success

  • Severity—Informational

{action} session’s approved domains {domain_list}

  • Sub Type—Change Session’s Approved Domains

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled, or Changed.

domain_list is in one of the following formats.

  • for domainX, domainY

  • from: domainX to: domainY

  • (empty)

{action} session’s approved CIDRs {CIDR_list}

  • Sub Type—Change Session’s Approved CIDRs

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled, or Changed.

CIDR_list is in one of the following formats.

  • for CIDRX, CIDRY

  • from: CIDRX to: CIDRY

  • (empty)

{action} user expiration {expiration_change}

  • Sub Type—Change User Expiration Settings

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled or Changed.

expiration_change is in one of the following formats.

  • for x days

  • from x days to y days

  • (empty)

Added domain(s) {domains_list} to the Allowed Domains list

  • Sub Type—Add Allowed Distribution List Domain

  • Status—Success

  • Severity—Informational

Deleted domain(s) {domains_list} from the Allowed Domains list

  • Sub Type—Delete Allowed Distribution List Domain

  • Status—Success

  • Severity—Informational

Type—Starred Incidents

Incident {incident_id} was manually starred

  • Sub Type—Manual Star

  • Status—Success

  • Severity—Informational

Incident {incident_id} was manually unstarred

  • Sub Type—Manual Un-star

  • Status—Success

  • Severity—Informational

{count} incident{plural} were starred

  • Sub Type—Bulk Star

  • Status—Success

  • Severity—Informational

{count} incident{plural} were un-starred

  • Sub Type—Bulk Un-star

  • Status—Success

  • Severity—Informational

Enabled starring policy {edit_id}

  • Sub Type—Enable Policy

  • Status—Success / Fail

  • Severity—Informational

Disabled starring policy {edit_id}

  • Sub Type—Disable Policy

  • Status—Success / Fail

  • Severity—Informational

Edited starring policy {edit_id}

  • Sub Type—Edit Policy

  • Status—Success / Fail

  • Severity—Informational

Deleted starring policy

  • Sub Type—Delete Policy

  • Status—Success / Fail

  • Severity—Informational

Created starring policy {res}

  • Sub Type—Create Policy

  • Status—Success / Fail

  • Severity—Informational

Type—System

Temporary Devops access granted to user: ({member})

  • Sub Type—Devops Access

  • Status—Success

  • Severity—Informational
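The table lists message templates, not a query language, so the practical question is how to turn them into detection logic once the management audit log is forwarded to a SIEM. The following added example (not part of this guide and not product code) does that for a handful of entries worth alerting on: the Public API authentication failure, the "Enable and move ... from block list to allow list" and "Initiate Live Terminal" Response entries, the Security Settings "approved CIDRs" change, and the System "Devops Access" entry. It compiles each {placeholder} template into a regex, pulls the placeholder values out of a logged description, handles the "(empty)" form the Security Settings notes describe, and thresholds API key failures per source IP. The record field names (ts, user, type, sub_type, status, description) and the sample entries are constructed for the example and are not the product's export schema.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Entries a SOC would normally forward as alerts of their own, taken from the
# message table on this page: (Type, Sub Type, message template, reason).
# "\u2019" is the curly apostrophe used in the Security Settings sub type.
WATCHLIST: List[Tuple[str, str, str, str]] = [
    ("Public API", "Authentication failed",
     "Source IP: {source_ip}, API key ID: {key_id}",
     "repeated API key authentication failures from one source IP"),
    ("Response", "Enable",
     "Enable and move {count} hash(es) from block list to allow list",
     "previously blocked hash promoted to the allow list"),
    ("Response", "Create",
     "Initiate Live Terminal on {scope}",
     "interactive Live Terminal opened on an endpoint"),
    ("Security Settings", "Change Session\u2019s Approved CIDRs",
     "{action} session\u2019s approved CIDRs {CIDR_list}",
     "console source-IP restriction changed"),
    ("System", "Devops Access",
     "Temporary Devops access granted to user: ({member})",
     "temporary Devops access granted to the tenant"),
]


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Turn a '{placeholder}' message template into an anchored regex.

    Each placeholder becomes a named lazy group. A placeholder preceded by a
    space may be absent together with that space, which covers the '(empty)'
    format the notes under Security Settings describe."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, name, ...
    pieces = []
    for i, part in enumerate(parts):
        if i % 2 == 0:  # literal text
            if i + 1 < len(parts) and part.endswith(" "):
                part = part[:-1]  # that space moves into the optional group below
            pieces.append(re.escape(part))
        else:  # placeholder name
            group = rf"(?P<{part}>.*?)"
            pieces.append(rf"(?:\s+{group})?" if parts[i - 1].endswith(" ") else group)
    return re.compile("^" + "".join(pieces) + "$")


COMPILED = [(t, s, template_to_regex(tpl), why) for t, s, tpl, why in WATCHLIST]


def match_record(record: dict) -> Optional[Tuple[str, Dict[str, str]]]:
    """Return (reason, extracted placeholder values) for a watch-listed record."""
    for typ, sub, rx, why in COMPILED:
        if record["type"] != typ or record["sub_type"] != sub:
            continue
        m = rx.match(str(record["description"]).strip())
        if m:
            return why, {k: (v or "") for k, v in m.groupdict().items()}
    return None


def find_alerts(records, fail_threshold: int = 5, window_s: int = 600) -> List[dict]:
    """Single watch-listed events alert directly. API authentication failures
    alert only once a source IP accumulates fail_threshold of them inside
    window_s seconds; that alert fires once, when the threshold is reached."""
    alerts = []
    fails = defaultdict(list)  # source_ip -> [(ts, key_id), ...] inside the window
    for rec in sorted(records, key=lambda r: r["ts"]):
        hit = match_record(rec)
        if hit is None:
            continue
        why, fields = hit
        if rec["type"] == "Public API":
            ip = fields["source_ip"]
            recent = [x for x in fails[ip] if rec["ts"] - x[0] <= window_s]
            recent.append((rec["ts"], fields["key_id"]))
            fails[ip] = recent
            if len(recent) != fail_threshold:
                continue
            fields = {"source_ip": ip, "key_ids": sorted({k for _, k in recent})}
        alerts.append({"ts": rec["ts"], "user": rec["user"], "reason": why, "fields": fields})
    return alerts


# Constructed sample entries (assumed field names, not the product's export
# schema); the descriptions use the exact message texts from the table.
SAMPLE_LOG = [
    {"ts": 1000 + 60 * i, "user": "", "type": "Public API",
     "sub_type": "Authentication failed", "status": "Fail",
     "description": f"Source IP: 203.0.113.7, API key ID: {12 + i}"}
    for i in range(5)
] + [
    {"ts": 1300, "user": "alice@example.com", "type": "Response", "sub_type": "Enable",
     "status": "Success",
     "description": "Enable and move 1 hash(es) from block list to allow list"},
    {"ts": 1400, "user": "alice@example.com", "type": "Response", "sub_type": "Create",
     "status": "Success", "description": "Malware scan on 12 endpoints"},  # routine
    {"ts": 1500, "user": "bob@example.com", "type": "Security Settings",
     "sub_type": "Change Session\u2019s Approved CIDRs", "status": "Success",
     "description": "Disabled session\u2019s approved CIDRs"},  # the "(empty)" form
    {"ts": 1600, "user": "admin@example.com", "type": "System", "sub_type": "Devops Access",
     "status": "Success",
     "description": "Temporary Devops access granted to user: (devops-oncall)"},
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(a["ts"], a["user"] or "-", a["reason"], a["fields"])
```

Anchoring the regex at both ends and keeping the groups lazy is what makes the extraction safe: the template's literal text, including the comma in the Public API message, decides where one value ends and the next begins, so a hostile value cannot spill into a neighbouring field. Matching on Type and Sub Type before touching the description also keeps the "Response / Create" template from firing on the many other Create messages in that section.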