Management Audit Log Messages

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-03-22
Last date published: 2023-09-25
Category: Administrator Guide

The following table lists the Cortex XDR management audit log messages by log type. Each entry gives the message template followed by its Sub Type, Status, and Severity. Values in braces, such as {action_id} or {user name}, are placeholders that Cortex XDR fills in with the values of the specific event; where a template lists alternatives separated by slashes, each alternative is the wording used for that outcome.

When building detections or forwarding rules on these events, key on the Type, Sub Type, and Status fields rather than on the message text. Note that almost every administrative change in this table, including API key creation and deletion, role and permission changes, and the agent global uninstall password update, is logged with Severity Informational, so Severity alone does not separate routine activity from security-relevant changes.
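Added example (not code from the Cortex XDR documentation or product): a small Python triage that reads an exported batch of management audit records and applies the Type, Sub Type, and Status values from this table. It raises on successful high-value changes (API key creation and deletion, role creation and edits, role assignment, the global uninstall password update, agent uninstall requests, Live Terminal connections, and new alert exclusion policies) and separately counts Public API authentication failures per source IP and API key ID by parsing the "Source IP: {source_ip}, API key ID: {key_id}" message template. The record field names AUDIT_ENTITY, AUDIT_ENTITY_SUBTYPE, AUDIT_RESULT, AUDIT_SEVERITY, AUDIT_DESCRIPTION and AUDIT_OWNER_NAME, the JSON-lines export format, the rule labels, and the failure threshold of 5 are assumptions of this example, as are the constructed sample records.

```python
"""Triage Cortex XDR management audit records by Type / Sub Type / Status.
Added example, not Cortex XDR code; field names mirror a management audit
log export and are an assumption, and the sample records are constructed."""
import json
import re
from collections import Counter

# (Type, Sub Type, optional message regex, label). Type and Sub Type values
# come from the table; the regex narrows Sub Types such as "Create" that are
# shared by several actions.
ALERT_RULES = [
    ("Api Key", "Add New Key", None, "api-key-created"),
    ("Api Key", "Delete Key", None, "api-key-deleted"),
    ("Permission", "Role Created", None, "role-created"),
    ("Permission", "Role Edited", None, "role-edited"),
    ("Permission", "User Permissions Assigned", None, "user-granted-role"),
    ("Agent Configuration", "Global uninstall password", None, "uninstall-password-changed"),
    ("Endpoint Administration", "Create", re.compile(r"^Uninstall agent on "), "agent-uninstall-requested"),
    ("Live Terminal", "Connect", None, "live-terminal-connect"),
    ("Alert Exclusions", "Add exclusion policy", None, "alert-exclusion-added"),
]
# Message template of Type "Public API", Sub Type "Authentication failed".
PUBLIC_API_FAIL = re.compile(r"^Source IP: (?P<ip>[0-9A-Fa-f.:]+), API key ID: (?P<key>\d+)$")


def classify(rec):
    """Label a successful high-value change, else None (failures are counted elsewhere)."""
    if str(rec.get("AUDIT_RESULT", "")).upper() != "SUCCESS":
        return None
    entity, sub = rec.get("AUDIT_ENTITY"), rec.get("AUDIT_ENTITY_SUBTYPE")
    desc = rec.get("AUDIT_DESCRIPTION", "")
    for etype, esub, pattern, label in ALERT_RULES:
        if entity == etype and sub == esub and (pattern is None or pattern.search(desc)):
            return label
    return None


def failed_api_auth(records, threshold=5):
    """Count failed Public API authentications per (source IP, API key ID);
    return the pairs at or above the (assumed) threshold."""
    counts = Counter()
    for rec in records:
        if (rec.get("AUDIT_ENTITY"), rec.get("AUDIT_ENTITY_SUBTYPE")) != ("Public API", "Authentication failed"):
            continue
        m = PUBLIC_API_FAIL.match(rec.get("AUDIT_DESCRIPTION", ""))
        if m:
            counts[(m["ip"], m["key"])] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


def triage(jsonl_text, threshold=5):
    """Parse JSON-lines records; return ([(label, actor, message), ...], noisy_api_sources).
    Every alerted sample record has Severity "Informational": key on Type / Sub Type, not Severity."""
    records = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    alerts = []
    for rec in records:
        label = classify(rec)
        if label:
            alerts.append((label, rec.get("AUDIT_OWNER_NAME"), rec.get("AUDIT_DESCRIPTION")))
    return alerts, failed_api_auth(records, threshold)


# Constructed sample export; message text follows the templates in the table.
_FIELDS = ("AUDIT_ENTITY", "AUDIT_ENTITY_SUBTYPE", "AUDIT_RESULT", "AUDIT_SEVERITY", "AUDIT_DESCRIPTION")
_ROWS = [
    ("Api Key", "Add New Key", "SUCCESS", "Informational", "Api Key ID 42 was added"),
    ("Permission", "Role Edited", "SUCCESS", "Informational",
     "Tier1 edited, the following permissions were added: {5,9} and the following permissions were removed: {2}"),
    ("Agent Configuration", "Global uninstall password", "SUCCESS", "Informational",
     "Agent global uninstall password updated"),
    ("Endpoint Administration", "Create", "SUCCESS", "Informational", "Upgrade Windows on 3 endpoints to 8.2.0"),
    ("Endpoint Administration", "Create", "SUCCESS", "Informational", "Uninstall agent on 2 endpoints"),
    ("Dashboards", "Create New Dashboard", "SUCCESS", "Informational", "Created Dashboard ID 7"),
    ("Live Terminal", "Connect", "FAIL", "Low", "Connection request sent to host: WS-0117"),
    ("Authentication", "Login", "FAIL", "Informational",
     "User bob has failed to log in to the tenant, as the user is disabled"),
    ("Public API", "Authentication failed", "FAIL", "Informational", "Source IP: 198.51.100.9, API key ID: 3"),
] + [("Public API", "Authentication failed", "FAIL", "Informational",
      "Source IP: 203.0.113.7, API key ID: 3")] * 5
SAMPLE_LOG = "\n".join(json.dumps(dict(zip(_FIELDS, row), AUDIT_OWNER_NAME="admin@example.com"))
                       for row in _ROWS)

if __name__ == "__main__":
    alerts, noisy = triage(SAMPLE_LOG)
    for label, actor, msg in alerts:
        print(f"ALERT {label:<27} {actor}: {msg}")
    for (ip, key), n in noisy.items():
        print(f"ALERT public-api-auth-failures  {n}x from {ip} against API key ID {key}")
```

Run it directly to print the alerts for the constructed sample; with a real export, replace SAMPLE_LOG with the records you pulled and map the field names to your SIEM's schema. The "Upgrade Windows" row shows why the Endpoint Administration rule carries a message prefix: in the table, Sub Type "Create" under that Type covers upgrade, retrieve endpoint data, change managing server, and set agent proxy as well as uninstall, so Type and Sub Type alone would over-alert. The same applies anywhere a Sub Type in the table is shared by several messages.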

Type—Action Center

Action # {action_id} completed successfully. {action_description}.

  • Sub Type—Action Completed

  • Status—Success

  • Severity—Low

Action # {action_id} completed with {partial success}. {action_description}.

  • Sub Type—Action Completed

  • Status—Fail

  • Severity—Low

Action # {action_id} {failed / timeout / expired}. {action_description}.

  • Sub Type—Action Completed

  • Status—Fail

  • Severity—Low

Action # completed successfully. Action description: Set Endpoint token with {x} days

  • Sub Type—Action Completed

  • Status—Success

  • Severity—Low

Type—Agent Configuration

Agent global uninstall password updated

  • Sub Type—Global uninstall password

  • Status—Success

  • Severity—Informational

Agent auto upgrade configuration updated

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

Agent content bandwidth management {bandwidth_allocation}

  • Sub Type—Content bandwidth management

  • Status—Success

  • Severity—Informational

Agent advanced analysis configuration updated

  • Sub Type—Advanced Analysis

  • Status—Success

  • Severity—Informational

Type—Agent Installation

Distribution creation timed out for distribution ID {distribution_id}: package generation (WLM task) timed out

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Deleted installation package '{distribution.dist_name}'

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Edited installation package '{current_distribution.dist_name}'

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to create {general_desc}

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Created {general_desc}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Type—Alert Exclusions

Auto-resolved {cases_info} incidents because all of the alerts they contain are excluded

  • Sub Type—Auto-Resolve Incidents

  • Status—Success

  • Severity—Informational

Reopened incident ID {cases_info} due to manual user action

  • Sub Type—Unresolve Auto-Resolved Incidents

  • Status—Success

  • Severity—Informational

Failed to Add exclusion policy {name}

  • Sub Type—Add exclusion policy fail

  • Status—Fail

  • Severity—Informational

Add exclusion policy #{res}

  • Sub Type—Add exclusion policy

  • Status—Success

  • Severity—Informational

Failed to Edit exclusion policy {edit_id}

  • Sub Type—Edit exclusion policy fail

  • Status—Fail

  • Severity—Informational

Edit exclusion policy #{edit_id}

  • Sub Type—Edit exclusion policy

  • Status—Success

  • Severity—Informational

Failed to delete exclusion policy

  • Sub Type—Delete exclusion policy fail

  • Status—Fail

  • Severity—Informational

Delete exclusion policy {whitelist_ids}

  • Sub Type—Delete exclusion policy

  • Status—Success

  • Severity—Informational

Type—Alert Notifications

Notification ID {rule_id} Created

  • Sub Type—New Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Edited

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Enabled

  • Sub Type—Enable Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Disabled

  • Sub Type—Disable Configuration

  • Status—Success

  • Severity—Informational

Notification ID {rule_id} Deleted

  • Sub Type—Delete Configuration

  • Status—Success

  • Severity—Informational

Type—Alert Rules

Alert rule ID {rule_id} created

  • Sub Type—New Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} edited

  • Sub Type—Edit Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} deleted

  • Sub Type—Delete Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} was enabled

  • Sub Type—Enable Alert Rule

  • Status—Success

  • Severity—Informational

Alert rule ID {rule_id} was disabled

  • Sub Type—Disable Alert Rule

  • Status—Success

  • Severity—Informational

Type—Api Key

Api Key ID {id} was added

  • Sub Type—Add New Key

  • Status—Success

  • Severity—Informational

Api Key ID {id} was edited

  • Sub Type—Edit Key

  • Status—Success

  • Severity—Informational

Deleted Api Keys: {id}

  • Sub Type—Delete Key

  • Status—Success

  • Severity—Informational

Api Key ID {id} was deleted

  • Sub Type—Delete Key

  • Status—Success

  • Severity—Informational

Type—Authentication

  • Sub Type—Login

  • Status—Success

  • Severity—Informational

  • Sub Type—Logout

  • Status—Success

  • Severity—Informational

User {user name} has failed to log in to the tenant, as the user is disabled

  • Sub Type—Login

  • Status—Fail

  • Severity—Informational

Type—Broker API

Broker {broker_id} has failed to authenticate

  • Sub Type—Authentication failed

  • Status—Fail

  • Severity—Informational

Type—Broker VMs

Broker VM register request completed

  • Sub Type—Register

  • Status—Success

  • Severity—Low

Broker VM register request failed

  • Sub Type—Register

  • Status—Fail

  • Severity—Low

{app_pretty} activated on broker VM {device_id}

  • Sub Type—Applet Activated

  • Status—Success

  • Severity—Low

{app_pretty} failed to activate on broker VM {device_id}

  • Sub Type—Applet Activated

  • Status—Fail

  • Severity—Low

Setting configuration {app_pretty} on broker VM {device_id}

  • Sub Type—Applet Set Configuration

  • Status—Success

  • Severity—Low

Failed setting configuration {app_pretty} on broker VM {device_id}

  • Sub Type—Applet Set Configuration

  • Status—Fail

  • Severity—Low

Getting {app_pretty} configurations for broker VM {device_id}

  • Sub Type—Applet Get Configuration

  • Status—Success

  • Severity—Low

Failed getting {app_pretty} configurations for broker VM {device_id}

  • Sub Type—Applet Get Configuration

  • Status—Fail

  • Severity—Low

{app_pretty} deactivated on broker VM {device_id}

  • Sub Type—Applet Deactivated

  • Status—Success

  • Severity—Low

{app_pretty} failed to deactivate on broker VM {device_id}

  • Sub Type—Applet Deactivated

  • Status—Fail

  • Severity—Low

Broker VM {device_id} retrieve logs request created

  • Sub Type—Broker Log

  • Status—Success

  • Severity—Low

Broker VM {device_id} retrieve logs request failed

  • Sub Type—Broker Log

  • Status—Fail

  • Severity—Low

Broker VM {device_id} was deleted

  • Sub Type—Remove Device

  • Status—Success

  • Severity—Low

Failed to delete Broker VM {device_id}

  • Sub Type—Remove Device

  • Status—Fail

  • Severity—Low

Sent action {action_name} to device: {device_id}

  • Sub Type—Action on device

  • Status—Success

  • Severity—Low

Failed to send action {action_name} to device: {device_id}

  • Sub Type—Action on device

  • Status—Fail

  • Severity—Low

Failed to start Live Shell with Broker device: {device_id}

  • Sub Type—Action on device

  • Status—Fail

  • Severity—Low

Set configuration for device {device_id}

  • Sub Type—Device configuration

  • Status—Success

  • Severity—Low

Failed to set configuration for device {device_id}

  • Sub Type—Device configuration

  • Status—Fail

  • Severity—Low

Broker VM {device_name} has disconnected from the Cortex XDR server.

  • Sub Type—Disconnect

  • Status—Fail

  • Severity—Low

Pathfinder configuration request completed

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Low

Pathfinder configuration request failed

  • Sub Type—Edit Configuration

  • Status—Fail

  • Severity—Low

Pathfinder credentials request completed

  • Sub Type—Edit Credentials

  • Status—Success

  • Severity—Low

Pathfinder credentials request failed

  • Sub Type—Edit Credentials

  • Status—Fail

  • Severity—Low

Pathfinder Test request completed

  • Sub Type—Test

  • Status—Success

  • Severity—Low

Pathfinder Test request failed

  • Sub Type—Test

  • Status—Fail

  • Severity—Low

Type—Dashboards

Enabled Dashboard ID {dashboard_id}

  • Sub Type—Enable Dashboard

  • Status—Success

  • Severity—Informational

Disabled Dashboard ID {dashboard_id}

  • Sub Type—Disable Dashboard

  • Status—Success

  • Severity—Informational

Deleted Dashboard ID {dashboard_id}

  • Sub Type—Delete Dashboard

  • Status—Success

  • Severity—Informational

Created Dashboard ID {dashboard_id}

  • Sub Type—Create New Dashboard

  • Status—Success

  • Severity—Informational

Edited Dashboard ID {dashboard_id}

  • Sub Type—Edit Dashboard

  • Status—Success

  • Severity—Informational

Type—Device Control Permanent Exceptions

Device control permanent exceptions were edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit device control permanent exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Exception was added to device control permanent exceptions profile

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to device control permanent exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Device Control Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

A whitelist entry {vendor} {product} {serial} was added from a violation event to profile {profile_name}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to device control exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Device Control Temporary Exceptions

A temporary exception for {vendor} {product} {serial} on {target} {target_name} with {permission} permissions for {time} {time_units} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a temporary exception from violation

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

Device control temporary exceptions were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update device control temporary exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Disk Encryption Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a host disk encryption profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a host disk encryption profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a host disk encryption profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—EDL Management

Enable EDL

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Disable EDL

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Edit username

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Edit password

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Edit username and password

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

EDL Authentication

  • Sub Type—Authentication

  • Status—Fail

  • Severity—Informational

Type—Endpoint Administration

Uninstall agent on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Upgrade {platform} on {scope} to {versions}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Retrieve endpoint data from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Change managing server on {scope} using the following distribution IDs {distribution_ids}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Set agent proxy ({proxy_addresses}) for {host_name}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Delete {host_name}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Cancel {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Informational

Disable agent proxy for {host_name}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Could not include {endpoint-id} in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not exclude {endpoint-id} from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not include {endpoint-id} and {x} other endpoints in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

Could not exclude {endpoint-id} and {x} other endpoints from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Fail

  • Severity—Informational

{endpoint-id} was excluded from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} was included in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} and {x} other endpoints were included in auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

{endpoint-id} and {x} other endpoints were excluded from auto upgrade

  • Sub Type—Agent auto upgrade

  • Status—Success

  • Severity—Informational

Assigned {tag_name} to {endpoint_name} and {x} other endpoints

  • Sub Type—Assign

  • Status—Success

  • Severity—Informational

Removed {tag_name} from {endpoint_name} and {x} other endpoints

  • Sub Type—Remove

  • Status—Success

  • Severity—Informational

Endpoint token was viewed for hash {hash_id} and agent ID {agent-id}

  • Sub Type—View Token

  • Status—Success

  • Severity—Informational

Set endpoint token with {x} days expiration on {agent-id}

  • Sub Type—Set Token

  • Status—Success

  • Severity—Low

Type—Endpoint Groups

Endpoint group '{group_name}' created

  • Sub Type—Create Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to create

  • Sub Type—Create Group

  • Status—Fail

  • Severity—Informational

Endpoint group '{group_name}' deleted

  • Sub Type—Delete Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to delete

  • Sub Type—Delete Group

  • Status—Fail

  • Severity—Informational

Endpoint group edited {modified_fields}

  • Sub Type—Edit Group

  • Status—Success

  • Severity—Informational

Endpoint group '{group_name}' failed to update

  • Sub Type—Edit Group

  • Status—Fail

  • Severity—Informational

Type—Event Forwarding

{operation} Endpoint Event Forwarding

  • Sub Type—Change Endpoint Event Forwarding settings

  • Status—Success

  • Severity—Informational

{operation} GB Event Forwarding

  • Sub Type—Change GB Event Forwarding settings

  • Status—Success

  • Severity—Informational

Generated New Service Account JSON Web Token

  • Sub Type—Event Forwarding Authentication

  • Status—Success

  • Severity—Informational

Type—Extensions Policy

Device Control policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update device control policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Extensions policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update extensions policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Extensions Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create an extensions profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete an extensions profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit an extensions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Featured Alert Fields

Added {count} new featured {field_type}{plural}

  • Sub Type—Add

  • Status—Success

  • Severity—Informational

Failed to add {count} new featured {field_type}{plural}

  • Sub Type—Add

  • Status—Fail

  • Severity—Informational

Deleted {count} featured {field_type}{plural}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete {count} featured {field_type}{plural}

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

Edited {count} featured {field_type}{plural}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit {count} featured {field_type}{plural}

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Imported new featured {field_type}{plural}

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Failed to import new featured {field_type}{plural}

  • Sub Type—Import

  • Status—Fail

  • Severity—Informational

Replaced all featured {field_type}{plural} with a new list containing {count} values

  • Sub Type—Replace

  • Status—Success

  • Severity—Informational

Failed to replace {count} featured {field_type}{plural}

  • Sub Type—Replace

  • Status—Fail

  • Severity—Informational

Type—Global Exceptions

Global exceptions were edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit global exceptions

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{exception_type} was added to global exceptions profile

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to global exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Host Firewall Profile

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a host firewall profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a host firewall profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a host firewall profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Host Insights

Endpoint host insights collection initiated successfully

  • Sub Type—Collect Host Insights from an Endpoint

  • Status—Success

  • Severity—Informational

Failed initiating host insights collection from an endpoint

  • Sub Type—Collect Host Insights from an Endpoint

  • Status—Fail

  • Severity—Informational

Type—Incident Management

Changed incident {incident_id} status to {new_status}

  • Sub Type—Change Incident Status

  • Status—Success

  • Severity—Informational

Changed incident {incident_id} severity to {new_severity}

  • Sub Type—Change Incident Severity

  • Status—Success

  • Severity—Informational

Changed incident {incident_id} name to {new_name}

  • Sub Type—Edit Incident Name

  • Status—Success

  • Severity—Informational

Deleted incident {incident_id} name

  • Sub Type—Deleted Incident Name

  • Status—Success

  • Severity—Informational

Incident {incident_id} assigned to {user_name}

  • Sub Type—Assign Incident

  • Status—Success

  • Severity—Informational

Incident {incident_id} unassigned

  • Sub Type—Unassigned Incident

  • Status—Success

  • Severity—Informational

Added artifact {artifact_type}: {artifact_value} to incident {incident_id}

  • Sub Type—Add Key Artifact

  • Status—Success

  • Severity—Informational

Added asset {asset_type}:{asset_value} to incident {incident_id}

  • Sub Type—Add Key Asset

  • Status—Success

  • Severity—Informational

Deleted artifact {artifact_type}: {artifact_value} from incident {incident_id}

  • Sub Type—Delete Key Artifact

  • Status—Success

  • Severity—Informational

Deleted asset {asset_type}:{asset_value} from incident {incident_id}

  • Sub Type—Delete Key Asset

  • Status—Success

  • Severity—Informational

Moved {count} alerts from incident {src_incident_id} to incident {dst_incident_id}

  • Sub Type—Move Alerts

  • Status—Success

  • Severity—Informational

Merged {src_incident_ids} with incident {dst_incident_id}

  • Sub Type—Merge Incidents

  • Status—Success

  • Severity—Informational

Merged {src_incident_ids} incidents with incident {dst_incident_id}

  • Sub Type—Merge Incidents

  • Status—Success

  • Severity—Informational

Changed assignee of {count} incident{plural} to {user_name}

  • Sub Type—Bulk Change Incident Assignee

  • Status—Success

  • Severity—Informational

Changed status of {count} incident{plural} to {status}

  • Sub Type—Bulk Change Incident status

  • Status—Success

  • Severity—Informational

Changed severity of {count} incident{plural} to {severity}

  • Sub Type—Bulk Change Incident Severity

  • Status—Success

  • Severity—Informational

Changed scoring of {count} incident{plural} to {manual_score}

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of {count} incident{plural} to rule-based scoring

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of incident #{incident_id} to {manual_score}

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Changed scoring of incident #{incident_id} to rule-based scoring

  • Sub Type—Change Scoring

  • Status—Success

  • Severity—Informational

Type—Ingest Data

Requested to ingest {num_of_alerts} CEFs

  • Sub Type—CEF

  • Status—Success

  • Severity—Informational

Requested to ingest {num_of_alerts} LEEFs

  • Sub Type—LEEF

  • Status—Success

  • Severity—Informational

Requested to ingest {num_of_alerts} parsed alerts

  • Sub Type—Parsed Alerts

  • Status—Success

  • Severity—Informational

Type—Integrations

Created syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Create Syslog Integrations

  • Status—Success

  • Severity—Informational

Edited syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Edit Syslog Integrations

  • Status—Success

  • Severity—Informational

Deleted syslog integration {syslog_name} (ID={syslog_id})

  • Sub Type—Delete Syslog Integrations

  • Status—Success

  • Severity—Informational

Type—Licensing

Host Insights Add-on license has expired

  • Sub Type—Expiration

  • Status—Success

  • Severity—Low

{license_name} license has expired

  • Sub Type—Expiration

  • Status—Success

  • Severity—Informational

{license_name} license will expire in less than {time_remaining_in_days} days

  • Sub Type—Expiration

  • Status—Success

  • Severity—Informational

Your agents with data collection license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your agents with data collection license pool reached full capacity

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your installed agents license pool reached {usage_percentage}% capacity, {usage} out of {purchased} agents installed

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Your installed agents license pool reached full capacity

  • Sub Type—Quota

  • Status—Success

  • Severity—Informational

Type—Live Terminal

Connection request sent to host: {host}

  • Sub Type—Connect

  • Status—Success

  • Severity—Low

Connection request sent to host: {host}

  • Sub Type—Connect

  • Status—Fail

  • Severity—Low

Connection opened

  • Sub Type—Status

  • Status—Success

  • Severity—Low

Connection opened

  • Sub Type—Status

  • Status—Fail

  • Severity—Low

Connection closed

  • Sub Type—Status

  • Status—Success

  • Severity—Low

Failed to {description}

  • Sub Type—Status

  • Status—Fail

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Delete File

  • Status—Fail

  • Severity—Low

Delete file {path}

  • Sub Type—Delete File

  • Status—Success

  • Severity—Low

Delete file {name} in {path}

  • Sub Type—Delete File

  • Status—Success

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Move File

  • Status—Fail

  • Severity—Low

Move file {path} to {target_path}

  • Sub Type—Move File

  • Status—Success

  • Severity—Low

Move file {name} from {path} to {target_path}

  • Sub Type—Move File

  • Status—Success

  • Severity—Low

{error_detail} in {path}

  • Sub Type—Copy File

  • Status—Fail

  • Severity—Low

Copy file {path} to {target_path}

  • Sub Type—Copy File

  • Status—Success

  • Severity—Low

Copy file {name} from {path} to {target_path}

  • Sub Type—Copy File

  • Status—Success

  • Severity—Low

Type—Managed Threat Hunting

Pairing with {name} was removed

  • Sub Type—Pairing

  • Status—Success

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Register

  • Status—Success

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Re-register

  • Status—Success

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Register

  • Status—Fail

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Re-register

  • Status—Fail

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Unregistered

  • Status—Success

  • Severity—Informational

Registered to MTH service with email: {email}

  • Sub Type—Unregistered

  • Status—Fail

  • Severity—Informational

Type—MSSP

Synced {len(biocs)} BIOC rules and {len(exceptions)} exceptions

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(inclusions)} starred alerts

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(whitelists)} exclusion alerts

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(profiles)} profiles

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Synced {len(ab_list)} allow/block items

  • Sub Type—Synchronization

  • Status—Success

  • Severity—Informational

Failed to fetch data from signed_url

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(biocs)} BIOC rules and {len(exceptions)} exceptions

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(inclusions)} starred alerts

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(whitelists)} exclusion alerts

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(ab_list)} allow/block list items

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Failed to sync {len(profiles)} profiles

  • Sub Type—Synchronization

  • Status—Fail

  • Severity—Informational

Type—Permission

{user name} was assigned permissions of role {role name}

  • Sub Type—User Permissions Assigned

  • Status—Success

  • Severity—Informational

{user name} permissions were updated from {role name} to {role name}

  • Sub Type—User Permissions Edited

  • Status—Success

  • Severity—Informational

{user name} permissions were removed

  • Sub Type—User Permissions Revoked

  • Status—Success

  • Severity—Informational

{user name} access has been disabled due to last login timeout

  • Sub Type—User Access Disabled

  • Status—Success

  • Severity—Informational

{user name} access has been manually disabled

  • Sub Type—User Access Disabled

  • Status—Success

  • Severity—Informational

{user name} access has been enabled

  • Sub Type—User Access Enabled

  • Status—Success

  • Severity—Informational

{role name} created with the following permissions: {1,2,3}

  • Sub Type—Role Created

  • Status—Success

  • Severity—Informational

{role name} edited, the following permissions were added: {1,2} and the following permissions were removed: {1,2,3}

  • Sub Type—Role Edited

  • Status—Success

  • Severity—Informational

{role name} deleted

  • Sub Type—Role Deleted

  • Status—Success

  • Severity—Informational

Type—Policy & Profiles

{platform} {profile_type} profile {profile_name} was created

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was created by {parent_tenant}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

Failed to create a profile by {parent_tenant}

  • Sub Type—Create

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was deleted by {parent_tenant}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Failed to delete a profile by {parent_tenant}

  • Sub Type—Delete

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{exception_type} was added to exceptions profile {profile_name}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to add exception to exceptions profile

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

{platform} {profile_type} profile {profile_name} was edited by {parent_tenant}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to edit a profile by {parent_tenant}

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

  • <X> profiles were exported

  • Policy rule <name> was exported

  • <x> policy rules were exported

  • Sub Type—Import / Export

  • Status—Success

  • Severity—Informational

  • <X> profiles were imported

  • Policy rule <name> was imported

  • <x> policy rules were imported

  • Sub Type—Import / Export

  • Status—Success

  • Severity—Informational

Type—Prevention Policy Rules

Policy rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update policy rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Policy rules reverted to previous state due to profile removal by {parent_tenant}

  • Sub Type—Revert

  • Status—Success

  • Severity—Informational

Type—Public API

Source IP: {source_ip}, API key ID: {key_id}

  • Sub Type—Authentication failed

  • Status—Fail

  • Severity—Informational

Type—Query Center

Query ID {identifier} was executed

  • Sub Type—Run Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was scheduled

  • Sub Type—Schedule Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was removed from scheduled queries

  • Sub Type—Remove Scheduling

  • Status—Success

  • Severity—Informational

Query ID {identifier} was renamed

  • Sub Type—Rename Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was removed

  • Sub Type—Remove Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was saved

  • Sub Type—Save Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was enabled

  • Sub Type—Enable Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was disabled

  • Sub Type—Disable Query

  • Status—Success

  • Severity—Informational

Query ID {identifier} was rescheduled

  • Sub Type—Edit Query

  • Status—Success

  • Severity—Informational

Type—Remediation

Created remediation action to {operations} from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Canceled {action_name} (id={group_action_id}) on {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Type—Reporting

Downloaded report '{report_names}' ID {report_ids}

  • Sub Type—Download Report

  • Status—Success

  • Severity—Informational

Deleted report(s) '{report_names}' ID(s) {report_ids}

  • Sub Type—Delete Report

  • Status—Success

  • Severity—Informational

Created report template '{template_name}' ID {template_id}

  • Sub Type—Create New Report Template

  • Status—Success

  • Severity—Informational

Disabled report template '{template_name}' ID {template_id}

  • Sub Type—Disable Report Template

  • Status—Success

  • Severity—Informational

Enabled report template '{template_name}' ID {template_id}

  • Sub Type—Enable Report Template

  • Status—Success

  • Severity—Informational

Edited report template '{template_name}' ID {template_id}

  • Sub Type—Edit Report Template

  • Status—Success

  • Severity—Informational

Deleted report template(s) '{template_name}' ID(s) {template_id}

  • Sub Type—Delete Report Template

  • Status—Success

  • Severity—Informational

Emailed report '{template_name}' ID {report_id} to {emails}

  • Sub Type—Email Report

  • Status—Success

  • Severity—Informational

Failed to upload report {upload_report_name} to bucket {bucket_name}

  • Sub Type—Run Report

  • Status—Fail

  • Severity—Informational

Scheduled report failed to start due to timeout

  • Sub Type—Run Report

  • Status—Fail

  • Severity—Informational

Slack report '{template_name}' ID {report_id} to {channels}

  • Sub Type—Slack Report

  • Status—Success

  • Severity—Informational

Type—Response

Retrieve {count} file(s) from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Retrieve alert data from {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Quarantine {path}, SHA256: {hash} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Restore quarantined file with hash {hash} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Malware scan on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Abort malware scan on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Isolate {scope} from the network

  • Sub Type—Create

  • Status—Success

  • Severity—Low

UnIsolate {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Kill process {process_name} on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Initiate Live Terminal on {scope}

  • Sub Type—Create

  • Status—Success

  • Severity—Low

Delete {count} hash(es) from allow list

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Delete {count} hash(es) from block list

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Delete isolation comment of {scope}

  • Sub Type—Delete

  • Status—Success

  • Severity—Low

Cancel {action_name} (id= {action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Enable {count} hash(es) from allow list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable and move {count} hash(es) from allow list to block list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable {count} hash(es) from block list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Enable and move {count} hash(es) from block list to allow list

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

{add_on_name} Add-on activated successfully

  • Sub Type—Enable

  • Status—Success

  • Severity—Low

Disable {count} hash(es) from allow list

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

Disable {count} hash(es) from block list

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

{add_on_name} Add-on disabled successfully

  • Sub Type—Disable

  • Status—Success

  • Severity—Low

Move {count} hash(es) to block list

  • Sub Type—Move

  • Status—Success

  • Severity—Low

Move {count} hash(es) to allow list

  • Sub Type—Move

  • Status—Success

  • Severity—Low

Edit comment of {count} hash in allow list

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Updated incident ID of a hash from allow list: {hash} to: {incident_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Removed incident ID of a hash from allow list: {hash}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Edit comment of {count} hash in block list

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Updated incident ID of a hash from block list: {hash} to: {incident_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Removed incident ID of a hash from block list: {hash}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Edit isolation comment of {scope} to {isolate_comment}

  • Sub Type—Edit

  • Status—Success

  • Severity—Low

Disable {capability} on {scope}

  • Sub Type—Disable Capability

  • Status—Success

  • Severity—Low

Removed {ip} from the blocked IP address list of {scope}

  • Sub Type—Unblock

  • Status—Success

  • Severity—Low

Type—Rules

IOC created - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

BIOC created - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Create

  • Status—Success

  • Severity—Informational

IOC deleted - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

BIOC deleted - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

IOC changed - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

Changed {count} IOCs

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

BIOC changed - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

Changed {count} BIOCs

  • Sub Type—Change

  • Status—Success

  • Severity—Informational

IOC disabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} IOCs

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

IOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC disabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC rule {rule_id} has been automatically disabled because it reached {hits} matches in the last {time} - name: {rule_name} severity: {rule_severity} type: {rule_type}

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} BIOCs

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Analytics BIOC rule disabled - name: '{rule_name}' global rule id: '{global_rule_id}'

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

Disabled {count} Analytics BIOC rules

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

BIOC Rule #{rule_id} ({rule_name}) has been disabled as it reached {limit} limit of hits in the past 24 hours.

  • Sub Type—Disable

  • Status—Success

  • Severity—Informational

IOC enabled - indicator: {indicator} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} IOCs

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

BIOC enabled - name: {rule_name} id: {rule_id} severity: {rule_severity} type: {rule_type}

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} BIOCs

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Analytics BIOC rule enabled - name: '{rule_name}' global rule id: '{global_rule_id}'

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Enabled {count} Analytics BIOC rules

  • Sub Type—Enable

  • Status—Success

  • Severity—Informational

Imported {count} IOCs

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Imported {count} BIOCs

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

{count} IOCs expired

  • Sub Type—Expire

  • Status—Success

  • Severity—Informational

Exported {count} BIOCs

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

BIOC content updated - Palo Alto Networks repository provided a BIOC update

  • Sub Type—Content Update

  • Status—Success

  • Severity—Informational

Type—Rules Exceptions

Added new rule exception

  • Sub Type—Add

  • Status—Success

  • Severity—Informational

Edited rule exception ID:{exception_id}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Deleted {exception_ids_len} rule exceptions

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Deleted rule exception ID: {exception_id}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Exported {exception_id} rule exception

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

Exported {exported_exceptions} rule exceptions

  • Sub Type—Export

  • Status—Success

  • Severity—Informational

Imported {exception_id} rule exception

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Imported {imported_exceptions} rule exceptions

  • Sub Type—Import

  • Status—Success

  • Severity—Informational

Type—SaaS Collection

{vendor} Data Collection for {name} created.

  • Sub Type—Create Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} deleted.

  • Sub Type—Delete Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} edited.

  • Sub Type—Edit Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} disabled.

  • Sub Type—Disable Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} enabled.

  • Sub Type—Enable Configuration

  • Status—Success

  • Severity—Informational

{vendor} Data Collection for {name} was disconnected with error '{disconnected_error}'

  • Sub Type—Configuration Disconnected

  • Status—Fail

  • Severity—Informational

Collection authentication failed. Collection key ID {key_id}. Source IP: {source_ip}

  • Sub Type—Authentication Failed

  • Status—Fail

  • Severity—Informational

Okta API call exceeded rate limit due to too many requests. HTTP Status: 429 Too Many Requests. The collection of data from {okta_domain} is suspended for several minutes.

  • Sub Type—Data Collection

  • Status—Fail

  • Severity—Informational

Type—Scoring Rules

Scoring rules were updated

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Failed to update scoring rules

  • Sub Type—Edit

  • Status—Fail

  • Severity—Informational

Type—Script Execution

Run {script_name} on {scope}

  • Sub Type—Run script

  • Status—Success

  • Severity—Low

Cancel {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Cancel

  • Status—Success

  • Severity—Low

Abort {action_name} (id={group_action_id}) for {scope}

  • Sub Type—Abort

  • Status—Success

  • Severity—Low

Add {outcome} script, name: {name}, description: {description}, compatible for {platform}, script id: {script_id}

  • Sub Type—Add Script

  • Status—Success

  • Severity—Informational

Edit {script_name}, script id - {script_id}: {updated_values}

  • Sub Type—Edit

  • Status—Success

  • Severity—Informational

Delete {script_name}, script id: {script_id}

  • Sub Type—Delete

  • Status—Success

  • Severity—Informational

Type—Security Settings

Changed user login expiration from {old_user_login_expiration} hours to {new_user_login_expiration} hours

  • Sub Type—Change Session Expiration

  • Status—Success

  • Severity—Informational

Changed dashboard expiration from {previous_dashboard_expiration} to {new_dashboard_expiration}

  • Sub Type—Change Session Expiration

  • Status—Success

  • Severity—Informational

{action} session’s approved domains {domain_list}

  • Sub Type—Change Session’s Approved Domains

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled, or Changed.

domain_list is in one of the following formats.

  • for domainX, domainY

  • from: domainX to: domainY

  • (empty)

{action} session’s approved CIDRs {CIDR_list}

  • Sub Type—Change Session’s Approved CIDRs

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled, or Changed.

CIDR_list is in one of the following formats.

  • for CIDRX, CIDRY

  • from: CIDRX to: CIDRY

  • (empty)

{action} user expiration {expiration_change}

  • Sub Type—Change User Expiration Settings

  • Status—Success

  • Severity—Informational

Note

Action is Enabled, Disabled or Changed.

expiration_change is in one of the following formats.

  • for x days

  • from x days to y days

  • (empty)

Added domain(s) {domains_list} to the Allowed Domains list

  • Sub Type—Add Allowed Distribution List Domain

  • Status—Success

  • Severity—Informational

Deleted domain(s) {domains_list} from the Allowed Domains list

  • Sub Type—Delete Allowed Distribution List Domain

  • Status—Success

  • Severity—Informational

Type—Starred Incidents

Incident {incident_id} was manually starred

  • Sub Type—Manual Star

  • Status—Success

  • Severity—Informational

Incident {incident_id} was manually unstarred

  • Sub Type—Manual Un-star

  • Status—Success

  • Severity—Informational

{count} incident{plural} were starred

  • Sub Type—Bulk Star

  • Status—Success

  • Severity—Informational

{count} incident{plural} were un-starred

  • Sub Type—Bulk Un-star

  • Status—Success

  • Severity—Informational

Enabled starring policy {edit_id}

  • Sub Type—Enable Policy

  • Status—Success / Fail

  • Severity—Informational

Disabled starring policy {edit_id}

  • Sub Type—Disable Policy

  • Status—Success / Fail

  • Severity—Informational

Edited starring policy {edit_id}

  • Sub Type—Edit Policy

  • Status—Success / Fail

  • Severity—Informational

Deleted starring policy

  • Sub Type—Delete Policy

  • Status—Success / Fail

  • Severity—Informational

Created starring policy {res}

  • Sub Type—Create Policy

  • Status—Success / Fail

  • Severity—Informational

Type—System

Temporary Devops access granted to user: ({member})

  • Sub Type—Devops Access

  • Status—Success

  • Severity—Informational