Agent Configuration—Configuration of a particular Cortex XDR agent on a particular endpoint.
Agent Installation—Installation of the Cortex XDR agent on a particular endpoint.
Alert Exclusions—Suppression of particular alerts from Cortex XSIAM .
Alert Fields—Modification of alert fields.
Alert Layouts—Modification of alert layouts.
Alert Layout Rules—Modification of alert layout rules.
Alert Notifications—Modification of the format or timing of alerts.
Alert Rules—Modification of alert rules.
API Key—Modification of the Cortex XSIAM API key.
Authentication—User sessions started, along with the user name that started the session.
Broker API—Operation related to the Broker application programming interface (API).
Broker VM—Operation related to the Broker virtual machine (VM).
Dashboards—Use of particular dashboards.
Device Control Permanent Exceptions—Modification of permanent device control exceptions.
Device Control Profile—Modification of a device control profile.
Device Control Temporary Exceptions—Modification of temporary device control exceptions.
Disk Encryption Profile—Modification of a disk encryption profile.
Endpoint Administration—Management of endpoints.
Endpoint Groups—Management of endpoint groups.
Extensions Policy—Modification of extension policy settings, including host firewall and disk encryption.
Extensions Profiles—Modification of extension profile settings.
Global Exceptions—Management of global exceptions.
Host Firewall Profile—Modification of a host firewall profile.
Host Insights— Initiation of Host Insights data collection scan (Host Inventory and Vulnerability Assessment).
Incident Management—Actions taken on incidents and on the assets, alerts, and artifacts in incidents.
Ingest Data—Import of data for immediate use or storage in a database.
Integrations—Integration operations, such as integrating Slack for outbound notifications.
Licensing—Any licensing-related operation.
Live Terminal—Remote terminal sessions created and actions taken in the file manager or task manager, a complete history of commands issued, their success, and the response.
Managed Threat Hunting—Activity relating to managed threat hunting.
MSSP—Management of security services providers.
Policy & Profiles—Activity related to managing policies and profiles.
Prevention Policy Rules—Modification of prevention policy rules.
Protection Policy—Modification of the protection policy.
Protection Profile—Modification of the protection profile.
Public API—Authentication activity using an associated Cortex XSIAM API key.
Query Center—Operations in the Query Center.
Remediation—Remediation operations.
Reporting—Any reporting activity.
Response—Remedial actions taken. For example: Isolate a host, undo host isolation, add a file hash signature to the block list, or undo the addition to the block list.
Rules—Modification of rules.
Rules Exceptions—Creation, editing, or deletion under Rules exceptions.
SaaS Collection—Any collected SaaS data.
Script Execution—Any script execution.
Starred Incidents—Modification of starred incidents.
Vulnerability Assessment—Any vulnerability assessment activity.