Monitor Data Model Rules Activity - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Learn more about the monitored Cortex XSIAM Data Model Rules activities.

Cortex XSIAM logs entries for events related to the Data Model Rules monitored activities. Cortex XSIAM stores the logs for 365 days. To view the Data Model Rules audit logs, select Settings Management Audit Logs.

To ensure you and your colleagues stay informed about Data Model Rules activity, you can Configure Notification Forwarding to forward your Data Model Rules audit logs to an email distribution list or Syslog server.

You can customize your view of the logs by adding or removing filters to the Management Audit Logs table. You can also filter the page result to narrow down your search. The following table describes the default and optional fields that you can view in the Cortex XSIAM Management Audit Logs table:


Certain fields are exposed and hidden by default. An asterisk (*) is beside every field that is exposed by default.




Log message that describes the action.


Email of the user who performed the action.

Host Name*

This field is not applicable for Data Model Rules logs.


Unique ID of the action.


This field is not applicable for Data Model Rules logs.


The result of the action ( Success, Fail, or Partial)


Severity associated with the log:

  • Critical

  • High

  • Medium

  • Low

  • Informational


Date and time when the action occurred.

Type* and Sub-Type*

Additional classifications of Data Model Rules logs (Type and Sub-Type):

  • XDM Config:

    • Saving XDM mappings file—Indicates whenever a Data Model Rule is saved in the editor, the specific changes made to the Cortex Data Model (XDM) mappings. In addition, indicates whenever the changes weren't able to be saved.

    • Disabled—Indicates the Data Model Rule and associated dataset that are now disabled. This invalid rule is excluded from the query until the changes are made to fix the problem.

    • Enabled—Indicates the Data Model Rule and associated dataset that have been updated and are now enabled.

User Name*

Name of the user who performed the action.