Management Audit Logs - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-18
Last date published
2024-10-14
Category
Administrator Guide
Solution
Cloud
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

View, export, extract, and purge the audit trail in Cortex XSOAR. The audit trail logs all administrative user actions in Cortex XSOAR.

The management audit logs display a log of all administrative user interactions within Cortex XSOAR. The logs are sorted by date and cover which users interacted in what way with system objects, and associated data.

Note

The audit logs do not include actions performed in the War Room. These actions are documented in the War Room.

You can filter by field, such as email, ID, user name, type, etc., and you can save filters for later use. In addition, you can adjust the appearance of the columns and add or remove columns.

To view the audit logs, navigate to Settings & InfoManagement Audit Logs.

To export the management audit logs as a .tsv file, click the Export to file button. You can also forward management audit notifications to a syslog server or an email distribution list.

The following table describes components and actions.

Component

Actions

APIKey

  • add

  • edit

  • delete

Classifier

  • add

  • copy

  • edit

Content

  • install

ContentPack

  • edit

  • install

  • delete

ContributionPack

  • add

  • edit

  • delete

Credentials

  • add

  • edit

  • delete

Dashboard

  • add

  • edit

  • delete

Engine

  • add

  • edit

  • delete

Entry

  • delete

  • removeentrypermanently

  • edit

Execute

  • add

HyperProcess(reputation)

  • add

  • delete

Incident

  • edit

  • close

  • execute

  • delete

  • duplicate

  • notcreated

  • add

IncidentField

  • add

  • edit

  • delete

  • export

  • export (bulk)

  • import

  • import (bulk)

IncidentType

  • attach

  • detach

  • disable

  • enable

  • delete

  • edit

  • add

Indicator

  • edit

  • add

  • delete

IndicatorBulkEdit

  • edit

Integration permissions

  • edit

Integrations

  • add

  • edit

  • delete

IntegrationsConfig

  • add

  • edit

  • delete

  • upload

Investigation

  • close

  • reopen

  • edit

  • add

Jobs

  • add

  • edit

  • disable

  • enable

  • delete

  • pause

  • resume

  • runnow

  • abort

Layout

  • create

  • edit

  • delete

  • attach

  • detach

  • duplicate

  • import

  • export

List

  • create

  • edit

  • delete

Authentication

  • login

  • logout

Playbook

  • add

  • edit

  • attach

  • detach

  • upload

  • copy

  • delete

PreprocessRule

  • edit

  • add

Script

  • copy

  • upload

  • edit

  • add

  • delete

ServerConfiguration

  • edit

Permissions

  • user permissions assigned

  • user permissions edited

  • user permissions revoked

  • user access disabled

  • user access enabled

  • role created

  • role edited

  • role deleted

Whitelist

  • delete

  • batchcreate

  • add

Widget

  • edit

  • add

  • reset