View, export, extract, and purge the audit trail in Cortex XSOAR. The audit trail logs all administrative user actions in Cortex XSOAR.
The management audit logs record all administrative user interactions within Cortex XSOAR. By default, the logs are sorted by Timestamp and show which users interacted with system objects, in what way, along with associated data.
You can filter by field, such as email, ID, user name, type, etc., and you can save filters for later use. In addition, you can adjust the appearance of the columns and add or remove columns.
To view the audit logs, go to → .
By default, the Object ID column is hidden. You can add the Object ID column by clicking the table settings menu button and selecting Object ID. This column displays the specific ID associated with the logged action. For example, for incident creation, the Incident ID is displayed and for user creation, the User ID is displayed. Not all actions have an associated Object ID.
To export the management audit logs as a tsv text-based file, click the Export to file button. You can also forward management audit notifications to a syslog server or an email distribution list.
The following table describes the log types and subtypes.
API Keys
Includes the following subtypes:
Authentication
Includes the following subtypes:
Licensing
Includes details about the license such as expiration and ingestion violation.
Permissions
Includes user role permissions such as:
Cortex Automation
XSOAR Migration
Includes audit information about the migration from Cortex XSOAR 6 to 8, such as whether users were migrated, the cutoff date, and whether content and integrations were resynced.
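An added example, not part of the Cortex XSOAR documentation, of reviewing an exported tsv file offline: it keeps only the API Keys, Authentication, and Permissions log types from the table above and groups events by Object ID, skipping actions that have none. The column headers, sub type values, and sample rows are assumptions constructed for illustration; match them to the header row of your own export.

```python
import csv
import io
from collections import defaultdict

# Log types from the table above that usually merit a closer look.
REVIEW_TYPES = {"API Keys", "Authentication", "Permissions"}

# Constructed sample export. Column headers and sub type values are
# assumptions; adjust them to the header row of the real exported file.
SAMPLE_TSV = (
    "Timestamp\tUser Name\tType\tSub Type\tObject ID\n"
    "2024-05-01 09:12:03\talice\tAuthentication\tLogin\t\n"
    "2024-05-01 10:02:10\tbob\tLicensing\tExpiration\t\n"
    "2024-05-01 11:01:00\talice\tAPI Keys\tDelete\tkey-17\n"
    "2024-05-01 09:15:47\talice\tAPI Keys\tCreate\tkey-17\n"
    "2024-05-01 10:30:55\tbob\tPermissions\tRole Edit\trole-4\n"
)


def load_audit_rows(handle):
    """Parse a tsv export into dicts; reject files lacking the needed columns."""
    reader = csv.DictReader(handle, delimiter="\t", quoting=csv.QUOTE_NONE)
    missing = {"Timestamp", "User Name", "Type"} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    # Short rows yield None values and long rows a None key; normalise both.
    return [{k: (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]


def rows_for_review(rows, types=REVIEW_TYPES):
    """Rows whose Type is in the review set, oldest first.
    Assumes timestamps sort correctly as text (year-first format)."""
    return sorted((r for r in rows if r["Type"] in types),
                  key=lambda r: r["Timestamp"])


def history_by_object(rows):
    """Group events by Object ID; actions without an Object ID are skipped."""
    grouped = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["Timestamp"]):
        if r.get("Object ID"):
            grouped[r["Object ID"]].append((r["Timestamp"], r["User Name"], r["Type"]))
    return dict(grouped)


if __name__ == "__main__":
    rows = load_audit_rows(io.StringIO(SAMPLE_TSV))
    for r in rows_for_review(rows):
        print(r["Timestamp"], r["User Name"], r["Type"], r.get("Object ID") or "-")
    for object_id, events in history_by_object(rows).items():
        print(object_id, events)
```

To run it against a real export, open the file with `open(path, newline="", encoding="utf-8")` and pass the handle to `load_audit_rows`.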