
Cortex Agent Audit Messages

Vendor Documentation


| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Cortex Agent Audit Messages | Base Rule | General Audit Messages | Information |
| Cortex Agent - Action Failed | Sub Rule | Action Failure | Error |
| Cortex Agent - Install | Sub Rule | Software Installed | Configuration |
| Cortex Agent - Uninstall | Sub Rule | Software Uninstalled | Configuration |
| Cortex Agent - Upgrade | Sub Rule | Software Updated | Configuration |
| Cortex Agent - Policy Change | Sub Rule | Policy Modified : System | Policy |
| Cortex Agent - Start Failure | Sub Rule | Failed Service Start | Error |
| Cortex Agent - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |

Mapping with LogRhythm Schema 

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| version number | N/A | N/A | Version number |
| timestamp | N/A | N/A | Date and time when the action occurred. |
| host name | N/A | N/A | Name of any relevant affected hosts. |
| HEADER/Vendor | N/A | N/A | Vendor information |
| HEADER/Device Product | N/A | N/A | Device Product information |
| HEADER/Device Version | <version> | Text/String | Device Version information |
| HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
| | | Text/String | Action type |
| | | | 0 - Unknown; 6 - Low; 8 - Medium; 9 - High |
| dvchost | <domainorigin> | Text/String | Domain |
| shost | <Sname> | Text/String | Username of the user who initiated the action. |
| end | N/A | N/A | Timestamp |
| rt | N/A | N/A | Received time |
| cs1Label=agentversion | N/A | N/A | Version of the Cortex XDR agent running on the endpoint. |
| | | Text/String | Sub-category of the action. |
| | | Text/String | The result of the action (Success, Fail, or N/A). |
| cs4Label=reason | <reason> | Text/String | If the action or activity failed, this field indicates the identified cause. |
| tenantname | N/A | N/A | Name of the tenant |
| tenantCDLid | N/A | N/A | ID of the tenant |
| CSPaccountname | N/A | N/A | CSP ID |