Cortex Agent Audit Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| Cortex Agent Audit Messages | Base Rule | General Audit Messages | Information |
| Cortex Agent - Action Failed | Sub Rule | Action Failure | Error |
| Cortex Agent - Install | Sub Rule | Software Installed | Configuration |
| Cortex Agent - Uninstall | Sub Rule | Software Uninstalled | Configuration |
| Cortex Agent - Upgrade | Sub Rule | Software Updated | Configuration |
| Cortex Agent - Policy Change | Sub Rule | Policy Modified : System | Policy |
| Cortex Agent - Start Failure | Sub Rule | Failed Service Start | Error |
| Cortex Agent - Service Stopped | Sub Rule | Process/Service Stopped | Startup and Shutdown |

Mapping with LogRhythm Schema 

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| version number | N/A | N/A | Version number |
| timestamp | N/A | N/A | Date and time when the action occurred. |
| host name | N/A | N/A | Name of any relevant affected hosts. |
| HEADER/Vendor | N/A | N/A | Vendor information |
| HEADER/Device Product | N/A | N/A | Device Product information |
| HEADER/Device Version | <version> | Text/String | Device Version information |
| HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
| HEADER/name | <vendorinfo>, <tag1> | Text/String | Action type |
| HEADER/Severity | <severity> | Number | Severity: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
| dvchost | <domainorigin> | Text/String | Domain |
| shost | <sname> | Text/String | Username of the user who initiated the action. |
| cat | <threatname> | Text/String | Category |
| end | N/A | N/A | Timestamp |
| rt | N/A | N/A | Received time |
| cs1Label=agentversion | N/A | N/A | Version of the Cortex XDR agent running on the endpoint. |
| cs2Label=subtype | <action>, <tag2> | Text/String | Sub-category of the action. |
| cs3Label=result | <result>, <tag3> | Text/String | The result of the action (Success, Fail, or N/A). |
| cs4Label=reason | <reason> | Text/String | If the action or activity failed, this field indicates the identified cause. |
| msg | <subject> | Text/String | N/A |
| tenantname | N/A | N/A | Name of the tenant |
| tenantCDLid | N/A | N/A | ID of the tenant |
| CSPaccountname | N/A | N/A | CSP ID |