Cortex Agent Audit Messages

Cortex Agent Audit Messages

Base Rule

General Audit Messages

Information

Cortex Agent - Action Failed

Sub Rule

Action Failure

Error

Cortex Agent - Install

Sub Rule

Software Installed

Configuration

Cortex Agent - Uninstall

Sub Rule

Software Uninstalled

Configuration

Cortex Agent - Upgrade

Sub Rule

Software Updated

Configuration

Cortex Agent - Policy Change

Sub Rule

Policy Modified : System

Policy

Cortex Agent - Start Failure

Sub Rule

Failed Service Start

Error

Cortex Agent - Service Stopped

Sub Rule

Process/Service Stopped

Startup and Shutdown

Device Key in Log Message

LogRhythm Schema

Data Type

Schema Description

version number

N/A

N/A

Version number

timestamp 

N/A

N/A

Date and time when the action occurred.

host name

N/A

N/A

Name of any relevant affected hosts.

HEADER/Vendor

N/A

N/A

Vendor information

HEADER/Device Product

N/A

N/A

Device Product information

HEADER/Device Version

<version>

Text/String

Device Version information

HEADER/Device Event Class ID

<vmid>

Text/String

N/A

HEADER/name

<vendorinfo>
<tag1>

Text/String

Action type

HEADER/Severity

<severity>

Number

Severity:

0 - Unknown
6 - Low
8 - Medium
9 - High

dvchost

<domainorigin> 

Text/String

Domain

shost

<Sname>

Text/String

Username of the user who initiated the action.

cat

<threatname>

Text/String

Category

end

N/A

N/A

Timestamp

rt

N/A

N/A

Received time 

cs1Label=agentversion

N/A

N/A

Version of the Cortex XDR agent running on the endpoint.

cs2Label=subtype

<action>
<tag2>

Text/String

Sub-category of the action.

cs3Label=result

<result>
<tag3>

Text/String

The result of the action (Success, Fail, or N/A).

cs4Label=reason

<reason>

Text/String

If the action or activity failed, this field indicates the identified cause.

msg

<subject>

Text/String

N/A

tenantname

N/A

N/A

Name of the tenant

tenantCDLid

N/A

N/A

ID of the tenant

CSPaccountname

N/A

N/A

CSP ID