Cortex Management Audit Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
Cortex Management Audit Messages | Base Rule | General Audit Messages | Information |
Cortex Mgmt - Logon Success | Sub Rule | User Logon | Authentication Success |
Cortex Mgmt - Logon Failure | Sub Rule | User Logon Failure | Authentication Failure |
Cortex Mgmt - Failed Task | Sub Rule | Failed Operation | Warning |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
host name | N/A | N/A | Name of any relevant affected hosts. |
HEADER/Vendor | N/A | N/A | Vendor information |
HEADER/Device Product | N/A | N/A | Device Product information |
HEADER/Device Version | <version> | Text/String | Device Version information |
HEADER/Device Event Class ID | <vmid> | Text/String | N/A |
HEADER/name | <vendorinfo> <tag1> | Text/String | Action type |
HEADER/Severity | <severity> | Number | Severity: 0 - Unknown |
suser | <login> | Text/String | Username of the user who initiated the action. |
end | N/A | N/A | Timestamp |
externalId | <threatid> | Number | External ID |
cs1Label | N/A | N/A | N/A |
cs1 | <login>,<domainorigin> | Text/String | Email address of the user. |
cs2Label | N/A | N/A | N/A |
cs2 | <action> | Text/String | Sub-category of the action. |
cs3Label | N/A | N/A | N/A |
cs3 | <result> <tag2> | Text/String | The result of the action (Success, Fail, or N/A) |
cs4Label | N/A | N/A | N/A |
cs4 | <reason> | Text/String | If the action or activity failed, this field indicates the identified cause. |
msg | <subject> | Text/String | N/A |
tenantname | N/A | N/A | Name of the tenant |
tenantCDLid | N/A | N/A | ID of the tenant |
CSPaccountname | N/A | N/A | CSP ID |