
Monitoring (Events, Audits, Alerts)

Overview

The Xshield security platform generates messages for important and critical events or actions that occur on the platform. These range from users (administrators) performing configuration operations that change the security posture of the enterprise, to the platform itself taking actions on critical network events that may likewise affect that posture.

The Xshield security platform has three concepts:

  • Event
  • Audit
  • Alert

Event

An event is a message reported by the platform itself (not as the record of a user operation) when something occurs that requires customer attention, or as a notification of the success or failure of an operation that a user performed.

Audit

A message generated because a user performed an operation is marked as an audit. The audit records the operation itself; it is not necessarily the success or failure event of that operation, which is reported separately as an event.

Alert

An alert is a mechanism for filtering a specific set of events and marking them for notification on the platform. Additionally, the notifications can be sent to configured e-mail addresses.

1. Events

Agent Events

  • Agent Config Change: Logs modifications to an agent's configuration settings. These include operations such as enabling/disabling logging, setting timer values, etc.
  • Agent Decommission: Records when an agent is removed from the server or endpoint along with removing the data associated with the asset on the platform.
  • Agent Diag Collection Failed: Indicates a failure in collecting diagnostic data from an agent.
  • Agent Password Validation Failed: Captures an unsuccessful attempt to validate an agent's password that is used for stopping or uninstalling the Xshield agent.
  • Agent Policy Configured: Logs when the host firewall rules are programmed successfully.
  • Agent Policy Tampered: Alerts when an agent’s host firewall rules have been altered without authorization.
  • Agent Reachable: Indicates an agent has re-established communication after being unreachable.
  • Agent Restart Successful: Confirms a successful restart of an agent.
  • Agent Uninstalled: Logs when an agent is uninstalled on the system.
  • Agent Unreachable: Indicates that an agent has lost communication with the platform. This may be due to network issues that prevent connectivity to the Xshield platform.
  • Agent Upgrade: Logs an event when an agent software upgrade is requested.
  • Agent Upgrade Failed: Indicates a failure during an agent upgrade.
  • Agent Upgrade Successful: Confirms the successful completion of an agent upgrade to a newer software version.

Alert Events

  • Alert Dismissed: Logs when an alert is manually dismissed by a user.
  • Alert Rule Enabled: Captures the activation of an alert rule.
  • Alert Rule Snoozed: Indicates an alert rule has been temporarily paused because too many events matching the rule (1000) have been received.
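The following is an added example, not code from Xshield or ColorTokens, that models the Event / Audit / Alert concepts described above: messages produced by a user operation are classified as audits, messages reported by the platform are events, an alert rule filters events by type and fans notifications out to configured e-mail recipients, and the rule is snoozed once 1000 matching events have been received (the threshold given under "Alert Rule Snoozed"). The message schema (category, type, asset, actor), the AlertRule fields, and the sample messages are all assumptions constructed for illustration; the platform's real API and schema are not described on this page.

```python
"""Added example (not Xshield's own code): a minimal model of the page's
Event / Audit / Alert concepts.

ASSUMPTIONS (not from the page): the Message schema, the AlertRule fields and
the sample messages are invented for illustration. The 1000-event snooze
threshold is the one the page states for "Alert Rule Snoozed".
"""
from dataclasses import dataclass, field
from typing import Optional

SNOOZE_THRESHOLD = 1000  # page: rule is snoozed after 1000 matching events


@dataclass(frozen=True)
class Message:
    category: str                # e.g. "Agent", "Policy", "Traffic" (assumed field)
    type: str                    # e.g. "Agent Policy Tampered" (assumed field)
    asset: str                   # host or appliance the message concerns (assumed)
    actor: Optional[str] = None  # user who performed the operation, if any (assumed)


def classify(msg: Message) -> str:
    """Event vs Audit per the page: a message generated by a user operation is
    an audit; a message reported by the platform itself is an event.
    Using the presence of an actor as the discriminator is an assumption."""
    return "audit" if msg.actor else "event"


@dataclass
class AlertRule:
    name: str
    event_types: frozenset                    # event types the rule filters on
    recipients: tuple = ()                    # configured e-mail addresses
    enabled: bool = True
    matched: int = 0
    snoozed: bool = False
    notifications: list = field(default_factory=list)  # (recipient, text) pairs
    platform_log: list = field(default_factory=list)   # Alert Events the rule emits

    def process(self, msg: Message) -> bool:
        """Return True if msg raised an alert on the platform."""
        if not self.enabled or self.snoozed:
            return False
        # Alert rules filter events; audits are a separate stream.
        if classify(msg) != "event" or msg.type not in self.event_types:
            return False
        self.matched += 1
        self.notifications.extend(
            (r, f"[{self.name}] {msg.type} on {msg.asset}") for r in self.recipients
        )
        if self.matched >= SNOOZE_THRESHOLD:
            self.snoozed = True
            self.platform_log.append("Alert Rule Snoozed")
        return True


def run_demo() -> dict:
    """Feed a constructed message stream through one rule and report what happened."""
    rule = AlertRule(
        name="high-priority",
        event_types=frozenset({
            "Agent Policy Tampered",
            "Malicious IP Communication",
            "Blocked Communication Attempt",
        }),
        recipients=("soc@example.com",),  # assumed recipient
    )
    # Constructed sample messages, not real platform output.
    stream = [
        Message("Agent", "Agent Policy Tampered", "web-01"),
        Message("Agent", "Agent Config Update", "web-01", actor="admin@example.com"),  # audit
        Message("Agent", "Agent Reachable", "web-01"),  # event, but not in the filter
    ] + [Message("Policy", "Blocked Communication Attempt", "db-02")] * 1004
    raised = sum(rule.process(m) for m in stream)
    return {
        "raised": raised,                        # 1 tampered + 999 blocked, then snoozed
        "notifications": len(rule.notifications),
        "snoozed": rule.snoozed,
        "platform_log": rule.platform_log,
        "classified": [classify(m) for m in stream[:3]],
    }


if __name__ == "__main__":
    print(run_demo())
```

The snooze is the part worth noting operationally: once the rule has matched 1000 events it stops raising alerts, so the five trailing blocked-communication events in the sample stream are silently dropped until the rule is re-enabled. A rule that matches a high-volume event type such as Blocked Communication Attempt should therefore be scoped narrowly, or the events forwarded to a SIEM through an integration, rather than relied on for e-mail notification alone.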

Appliance (Gatekeeper) Events

  • Appliance Config Update Failed: Indicates a failure in updating appliance configurations.
  • Appliance Config Update Requested: Logs a request to update an appliance’s configuration.
  • Appliance Config Update Successful: Confirms a successful appliance configuration update.
  • Appliance DHCP Status Down: Alerts when the DHCP service is down.
  • Appliance DHCP Status Not Applicable: Captures when DHCP status is not relevant.
  • Appliance DHCP Status Up: Confirms that DHCP service is functioning.
  • Appliance DISK Utilization High: Alerts when disk usage exceeds an optimal level.
  • Appliance DISK Utilization Optimal: Indicates that disk usage is within acceptable limits.
  • Appliance Failover: Logs when an appliance switches to a failover state.
  • Appliance HA Synchronize Status Down: Indicates a failure in high-availability synchronization.
  • Appliance HA Synchronize Status Not Applicable: Captures when HA synchronization does not apply.
  • Appliance HA Synchronize Status Up: Confirms that HA synchronization is working correctly.
  • Appliance LAN LINK Status Down: Logs when a LAN connection is lost.
  • Appliance LAN LINK Status Up: Captures when a LAN connection is restored.
  • Appliance LAN Utilization High: Alerts when LAN utilization exceeds optimal levels.
  • Appliance LAN Utilization Optimal: Confirms that LAN utilization is within acceptable limits.
  • Appliance Reboot: Logs when an appliance is rebooted.
  • Appliance Recovery Successful: Indicates successful appliance recovery after an issue.
  • Appliance Service Restart: Logs when an appliance service is restarted.
  • Appliance Uninstalled: Captures the removal of an appliance from the network.
  • Appliance WAN Utilization High: Alerts when WAN utilization exceeds an optimal threshold.
  • Appliance WAN Utilization Optimal: Confirms that WAN utilization is within acceptable levels.
  • Manage Devices Successful: Logs when device management tasks are completed successfully.
  • Unmanage Devices Successful: Captures when devices are successfully unmanaged.
  • VLAN Failover: Logs when a VLAN failover occurs.

Asset Events

  • Asset Minimal Status Changed: Tracks changes in the minimum operational status of an asset.
  • Named Network Assigned: Logs when an asset is assigned to a named network.
  • Named Network Removed: Captures when an asset is removed from a named network.
  • Port Status Changed: Logs modifications to the status of a network port.
  • Pushed to Firewall: Indicates when a configuration update is pushed to the firewall.
  • Tagged Asset: Captures when an asset is tagged for classification or tracking.
  • Template Assigned: Logs when a template is applied to an asset.
  • Template Removed: Captures when a template is removed from an asset.
  • User Logged In: Logs when a user successfully logs into the platform.
  • User Logged Out: Captures when a user logs out.

Integration Events

  • Alert Upload Failure: Indicates a failure in uploading alert data.
  • Audit Upload Failure: Captures when audit data fails to upload.
  • Event Upload Failure: Logs failures when events cannot be uploaded.
  • Unable to Generate Presigned URL: Indicates a failure in generating a presigned URL for integration purposes.
  • Verify the Integration Credentials for an Activated Configuration: Logs issues with integration authentication.

Policy Events

  • Blocked Communication Attempt: Alerts when unauthorized communication is blocked.

SCIM Events

  • Error in User Creation: Logs when an error occurs during SCIM user creation.
  • Group Created: Captures the creation of a SCIM group.
  • Group Deleted: Logs when a SCIM group is removed.
  • Group Updated: Captures modifications to a SCIM group.
  • User Created: Logs when a SCIM user is created.
  • User Deleted: Captures the deletion of a SCIM user.
  • User Updated: Logs modifications to SCIM user details.

Tag Events

  • Created Tag: Captures when a new tag is created.
  • Segment Created: Logs the creation of a new segment.
  • Segment Deleted: Captures when a segment is removed.

Tenant Events

  • User Invite Accepted: Logs when a user accepts an invitation to a tenant.

Traffic Events

  • Malicious IP Communication: Captures instances where communication with a known malicious IP is detected.

2. Audits

Agent Audits

  • Agent Config Update: Records when an agent configuration is modified.
  • Agent Debug Log Disable: Captures when debug logging is disabled for an agent.
  • Agent Debug Log Enable: Logs when debug logging is enabled for an agent.
  • Agent Decommission: Records when an agent is taken out of service.
  • Agent Diag Collection: Captures when diagnostic data is collected from an agent.
  • Agent North South Traffic Collection: Logs when north-south traffic monitoring is enabled for an agent.
  • Agent Restart: Captures when an agent is restarted.
  • Agent Uninstalled: Logs when an agent is removed from a system.
  • Agent Upgrade: Records when an agent upgrade process is initiated.

Alert Audits

  • Alert Dismissed: Logs when an alert is dismissed by a user.
  • Alert Rule Disabled: Captures when an alert rule is deactivated.
  • Alert Rule Enabled: Logs when an alert rule is activated.
  • Alert Rule Notification Status Disabled: Indicates when alert rule notifications are turned off.
  • Alert Rule Notification Status Enabled: Logs when alert rule notifications are turned on.
  • Auto-dismissed Alert Notification: Captures alerts that are automatically dismissed based on predefined rules.
  • Updated Recipients: Logs modifications to alert notification recipients.

Appliance Audits

  • Appliance Config Update Requested: Captures when an appliance configuration update is initiated.
  • Appliance Decommission: Logs when an appliance is removed from service.
  • Appliance Reboot: Captures when an appliance is restarted.
  • Appliance Recovery Initiated: Logs the initiation of an appliance recovery process.
  • Appliance Service Restart: Captures when a service on an appliance is restarted.
  • Delete Devices Successful: Logs successful deletion of devices from management.
  • Manage Devices Requested: Captures when a device management request is made.
  • Unmanage Devices Requested: Logs when a request is made to remove a device from management.

Asset Audits

  • Asset Minimal Status Changed: Logs updates to the minimal operational status of an asset.
  • Asset Status Changed: Captures modifications to an asset's operational status.
  • Create Named Network: Logs the creation of a named network.
  • Create Template: Captures when a template is created.
  • Delete Named Network: Logs when a named network is removed.
  • Delete Template: Captures the deletion of a template.
  • Named Network Assigned: Logs when a named network is assigned to an asset.
  • Named Network Removed: Captures when a named network is removed from an asset.
  • Port Status Changed: Logs changes in network port status.
  • Pushed to Firewall: Captures when a configuration update is pushed to the firewall.
  • Tagged Asset: Logs when an asset is tagged.
  • Template Assigned: Captures when a template is applied to an asset.
  • Template Removed: Logs when a template is removed from an asset.
  • Update Named Network: Captures modifications to an existing named network.
  • Update Template: Logs when a template is updated.

CrowdStrike Audits

  • Host Group Status Change: Captures changes in the status of a CrowdStrike host group.

Integration Audits

  • Integration Updated: Logs updates made to an integration configuration.

Policy Audits

  • Refresh Inbound Progressive Snapshot: Captures when an inbound policy snapshot is refreshed.

SCIM Audits

  • SCIM IDP Deleted: Logs when an identity provider is removed from SCIM.
  • SCIM Token Generated: Captures when a new SCIM token is created.
  • User Group Activated: Logs when a SCIM user group is activated.
  • User Group Inactivated: Captures when a SCIM user group is deactivated.

Tag Audits

  • Created Tag: Logs when a new tag is created.
  • Deleted Tag: Captures when a tag is removed.
  • Updated Tag: Logs modifications to an existing tag.
  • Named Network(s) Added to Segment: Captures when named networks are added to a segment.
  • Named Network(s) Removed from Segment: Logs when named networks are removed from a segment.
  • Policy Minimal Status Changed: Captures modifications to the minimal status of a policy.
  • Segment Cloned: Logs when a segment is cloned.
  • Segment Created: Captures when a new segment is created.
  • Segment Deleted: Logs when a segment is deleted.
  • Segment Updated: Captures modifications to an existing segment.
  • Tag Rule Created: Logs the creation of a tag-based rule.
  • Tag Rule Deleted: Captures when a tag-based rule is removed.
  • Tag Rule Updated: Logs modifications to an existing tag-based rule.
  • Template(s) Added to Segment: Captures when templates are added to a segment.
  • Template(s) Removed from Segment: Logs when templates are removed from a segment.

Tenant Audits

  • Add Auth Config: Captures when an authentication configuration is added.
  • Add Password: Logs when a password is added to a user account.
  • Assign Role to User: Captures when a role is assigned to a user.
  • Delete Auth Config: Logs when an authentication configuration is removed.
  • Created New Role: Captures when a new role is created.
  • Delete Password: Logs when a password is removed from a user account.
  • Delete User: Captures when a user is deleted.
  • Delete User Invite: Logs when a user invitation is removed.
  • Invite User: Captures when a new user is invited to the platform.
  • Org Profile Edited: Logs modifications to an organization’s profile.
  • Switch Tenant: Captures when a user switches between tenants.
  • Tenant Invite Accepted: Logs when a user accepts an invitation to a tenant.
  • Update Auth Config: Captures modifications to authentication settings.
  • Update Password: Logs when a user password is updated.

User Audits

  • API Key Addition: Logs when an API key is added.
  • API Key Deletion: Captures when an API key is removed.
  • Login: Logs when a user successfully logs into the platform.
  • Logout: Captures when a user logs out of the platform.