Audit log information:
CylanceOPTICS

The following table lists the information that is added to the audit log for

CylanceOPTICS

administrative actions. You can use the filtering options available in the console to filter the audit log results.

Category	Action	Details
Advanced Query	Execute	Query: `<EQL_query>`
Advanced Query Export	Add	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Advanced Query Export	Download	Name: `<name>`; Description: `<description>`
Advanced Query Export	Remove	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Advanced Query Snapshot	Add	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Advanced Query Snapshot	Edit	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Advanced Query Snapshot	Remove	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Advanced Query Template	Add	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Query: `<EQL_query>`
Advanced Query Template	Edit	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Query: `<EQL_query>`
Advanced Query Template	Remove	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Detections	Change Status	Detection: `<detection label>`; Detection ID: `<detection id>`; Device: `<device name>`; Previous Status: `<previous detection status>`; New Status: `<new detection status>`
Detections	Remove	Detection: `<detection label>`; Detection ID: `<detection id>`; Device: `<device name>`
Detection Exception	Add	Name: `<name>`
Detection Exception	Edit	Name: `<name>`
Detection Exception	Remove	Name: `<name>`
Detection Rule	Add	Name: `<name>`; Description: `<description>`; Severity: `<severity>`; OS: `<OS list>`
Detection Rule	Edit	Name: `<name>`; Description: `<description>`; Severity: `<severity>`; OS: `<OS list>`
Detection Rule	Remove	Name: `<name>`; Description: `<description>`; Severity: `<severity>`; OS: `<OS list>`
Detection Rule Set	Add	Name: `<name>`; Description: `<description>`; Device Policy: `<device policy name>`
Detection Rule Set	Edit	Name: `<name>`; Description: `<description>`; Device Policy: `<device policy name>`
Detection Rule Set	Remove	Name: `<name>`; Description: `<description>`; Device Policy: `<device policy name>`
Device	File Download	Device: `<device name>`; File: `<file path and name>`
Device	Lock	Device: `<device name>`; Configuration Profile: `<profile name>`; Lockdown Period: `<lockdown period>`
Device	Unlock	Device: `<device name>`
Device	Change Lockdown Profile	Device: `<device name>`; Configuration Profile: `<profile name>`
Device	Show Unlock Key	Device: `<device name>`
Focus Data	Add	Device: `<device name>`; Type: `<focus view type>`; Artifact: `<focus view artifact>`
InstaQuery	Add	Name: `<IQ name>`, Artifact: `<IQ artifact>`, Facet: `<IQ facet>`, Term: `<IQ term>`
InstaQuery	Remove	Name: `<IQ name>`, Artifact: `<IQ artifact>`, Facet: `<IQ facet>`, Term: `<IQ term>`
Job Service	Stop	Name: `<name>`; Service: `<parent service type>`
Lockdown Configuration	Add	Configuration Profile: `<configuration profile>`; Description: `<description>`; Whitelist Definitions: `<allowed_connections>`
Lockdown Configuration	Delete	Configuration Profile: `<configuration profile>`
Lockdown Configuration	Edit	Configuration Profile: `<configuration profile>`; Description: `<description>`; Whitelist Definitions: `<allowed_connections>`
Package Deploy	Add	Name: `<name>`; Packages: `<packages>`
Package Deploy	Remove	Name: `<name>`
Package PlayBook	Add	Name: `<name>`; Packages: `<packages>`
Package PlayBook	Edit	Name: `<name>`; Packages: `<packages>`
Package PlayBook	Remove	Name: `<name>`; Packages: `<packages>`
PlayBook Result	Remove	Device: `<device name>`; Playbook Name: `<playbook name>`; Detection ID: `<detection id>`; Status: `<status>`
Remote Response	Connect	Device: `<device name>`
Remote Response	Disconnect	Device: `<device name>`
Scheduled Advanced Query	Add	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Schedule: `<schedule_details>`
Scheduled Advanced Query	Edit	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Schedule: `<schedule_details>`
Scheduled Advanced Query	Remove	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`
Scheduled Advanced Query	Remove Result	Name: `<name>`; Description: `<description>`; Result Timestamp: `<result_timestamp>`; Results: `<result_count>`
Scheduled Advanced Query	Start	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Schedule: `<schedule_details>`
Scheduled Advanced Query	Stop	Name: `<name>`; Description: `<description>`; Shared: `<isShared>`; Schedule: `<schedule_details>`

Section:

Auditing administrator actions

Audit log information: CylanceOPTICS

Audit log information:
CylanceOPTICS