Device Events

Note: Only users with an Administrator role can view Device Events.

Device Events provides a record of devices leveraging Client Management in Cisco XDR and deployment activity for those devices.

Choose Client Management > Device Events in the navigation menu to open the Device Events page.

Device Events page showing search for device and event log tables with date filtering.

The device inventory includes Host Name, Last updated, OS Type, OS Version, and UID.

The deployment activity includes Event Time, Event Type, Timestamp, and IP Address when you expand the event details.

To find events, first select a specific device by using the search box to enter a Host Name or UCid and click Select Device to see related events.

Device Events page displaying search results for devices, listing host names and OS details.

Once a device is selected, a record of the Cloud Management Deployment activity is displayed. Expanding the row for a specific event displays the event details.

Device Events table showing event details, including JSON data for a package installation.

  • Event Type

    • int-new-instance-key - A new instance key was generated for the "Previous deployment ID computer" (every computer is identified with a unique device instance key).
    • no-wmi - No WMI services are available to perform data collection.
    • pass-pkg-install - A Packaging and Signing Service bootstrap binary attempted to install a package.
    • pkg-install - The agent attempted to install a package.
    • pkg-reconfig - An existing package was reconfigured; configuration files have been added, removed, or replaced.
    • pkg-uninstall - A package has been uninstalled.

  • Event Details

    • bid - The business identifier of the client that experienced/recorded the event.
    • did - Current deployment ID.
    • odid - Previous deployment ID.
    • pip - The remote endpoint public IP (<IP>[:<PORT>]) that submitted the event; should be added by the server.
    • tse - TimeStamp Event; what time the event occurred.
    • tssrv - TimeStamp on backend server.
    • tstx - TimeStamp Transmission; what time the client sent the event to the server.
    • ucid - The UCID of the client that experienced or recorded the event.

To filter the events by a specified time range, select a start and end date and click Apply Filter.

To edit the columns that are displayed in the Event Details table, click the (Edit Columns) icon and check the boxes next to the column names. You can also drag and drop the column names in the order you want to view them in the table.

Edit Columns modal showing options to select and reorder columns for device events.