Audit Logs
    • 25 Jul 2025

    Red Canary records audit logs when a number of actions are taken by both users and the platform. The list of activities resulting in audit logs is continually growing and includes events such as the following:

    • Authentication token usage

    • Automation trigger and playbook execution

    • Canary exporter key generation

    • Email preparation and sending

    • Endpoint live response actions

    • Login success and failure

    • Multi-factor authentication enabling/disabling

    • User invitations

    • User role changes

    Only users with the Admin role can view audit logs.

    View Audit Logs 

    To view audit logs, click your user icon at the top right of the Red Canary console, then click Audit Logs.

    Filter Audit Logs

    You can filter your audit logs by attribute, and then download a CSV of the results.

    1. Enter attributes in the Audit Log filter bar, and then press Enter.

    2. Click to download a CSV of filtered logs.

    Supported Filter Attributes

    Attribute: Creation time
    Description: The date and time the audit log was created.
    Example: created_at:2020-04-05..2020-04-08

    Attribute: Action
    Description: The audit log action type. You can search for multiple actions at once by separating them with a vertical bar (|).
    Examples: action:"Automate Playbook Executed"
              action:"Send Email"|"Send Webhook"

    Attribute: User
    Description: The user who executed an action.
    Examples: user:johndoe@example.com
              user:automatebot+noreply@redcanary.co

    Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. Omit either from or to to leave that end of the range unbounded.
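    The filter syntax above, applied in code as an added example (this is not Red Canary code and not the product's own implementation): a small evaluator that parses created_at, action and user terms, honours quoted values and | alternatives, and supports open-ended date ranges. The record field names, the sample records and the choice to treat a bare end date as inclusive of the whole day are assumptions made for the example; the page does not say how the product rounds a date-only bound.

```python
"""Evaluate audit log filter strings of the form documented above.

Added example, not Red Canary code. It implements the documented syntax:
created_at:FROM..TO (either side may be omitted; values are ISO 8601 dates
or date-times), action:"A"|"B" (quoted values, | separates alternatives) and
user:EMAIL. Record field names and the sample records are assumptions made
for this example, and a bare end date is treated as inclusive of the whole
day (an assumption; the page does not say how the product rounds it).
"""
import re
from datetime import datetime, timezone

# Constructed sample records, not real Red Canary data.
SAMPLE_LOGS = [
    {"created_at": "2020-04-05T09:12:00Z", "action": "Login Successful",
     "user": "johndoe@example.com"},
    {"created_at": "2020-04-06T14:30:00Z", "action": "Send Email",
     "user": "automatebot+noreply@redcanary.co"},
    {"created_at": "2020-04-07T08:00:00Z", "action": "Send Webhook",
     "user": "automatebot+noreply@redcanary.co"},
    {"created_at": "2020-04-09T10:00:00Z", "action": "Automate Playbook Executed",
     "user": "automatebot+noreply@redcanary.co"},
    {"created_at": "2020-04-10T11:45:00Z", "action": "Multi Factor Auth Disabled",
     "user": "johndoe@example.com"},
]

# One filter term: attribute name, a colon, then one or more values separated
# by "|". A value is either a double-quoted string or a run of characters with
# no whitespace, quotes or bars.
_VALUE = r'(?:"[^"]*"|[^\s"|]+)'
_TERM = re.compile(r'(\w+):(' + _VALUE + r'(?:\|' + _VALUE + r')*)')


def parse_filter(query):
    """Turn 'user:x action:"A"|"B"' into {'user': ['x'], 'action': ['A', 'B']}."""
    terms = {}
    for match in _TERM.finditer(query):
        key, raw = match.group(1), match.group(2)
        values = [v.strip('"') for v in re.findall(r'"[^"]*"|[^|]+', raw)]
        terms.setdefault(key, []).extend(values)
    return terms


def _parse_when(text, end_of_range=False):
    """Parse an ISO 8601 date or date-time into an aware UTC datetime.
    A bare date is the start of that day, or its last second when it closes a range."""
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if "T" not in text and end_of_range:
        dt = dt.replace(hour=23, minute=59, second=59)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def _in_range(record_time, spec):
    """Check created_at against FROM..TO, FROM.., ..TO or a single day."""
    if ".." in spec:
        start, _, end = spec.partition("..")
    else:
        start = end = spec
    when = _parse_when(record_time)
    if start and when < _parse_when(start):
        return False
    if end and when > _parse_when(end, end_of_range=True):
        return False
    return True


def matches(record, terms):
    """Every attribute in the filter must match; alternatives within one attribute are ORed."""
    for key, values in terms.items():
        if key == "created_at":
            if not all(_in_range(record["created_at"], v) for v in values):
                return False
        elif record.get(key) not in values:
            return False
    return True


def filter_logs(query, logs=SAMPLE_LOGS):
    """Return the records that satisfy the filter string."""
    terms = parse_filter(query)
    return [r for r in logs if matches(r, terms)]


if __name__ == "__main__":
    query = 'created_at:2020-04-05..2020-04-08 user:automatebot+noreply@redcanary.co'
    for hit in filter_logs(query):
        print(hit["created_at"], hit["action"], hit["user"])
```

    Terms for different attributes are ANDed and alternatives separated by | are ORed, which is the combination the documented examples imply; if you rely on a particular rounding of a date-only bound in the real console, check it against a known record before building a report on it.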

    Supported Filter Action Types

    Authentication: "Authentication Token Reset", "Authentication Token Used", "Forced Sign Out", "Login Failure", "Login Successful", "Multi Factor Auth Disabled", "Multi Factor Auth Enabled"

    Automate: "Automate Action Executed", "Automate Playbook Executed", "Automate Respond Executed", "Automate Respond Trigger Matched", "Automate Respond Trigger Rejected", "Automate Scheduling Action Execution", "Automate Scheduling Action Execution For Successful Playbook", "Automate Scheduling Playbook Execution", "Automate Trigger Executed"

    Integrations: "Integration Successfully Triggered", "Integration Unsuccessfully Triggered", "Send Webhook", "Send Webhook Failure"

    Notifications: "Email Prepared", "Email Sent", "SMS Message Status Changed"

    Security: "Endpoint Deisolated", "Endpoint Isolated", "Endpoint Isolation Status Changed", "External Alert Confirmed Threatening", "External Alert Dismissed As Not Threat", "Hash Banned", "Live Response Isolation"

    User Management: "User Added", "User Destroyed", "User Invitation Accepted", "User Invitation Sent", "User Removed", "User Role Added", "User Role Removed"

    Others: "Activity Monitor Created", "Activity Monitored Deleted", "Activity Monitor Updated", "Allowed Email Domains Changed", "Application Status Changed", "Canary Exporter Keys Generated", "External Alert Source Sync Succeeded", "Live Response Command", "Password Reset", "Sso Login Failure", "Sso Login Successful"
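    Several of the action types above change who can sign in or what they can do once signed in, and a downloaded CSV is the natural place to review them. The following is an added example, not Red Canary code: it reads a constructed export, flags those actions, and detects a burst of Login Failure events for one user followed by a Login Successful. The CSV column names (created_at, action, user), the sample rows, the five-in-ten-minutes threshold and the choice of which actions count as high risk are all assumptions made for the example; compare the column names against a real export before running it on one.

```python
"""Review an exported audit log CSV for events that deserve a second look.

Added example, not Red Canary code. The column names (created_at, action,
user) and the rows below are constructed for this example; check them against
a real export before use. It flags action types from the list above that
change authentication or authorization state, a burst of Login Failure events
for one user inside a short window, and a Login Successful that follows such
a burst.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action types on this page that alter who can sign in or what they may do.
# The selection is an assumption for the example; tune it to your environment.
HIGH_RISK_ACTIONS = {
    "Authentication Token Reset",
    "Multi Factor Auth Disabled",
    "Forced Sign Out",
    "Password Reset",
    "User Added",
    "User Role Added",
    "User Role Removed",
    "Canary Exporter Keys Generated",
    "Allowed Email Domains Changed",
}

FAILURE_THRESHOLD = 5                   # failures for one user ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window (assumed values)

# Constructed export, not real data.
SAMPLE_CSV = """created_at,action,user
2025-07-01T08:00:00Z,Login Successful,alice@example.com
2025-07-01T08:01:00Z,Login Failure,bob@example.com
2025-07-01T08:01:20Z,Login Failure,bob@example.com
2025-07-01T08:01:40Z,Login Failure,bob@example.com
2025-07-01T08:02:00Z,Login Failure,bob@example.com
2025-07-01T08:02:20Z,Login Failure,bob@example.com
2025-07-01T08:05:00Z,Login Successful,bob@example.com
2025-07-01T08:06:00Z,Multi Factor Auth Disabled,bob@example.com
2025-07-01T08:07:00Z,User Role Added,bob@example.com
2025-07-01T09:00:00Z,Automate Playbook Executed,automatebot+noreply@redcanary.co
"""


def _ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_export(csv_text):
    """Return (created_at, user, reason) tuples in time order."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: _ts(r["created_at"]))
    findings = []
    recent_failures = defaultdict(deque)  # user -> failure timestamps inside the window
    burst_users = set()                   # users who already tripped the threshold

    for row in rows:
        when, action, user = _ts(row["created_at"]), row["action"], row["user"]

        if action in HIGH_RISK_ACTIONS:
            findings.append((row["created_at"], user, f"high-risk action: {action}"))

        if action == "Login Failure":
            window = recent_failures[user]
            window.append(when)
            while when - window[0] > FAILURE_WINDOW:  # drop failures that aged out
                window.popleft()
            if len(window) >= FAILURE_THRESHOLD and user not in burst_users:
                burst_users.add(user)
                findings.append((row["created_at"], user,
                                 f"{len(window)} login failures within {FAILURE_WINDOW}"))
        elif action == "Login Successful" and user in burst_users:
            burst_users.discard(user)
            findings.append((row["created_at"], user, "login succeeded after a burst of failures"))

    return findings


def users_with_findings(csv_text):
    """Distinct users named in at least one finding."""
    return sorted({user for _, user, _ in review_export(csv_text)})


if __name__ == "__main__":
    for created_at, user, reason in review_export(SAMPLE_CSV):
        print(created_at, user, reason)
```

    Rows are sorted before evaluation so an export that is not in time order still gives correct windows, and a user is reported for a failure burst only once until a success clears the state, which keeps a long brute-force run from producing one finding per row.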

    Trigger Automation Playbooks

    You can configure an automation trigger that runs one or more playbooks whenever an audit log is created.

    1. From the navigation menu, click Automation.

    2. Click Configure new trigger and select When an Audit Log is created. 

    3. Click Add condition and configure the trigger to match the desired audit log type.

    4. Associate one or more playbooks to the trigger.

    Learn more about taking action with playbooks and actions.

    Support for EDR/EPP Audit Logs

    Red Canary collects and records audit logs from certain Endpoint Detection and Response (EDR)/Endpoint Protection Platform (EPP) platforms so you can take advantage of Red Canary’s API and automation features.

    Carbon Black Response EDR and CrowdStrike Falcon support EPP/EDR audit log collection.

    Carbon Black Response EDR

    For Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are analyzed and mapped to endpoints and users as far as possible. The action for each audit log will be:

    • live_response_command for entries from the Live Response log (the Live Response Command action type in the filter list above).

    • endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log (the Endpoint Isolated and Endpoint Deisolated action types).

    CrowdStrike Falcon

    For CrowdStrike Falcon, raw events labeled Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent are processed and mapped to endpoints and users in Red Canary. The action for each audit log is taken from the OperationName of the raw CrowdStrike event.

