Filter Audit Logs
    • 01 Aug 2024


    You can filter your audit logs by attribute, and then download a CSV of the results.

    1. Click your user icon at the top right of Red Canary, and then click Audit Logs.

    2. Enter attributes in the Audit Log filter bar, and then press Return or Enter.

    3. Click to download a CSV of your endpoint usage. 

    Supported filter attributes

    Attribute: Creation time
    Description: The date and time the audit log was created.
    Example: created_at:2020-04-05..2020-04-08

    Attribute: Action
    Description: The audit log action type. You can search for multiple actions at once by separating them with a vertical bar (|).
    Examples:
        action:"Automate Playbook Executed"
        action:"Send Email"|"Send Webhook"

    Attribute: User
    Description: The user who executed an action.
    Examples:
        user:johndoe@example.com
        user:automatebot+noreply@redcanary.co

    Specify dates using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to leave that end of the range unbounded.
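The filter syntax above, assembled by a small helper; this is an added example, not part of Red Canary's documentation or product code. It assumes ISO 8601 input for dates and that several attributes entered together are separated by spaces; `IDENTITY_CHANGES` is this example's own selection of action names listed on this page.

```python
from datetime import datetime

# Action names copied from this page's supported action types; grouping them
# as a review set for account and access changes is this example's choice.
IDENTITY_CHANGES = (
    "Multi Factor Auth Disabled", "Authentication Token Reset", "Password Reset",
    "User Added", "User Role Added", "Allowed Email Domains Changed",
)

def created_at(start=None, end=None):
    """Build created_at:from..to; pass None to leave one end unbounded."""
    if not start and not end:
        raise ValueError("at least one of start/end is required")
    # Validate as ISO 8601 (dates, or date-times without a UTC offset).
    parsed = [datetime.fromisoformat(v) if v else None for v in (start, end)]
    if all(parsed) and parsed[0] > parsed[1]:
        raise ValueError("start is later than end")
    return f"created_at:{start or ''}..{end or ''}"

def action(*names):
    """Build action:"A"|"B"; each name is quoted and joined with a vertical bar."""
    if not names:
        raise ValueError("at least one action name is required")
    for name in names:
        # A quote or bar inside a name would change how the filter is split.
        if not name.strip() or '"' in name or "|" in name:
            raise ValueError(f"invalid action name: {name!r}")
    return "action:" + "|".join(f'"{n}"' for n in names)

def user(email):
    """Build user:<address>; the value is unquoted, so whitespace is rejected."""
    if not email or any(c.isspace() for c in email):
        raise ValueError(f"invalid user value: {email!r}")
    return f"user:{email}"

def build_filter(*terms):
    # Assumption: several attributes entered together are separated by spaces.
    return " ".join(terms)

if __name__ == "__main__":
    print(build_filter(created_at("2020-04-05", "2020-04-08"), action(*IDENTITY_CHANGES)))
    print(build_filter(created_at(start="2020-04-05"), user("johndoe@example.com")))
```
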

    Supported action types

    Category: Authentication
    Events: "Authentication Token Reset", "Authentication Token Used", "Forced Sign Out", "Login Failure", "Login Successful", "Multi Factor Auth Disabled", "Multi Factor Auth Enabled"

    Category: Automate
    Events: "Automate Action Executed", "Automate Playbook Executed", "Automate Respond Executed", "Automate Respond Trigger Matched", "Automate Respond Trigger Rejected", "Automate Scheduling Action Execution", "Automate Scheduling Action Execution For Successful Playbook", "Automate Scheduling Playbook Execution", "Automate Trigger Executed"

    Category: Integrations
    Events: "Integration Successfully Triggered", "Integration Unsuccessfully Triggered", "Send Webhook", "Send Webhook Failure"

    Category: Notifications
    Events: "Email Prepared", "Email Sent", "SMS Message Status Changed"

    Category: Security
    Events: "Endpoint Deisolated", "Endpoint Isolated", "Endpoint Isolation Status Changed", "External Alert Confirmed Threatening", "External Alert Dismissed As Not Threat", "Hash Banned", "Live Response Isolation"

    Category: User Management
    Events: "User Added", "User Destroyed", "User Invitation Accepted", "User Invitation Sent", "User Removed", "User Role Added", "User Role Removed"

    Category: Others
    Events: "Activity Monitor Created", "Activity Monitored Deleted", "Activity Monitor Updated", "Allowed Email Domains Changed", "Canary Exporter Keys Generated", "External Alert Source Sync Succeeded", "Live Response Command", "Password Reset", "Sso Login Failure", "Sso Login Successful"

