Login
      Contents x
      Review Audit Logs
      • 21 Jun 2024
      • 1 Minute to read
      • PDF
      Contents

      Review Audit Logs

      • Updated on 21 Jun 2024
      • 1 Minute to read
      • PDF
      Article summary

      Red Canary records audit logs when a number of actions are taken by both users and the platform. The list of activities resulting in audit logs is continually growing and includes events such as the following:

      • Authentication token usage

      • Automation trigger and playbook execution

      • Canary exporter key generation

      • Email preparation and sending

      • Endpoint live response actions

      • Login success and failure

      • Multi-factor authentication enabling/disabling

      • User invitations

      • User role changes

      Only users with the Admin role can view audit logs.

      Viewing recent audit logs 

      You can view and download audit logs that have been recently created.

      1. Click your user icon at the top right of your Red Canary, and then click Audit Logs.
        Audit_Logs_new.png

      To filter audit logs by action, user, or subject

      1. Select an action from the Filter by Action dropdown.

      2. Select a user from the Filter by User dropdown.

      3. Select a subject from the Filter by Subject dropdown.

      4. Click  to download the latest 10,000 audit logs, or use the API to retrieve the complete list.

      Triggering automation playbooks when an audit log is created 

      You can use automation playbooks to trigger playbooks when an audit log is created.

      1. From the navigation menu, click Automation.

      2. Click Configure new trigger and select When an Audit Log is created. 

      3. Click Add condition and configure the trigger to match the desired audit log type.

      4. Associate one or more playbooks to the trigger.

      Learn more about taking action with playbooks and actions.

      EDR/EPP Audit Logs

      Red Canary collects and records audit logs from certain Endpoint Detection and Response (EDR)/Endpoint Protection Platform (EPP) platforms so you can take advantage of Red Canary’s API and automation features.

      VMware Carbon Black Response EDR and CrowdStrike Falcon support EPP/EDR audit log collection.

      VMware Carbon Black Response EDR

      For VMware Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are analyzed and mapped to the endpoints and users as much as possible.

      The action for each audit log will be...

      • live_response_command for entries from the Live Response log.

      • endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log.

      CrowdStrike Falcon

      CrowdStrike Falcon processes and maps raw events labeled Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent to endpoints and users in Red Canary.

      The action for each audit log is based on the OperationName of the raw CrowdStrike event.

      Was this article helpful?
      What's Next
      PRODUCTS
      USE RED CANARY
      SUPPORT
      Change password!
      Changing your password will log you out immediately. Use the new password to log back in.
      Change profile
      Success!
      First name must have atleast 2 characters. Numbers and special characters are not allowed.
      Last name must have atleast 1 characters. Numbers and special characters are not allowed.
      Enter a valid email
      Enter a valid password
      Your profile has been successfully updated.
      Logout