Review Audit Logs
    • 21 Jun 2024

    Red Canary records audit logs when a number of actions are taken by both users and the platform. The list of activities resulting in audit logs is continually growing and includes events such as the following:

    • Authentication token usage

    • Automation trigger and playbook execution

    • Canary exporter key generation

    • Email preparation and sending

    • Endpoint live response actions

    • Login success and failure

    • Multi-factor authentication enabling/disabling

    • User invitations

    • User role changes

    Only users with the Admin role can view audit logs.

    Viewing recent audit logs

    You can view and download audit logs that have been recently created.

    1. Click your user icon at the top right of Red Canary, and then click Audit Logs.

    To filter audit logs by action, user, or subject

    1. Select an action from the Filter by Action dropdown.

    2. Select a user from the Filter by User dropdown.

    3. Select a subject from the Filter by Subject dropdown.

    4. Click to download the latest 10,000 audit logs, or use the API to retrieve the complete list.

    Triggering automation playbooks when an audit log is created

    You can configure an automation trigger that runs one or more playbooks whenever an audit log is created.

    1. From the navigation menu, click Automation.

    2. Click Configure new trigger and select When an Audit Log is created.

    3. Click Add condition and configure the trigger to match the desired audit log type.

    4. Associate one or more playbooks to the trigger.

    Learn more about taking action with playbooks and actions.
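    The following added example (not code from the Red Canary documentation or product) shows how an admin might triage a downloaded batch of audit logs offline: it mirrors the Filter by Action / User / Subject dropdowns and applies the same kind of action-type condition you would put on a "When an Audit Log is created" trigger. The record fields (at, action, user, subject) and the sample records are constructed assumptions, not Red Canary's export format.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditLog:
    # Field names are an assumption for illustration, not the product's schema.
    at: str       # ISO 8601 timestamp
    action: str   # e.g. "login_failure", "user_role_changed"
    user: str     # who performed the action
    subject: str  # what the action was applied to


# Constructed sample batch, as if downloaded from the Audit Logs page.
SAMPLE_LOGS = [
    AuditLog("2024-06-21T08:00:01Z", "login_success", "alice@example.com", "alice@example.com"),
    AuditLog("2024-06-21T08:05:12Z", "login_failure", "bob@example.com", "bob@example.com"),
    AuditLog("2024-06-21T08:05:40Z", "login_failure", "bob@example.com", "bob@example.com"),
    AuditLog("2024-06-21T08:06:03Z", "login_failure", "bob@example.com", "bob@example.com"),
    AuditLog("2024-06-21T09:15:00Z", "mfa_disabled", "bob@example.com", "bob@example.com"),
    AuditLog("2024-06-21T09:16:30Z", "user_role_changed", "bob@example.com", "carol@example.com"),
    AuditLog("2024-06-21T10:00:00Z", "live_response_command", "alice@example.com", "WS-0042"),
    AuditLog("2024-06-21T10:02:00Z", "endpoint_isolated", "alice@example.com", "WS-0042"),
]

# Action types an admin wants to review promptly: the same set you would use as
# the condition on an audit-log trigger that runs a notification playbook.
REVIEW_ACTIONS = {"mfa_disabled", "user_role_changed",
                  "live_response_command", "endpoint_deisolated"}


def filter_logs(logs, action=None, user=None, subject=None):
    """Mirror the UI dropdowns: each argument narrows the batch, None means 'any'."""
    return [
        log for log in logs
        if (action is None or log.action == action)
        and (user is None or log.user == user)
        and (subject is None or log.subject == subject)
    ]


def review_candidates(logs, failure_threshold=3):
    """Return (user, reason) pairs worth a second look: repeated login failures
    by one user, plus every occurrence of a sensitive action type."""
    findings = []
    failures = Counter(log.user for log in logs if log.action == "login_failure")
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append((user, f"{count} login failures"))
    for log in logs:
        if log.action in REVIEW_ACTIONS:
            findings.append((log.user, f"{log.action} on {log.subject} at {log.at}"))
    return findings
```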

    EDR/EPP Audit Logs

    Red Canary collects and records audit logs from certain Endpoint Detection and Response (EDR)/Endpoint Protection Platform (EPP) platforms so you can take advantage of Red Canary’s API and automation features.

    VMware Carbon Black Response EDR and CrowdStrike Falcon support EPP/EDR audit log collection.

    VMware Carbon Black Response EDR

    For VMware Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are analyzed and mapped to the endpoints and users as much as possible.

    The action for each audit log is:

    • live_response_command for entries from the Live Response log.

    • endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log.

    CrowdStrike Falcon

    For CrowdStrike Falcon, raw events labeled Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent are processed and mapped to endpoints and users in Red Canary.

    The action for each audit log is based on the OperationName of the raw CrowdStrike event.
