When subscribing to either native Endpoint Detection and Response (EDR) formatted or Red Canary standardized data, you can opt to collect only specific event types in your Docker run statement when initiating the Canary Exporter. The event types for each data format are listed below.

Red Canary Standardized Data

binary
child_process
endpoint
file_creation
file_deletion
file_modification
model_attributes
network_connection
process_handle_open
process_thread_open
registry_key_deletion
registry_value_deletion
remote_thread_creation
module_load
process_end
process_start
registry_key_creation
registry_value_write

Carbon Black Response Native Data

The canonical list of native Carbon Black Response event types can be found here.

CrowdStrike Falcon Native Data

The canonical list of native CrowdStrike Falcon event types can be found here.
