In accordance with security best practices, Red Canary records privileged activity for your review.
Accessing the Audit Logs
Audit logs can be located by navigating to Profile > Audit Logs. Note: You must have the Administrator role to access this page.
The following activity is recorded in the audit logs:
- Allowed Email Domains Changed: A new user outside of your organization has been invited to the Portal, and their domain added to the Allowed Emails Domains list
- Canary Exporter Keys Generated: Canary Exporter authentication keys have been generated
- Email Prepared: An email (daily/weekly status, integration, notification) has been prepared to be sent
- Email Sent: An email was sent to a specific email address
- Endpoint Isolation Status Changed: An endpoint has been isolated or removed from isolation
- Hash Banned: An MD5 hash has been banned in your EDR platform
- Integration Successfully Triggered: A configured integration has successfully triggered
- Integration Unsuccessfully Triggered: A configured integration failed to trigger due to an error
- Login Failure: A user failed to log in successfully
- Login Successful: A user logged in successfully
- Multi Factor Auth Enabled: Multi-factor authentication was enabled for a user's account (on by default)
- Password Reset: A user's account password was reset
- Sso Login Failure: logging a failure with SSO authentication
- Sso Login Successful: SSO authentication successes
- User Invitation Accepts: An invited user has accepted their Portal invitation and set up an account
- User Invitation Sent: A Portal invitation has been sent to a specific user
- User Removed: A user account was removed
- User Role Added: A new role was granted to an existing user account
- User Role Removed: A role was removed from an existing user account
Red Canary collects and records audit logs from certain EPP/EDR platforms so you can take advantage of Red Canary’s API and automation features.
EPP/EDR audit log collection is supported by VMware Carbon Black Response EDR and CrowdStrike Falcon.
VMware Carbon Black Response EDR
For VMware Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are processed and mapped to the endpoints and users in Red Canary as well as possible.
The action for each audit log will be:
- live_response_command for entries from the Live Response log.
- endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log.
For CrowdStrike Falcon, the raw events named Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent are processed and mapped to the endpoints and users in Red Canary.
The action for each audit log is based on the OperationName of the raw CrowdStrike event.