Red Canary records audit logs when a number of actions are taken by both users and the platform. The list of activities resulting in audit logs is continually growing and includes events such as the following:

• Authentication token usage
• Automation trigger and playbook execution
• Canary exporter key generation
• Email preparation and sending
• Endpoint live response actions
• Login success and failure
• Multi-factor authentication enabling/disabling
• User invitations
• User role changes

Only users with the Admin role can view audit logs.

Viewing recent audit logs 

You can view and download audit logs that have been recently created.

1. Click your user icon at the top right of your Red Canary, and then click Audit Logs.
   

To filter audit logs by action, user, or subject...

1. Select an action from the Filter by Action dropdown.
2. Select a user from the Filter by User dropdown.
3. Select a subject from the Filter by Subject dropdown.

Click ICON_DOWNLOAD to download the latest 10,000 audit logs, or use the API to retrieve the complete list.

Triggering automation playbooks when an audit log is created 

You can use automation playbooks to trigger playbooks when an audit log is created.

1. From the navigation menu, click Automation.
2. Click Configure new trigger and select When an Audit Log is created. 
3. Click Add condition and configure the trigger to match the desired audit log type.
4. Associate one or more playbooks to the trigger.

Learn more about taking action with playbooks and actions.