Red Canary records audit logs when a number of actions are taken by both users and the platform. The list of activities resulting in audit logs is continually growing and includes events such as:

• Authentication token usage
• Automation trigger and playbook execution
• Canary exporter key generation
• Email preparation and sending
• Endpoint live response actions
• Login success and failure
• Multi-factor authentication enabling/disabling
• User invitations
• User role changes

Only users with the Admin role can view audit logs.

Viewing recent audit logs 

You can view and download audit logs that have been recently created.

To view audit logs:

1. Click Administration > Audit Logs in the site navigation.

To filter audit logs by action, user, or subject:

1. Select an action from the Filter by Action dropdown.
2. Select a user from the Filter by User dropdown.
3. Select a subject from the Filter by Subject dropdown.

Click Download CSV to download the latest 10,000 audit logs, or use the API to retrieve the complete list.

Triggering automation playbooks when an audit log is created 

You can use automation playbooks to trigger playbooks when an audit log is created.

To trigger an automation playbook when an audit log is created:

1. Click Automate > Triggers in the site navigation.
2. Click New Trigger and select When an Audit Log is created. 
3. Click Add condition and configure the trigger to match the desired audit log type.
4. Associate one or more playbooks to the trigger.

Learn more about taking action with playbooks and actions.