Red Canary collects and records audit logs from certain Endpoint Detection and Response (EDR)/Endpoint Protection Platform (EPP) platforms so you can take advantage of Red Canary’s API and automation features.

VMware Carbon Black Response EDR and CrowdStrike Falcon support EPP/EDR audit log collection.

VMware Carbon Black Response EDR

For VMware Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are analyzed and mapped to the endpoints and users as much as possible.

The action for each audit log will be...

• live_response_command for entries from the Live Response log.
• endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log.

CrowdStrike Falcon

CrowdStrike Falcon processes and maps raw events labeled Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent to endpoints and users in Red Canary.

The action for each audit log is based on the OperationName of the raw CrowdStrike event.