Red Canary collects and records audit logs from certain EPP/EDR platforms so you can take advantage of Red Canary’s API and automation features.

EPP/EDR audit log collection is supported by VMware Carbon Black Response EDR and CrowdStrike Falcon.

VMware Carbon Black Response EDR

For VMware Carbon Black Response EDR deployments hosted by Red Canary, the contents of the Live Response log and Endpoint Isolation log are processed and mapped to the endpoints and users in Red Canary as well as possible.

The action for each audit log will be:

• live_response_command for entries from the Live Response log.
• endpoint_isolated and endpoint_deisolated for entries from the Endpoint Isolation log.

CrowdStrike Falcon

For CrowdStrike Falcon, the raw events named Event_UserActivityAuditEvent and Event_AuthActivityAuditEvent are processed and mapped to the endpoints and users in Red Canary. 

The action for each audit log is based on the OperationName of the raw CrowdStrike event.