You can filter your audit logs by attribute, and then download a CSV of the results.

1. Click your user icon at the top right of your Red Canary, and then click Audit Logs.
2. Enter attributes in the Audit Log filter bar, and then press Return or Enter.
3. Click ICON_DOWNLOAD to download a CSV of your endpoint usage. 

Supported filter attributes

Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.

Supported action types

• "Allowed Email Domains Changed"
• "Authentication Token Reset" 
• "Authentication Token Used" 
• "Automate Action Executed" 
• "Automate Playbook Executed" 
• "Automate Respond Executed" 
• "Automate Respond Trigger Matched" 
• "Automate Respond Trigger Rejected" 
• "Automate Scheduling Action Execution" 
• "Automate Scheduling Action Execution For Successful Playbook" 
• "Automate Scheduling Playbook Execution" 
• "Automate Trigger Executed" 
• "Canary Exporter Keys Generated" 
• "Email Prepared" 
• "Email Sent" 
• "Endpoint Deisolated" 
• "Endpoint Isolated" 
• "Endpoint Isolation Status Changed" 
• "External Alert Confirmed Threatening" 
• "External Alert Dismissed As Not Threat" 
• "External Alert Source Sync Succeeded" 
• "Forced Sign Out" 
• "Hash Banned" 
• "Integration Successfully Triggered" 
• "Integration Unsuccessfully Triggered" 
• "Live Response Command" 
• "Live Response Isolation" 
• "Login Failure" 
• "Login Successful" 
• "Multi Factor Auth Disabled" 
• "Multi Factor Auth Enabled" 
• "Password Reset" 
• "Send Webhook" 
• "Send Webhook Failure" 
• "SMS Message Status Changed" 
• "Sso Login Failure" 
• "Sso Login Successful" 
• "User Added" 
• "User Destroyed" 
• "User Invitation Accepted" 
• "User Invitation Sent" 
• "User Removed" 
• "User Role Added" 
• "User Role Removed"