Carbon Black EDR keeps an audit trail of user activity. Use the following procedure to view and export this data.


  1. On the navigation bar, click Users and then click Activity Audit.
    The following information is displayed:




    The user name of the user who accessed the console.


    The date and time that the user logged in.

    Remote IP

    The IP address of the computer from which the user logged in.

    Request Information

    The request (POST, GET, DELETE, etc.) being sent to the server.


    The HTTP response code when the user accesses a resource. For example, a successful authentication shows an HTTP 200 code response. A request to access a resource to which the user does not have permission usually results in redirection to the HUD page or displays an HTTP 403 code.


    The HTTP response description. For example, an HTTP 200 response shows OK, while an HTTP 403 response shows a Requires Authentication response.

  2. Click Export to CSV to export the activity results in a CSV format with the filename UserActivity.csv .
    Note: If you have access to the Carbon Black EDR server, you can directly view the log for user activity in the following file: /var/log/cb/coreservices/debug.log.