Carbon Black EDR keeps an audit trail of user activity. Use the following procedure to view and export this data.
Procedure
- On the navigation bar, click Users, click Teams, and then click Activity Audit.
The following information is displayed:
Field
Description
Username
The user name of the user who accessed the console.
Timestamp
The date and time that the user logged in.
Remote IP
The IP address of the computer from which the user logged in.
Request Information
The request (POST, GET, DELETE, etc.) being sent to the server.
Result
The HTTP response code when the user accesses a resource. For example, a successful authentication shows an HTTP 200 code response. A request to access a resource to which the user does not have permission usually results in redirection to the HUD page or displays an HTTP 403 code.
Description
The HTTP response description. For example, an HTTP 200 response shows OK, while an HTTP 403 response shows a Requires Authentication response.
- Click Export to CSV to export the activity results in a CSV format with the filename UserActivity.csv .
Note: If you have access to the Carbon Black EDR server, you can directly view the log for user activity in the following file: /var/log/cb/coreservices/debug.log.