EDR: What Type of Audit Logging is Supported?

Article ID: 291587

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

What type of audit logging is supported on EDR?

Environment

  • EDR (formerly CB Response): 6.x and Higher

Resolution

  • Only the output of "audit.log.useractivity" is supported at this time.
  • By default, only user logins and logouts are tracked.
  • To enable user API tracking, which can indicate actions taken within the EDR UI:
  1. On the master server, edit /etc/cb/cb.conf
  2. Add or modify:
     EnableExtendedApiAuditLogging=true
  3. Restart services
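
An added example (not from the original article or from Carbon Black): a POSIX shell helper that applies the "add or modify" step idempotently and reads back the effective value before services are restarted. It assumes cb.conf holds plain KEY=value lines with # comments; the function names set_conf_key and get_conf_key are hypothetical.

```shell
#!/bin/sh
# Added example, not vendor code. Assumes KEY=value lines and "#" comments.

# set_conf_key FILE KEY VALUE
# Rewrites the first uncommented KEY=... line to KEY=VALUE, drops later
# duplicates, and appends KEY=VALUE when no uncommented line exists.
set_conf_key() (
    file=$1 key=$2 value=$3
    cp -p "$file" "$file.bak" || exit 1        # rollback copy of the previous state
    tmp=$(mktemp "$file.XXXXXX") || exit 1
    awk -v k="$key" -v v="$value" '
        $0 ~ "^[ \t]*" k "[ \t]*=" {           # uncommented assignment of KEY
            if (!done) { print k "=" v; done = 1 }
            next                               # skip duplicate assignments
        }
        { print }                              # everything else, comments included
        END { if (!done) print k "=" v }       # key was absent: append it
    ' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
    cat "$tmp" > "$file"                       # overwrite in place: keeps owner and mode
    rc=$?
    rm -f "$tmp"
    exit "$rc"
)

# get_conf_key FILE KEY
# Prints the value of the last uncommented KEY assignment, or nothing if unset.
get_conf_key() {
    awk -F= -v k="$2" '
        { name = $1; gsub(/[ \t]/, "", name) }
        name == k { val = substr($0, index($0, "=") + 1); gsub(/[ \t\r]/, "", val) }
        END { print val }
    ' "$1"
}

# Usage on the master server (path and key are the ones given in the article):
#   set_conf_key /etc/cb/cb.conf EnableExtendedApiAuditLogging true
#   get_conf_key /etc/cb/cb.conf EnableExtendedApiAuditLogging
```

A commented-out line such as #EnableExtendedApiAuditLogging=false is left in place and does not count as set, so get_conf_key reports only what the server will actually read.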

Additional Information

  • Hosted EDR customers should open a Carbon Black support case to enable "EnableExtendedApiAuditLogging".
  • Additional audit logs are planned for future releases, including:
    • audit.log.liveresponse
    • audit.log.isolation
    • audit.log.banning