Endpoints

Endpoints are the computing devices that are used throughout your organization. Software sensors deployed to those endpoints collect detailed telemetry about what is happening on those systems at the operating system level and transmit it to Red Canary for analysis.

Your endpoints are the most critical assets to protect from adversaries because:

• For most organizations, they are where important data resides or is accessed.

• They are the systems that vulnerable users use every day.

Red Canary’s endpoint page allows you to filter your endpoints by many attributes, including several pre-built filters for common use cases, such as recently enrolled endpoints, isolated endpoints, and endpoints running end-of-life operating systems.

Where do endpoints come from?

Endpoints are identified through several Red Canary processes, and can be:

• Collected from your Endpoint Detection and Response (EDR)/Endpoint Protection Platforms (EPP)

• Discovered in your cloud accounts

• Identified when processing alerts from your security products

When Red Canary has enough information to conclude that endpoint data from multiple sources refers to the same endpoint, it automatically merges all of that information together.

How are endpoints classified?

Endpoints can be classified in several ways:

• Endpoints are enrolled if they have an EDR/EPP sensor installed. 

• Endpoints are protected if: 

  • they have an EDR/EPP sensor installed.

  • the sensor has sent telemetry within three hours of the last checkin time.

  • that sensor is configured to send telemetry to Red Canary (not in any form of safe mode or reduced functionality mode).

  • Red Canary is configured to monitor that endpoint for licensing/usage purposes. Endpoints are decommissioned when you no longer expect to monitor them and you want to remove them from most reports, emails, and other views.

Tags are automatically applied to endpoints

Red Canary automatically applies a number of tags to endpoints as they are created and updated. Learn more about tagging endpoints for context and reporting.

What information is retained about endpoints?

Unlike most security platforms, which simply retain the last hostname or IP address used by an endpoint, Red Canary captures every change to those data points, which is crucial for investigating security incidents.

As of August 12th, 2024, to help maintain a clean and accurate endpoint inventory, Red Canary will automatically remove endpoints from the inventory if they meet each of the following criteria:

• The "Last activity at" time is more than one year ago.

• The "Last check-in" time is more than one year ago.

• The endpoint has zero associated alerts (all time).

• The endpoint has zero associated events or threats (all time).

Endpoints with associated alerts, events, or threats will not be affected, ensuring that data potentially needed for investigations remains available.

When endpoints are discovered, they will be treated as new and subject to the same display policy.

Are endpoints still monitored and protected if they are decommissioned?

Yes. If you decommission an endpoint and it later comes back up, those endpoints are still monitored for threats.

Note: Endpoints will remain decommissioned until you reinstate them.