To assess your inventory of systems and take actions on multiple endpoints at once, you can filter endpoints by their attributes.
Note
You need to enter at least four characters of an endpoint's hostname for the search to return valid results.
From the navigation menu, click Endpoints.
Enter attributes in the Endpoint inventory filter bar, and then press Enter or Return.
Supported Filter Attributes
Attribute | Description | Example |
Endpoint | ||
Hostname | Hostnames the endpoint has held over time. |
|
MAC address | MAC addresses the endpoint has used over time. |
|
IP address | IP addresses the endpoint has used over time. |
|
Reporting tag | Current |
|
Operating system | An endpoint's current operating system. |
|
End-of-life operating system | A boolean that indicates whether the endpoint's operating system has reached its end of life. |
|
Endpoint type | The type of endpoint, for example, "workstation" or "server." |
|
Sensor Attributes | ||
Sensor ID | The underlying EDR product's sensor ID. |
|
Sensor version | The underlying EDR product's sensor version, as reported by the sensor. |
|
Sensor health issues | A boolean that indicates whether the sensor is reporting serious health issues that affect performance. |
|
Sensor groups | Organizational or policy groups containing sensors, usually configured in the EDR console. |
|
Monitoring | ||
Monitoring status | An endpoint's monitoring status, for example, "unmonitored." |
|
Enrolled | A boolean that indicates whether a sensor is active on an endpoint. |
|
Isolated | A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product. |
|
First seen time | The time when Red Canary first saw the endpoint via discovery or sensor installation. |
|
Decommissioned time | The time when an endpoint was last decommissioned. |
|
Latest detection time | The last time when Red Canary identified a threat on an endpoint. |
|
Last check-in time | The last time when an endpoint communicated with Red Canary or its EDR platform. |
|
Uncommunicative endpoints | The endpoint hasn’t communicated with Red Canary (Last Check-In Time) for three hours. This filter requires an endpoint to have a sensor installed or it will not be returned in the filter results. |
|
Decommissioned | A boolean that indicates whether an endpoint is currently decommissioned in Red Canary. |
|
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.
Exposing External Service UUID
To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service’s UUID on the /account/external_services/* pages.
Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.
Finally, on the Endpoints page, click into the Search Bar to see the filter attribute used to filter by external service ID.
Exporting Endpoint Details
To export your endpoint inventory, use the Download button. A CSV formatted file will be delivered to your email once the results are available. Endpoint exports have a maximum of 100,000 entries. Additional entries will be truncated.
Note
The filters that are present in the filter bar will be applied to your CSV download.
