Decommission Endpoints
    • 11 Jul 2024


    You can decommission an endpoint that Red Canary should no longer monitor, such as a system that has been deactivated. This is an important step in maintaining an accurate inventory of which endpoints should be monitored so Red Canary can alert you when a monitored system goes offline unexpectedly.

    When you decommission an endpoint, it will no longer appear in Red Canary reports or lists of "active" endpoints, since an active endpoint is one that is being monitored by Red Canary. All data about the endpoint and the endpoint's threat history is retained. When decommissioning, certain Endpoint Protection Platform (EPP) / Endpoint Detection and Response (EDR) platforms allow sensor uninstallation to be enqueued.

    Note: Endpoints will remain decommissioned until you reinstate them.

    Only users with the Admin role can decommission endpoints.

    You can decommission endpoints and optionally choose to request uninstallation of the EPP/EDR sensor.

    Decommission an endpoint

    1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.

    2. Click Decommission.

    3. For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.

      Note: If you do not choose to uninstall the sensor, the sensor will still report to the EDR platform and will only be decommissioned from Red Canary.

    4. Click Confirm Decommission.

    Decommission multiple endpoints

    1. From Red Canary click Endpoints in the site navigation.

    2. Click the (□) icon on one or more endpoints that you want to decommission.

    3. Click Decommission.

    4. For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.

    5. Click Confirm Decommission.

    Bulk decommission endpoints

    Use filtering on the Red Canary Endpoints page to decommission a large number of endpoints at once.

    Caution: Be very careful when filtering so that you don't inadvertently decommission the wrong endpoints.

    In the following directions, we are going to assume that you have already set up a Playbook to auto-decommission endpoints that have not checked in for 59 days. (This means that every endpoint that has not yet reached the 59-day mark will be auto-decommissioned as soon as it does. Endpoints that have already passed day 59, however, will NOT be auto-decommissioned; those are the endpoints we want to target.)

    Note: Playbooks are not retroactive, and an auto-decommission playbook will not decommission Endpoints that stopped checking in for X number of days prior to the configuration of the Playbook itself.

    For the sake of example, we'll pretend that today is January 1, 2023 (1/1/2023). We’ll also assume that you configured your auto-decommission Playbook today (1/1/2023). This means that all endpoints that hit the 59 day mark today (1/1/23) will not be decommissioned. Only endpoints that hit the 59 day mark going forward will be auto-decommissioned.

    1. From the navigation menu, click Endpoints.

    2. In the Endpoint inventory filter field, clear the “state:enrolled” filter, and then enter the following filter: 

      • last_checkin_time:..2022-11-03 (59 days ago).

        Note: The “..” preceding the date tells Red Canary to look for any endpoint whose “Last Checkin time” was 11/3/22 or before. 

    3. Click the magnifying glass icon to apply the filter. Red Canary will find all the endpoints that match the filter.

    4. Select the Identifier check box.

      Note: This will select only the endpoints on the Endpoints page.


    5. Click Decommission.
      The system will decommission all of the endpoints. The amount of time required to do so will depend on how many endpoints were in your list.
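    The cutoff arithmetic behind the filter used above, as an added Python example (not Red Canary's code). The endpoint inventory is constructed for illustration; the 59-day threshold and the 1/1/2023 reference date are the ones used in the text, and the example also shows which endpoints the non-retroactive Playbook would never reach.

```python
from datetime import date, timedelta

# Constructed example inventory: (hostname, last check-in date). Not real data.
INVENTORY = [
    ("WKS-001", date(2022, 9, 15)),   # silent 108 days on 2023-01-01: manual
    ("WKS-002", date(2022, 11, 3)),   # hits day 59 on 2023-01-01: manual
    ("WKS-003", date(2022, 11, 4)),   # hits day 59 on 2023-01-02: Playbook
    ("SRV-010", date(2022, 12, 30)),  # recently active: Playbook (if ever)
]


def checkin_cutoff(today: date, days: int = 59) -> date:
    """Latest last-check-in date at which an endpoint has been silent for `days`."""
    return today - timedelta(days=days)


def bulk_filter(today: date, days: int = 59) -> str:
    """Build the Endpoints-page filter string.

    The leading '..' means 'on or before this date', so the filter is inclusive
    of the cutoff day itself.
    """
    return f"last_checkin_time:..{checkin_cutoff(today, days).isoformat()}"


def partition(inventory, playbook_configured_on: date, days: int = 59):
    """Split endpoints into those the auto-decommission Playbook will never touch
    (already at day `days` or beyond when it was configured) and those it will
    catch as they cross the threshold later. Playbooks are not retroactive."""
    cutoff = checkin_cutoff(playbook_configured_on, days)
    manual = [host for host, last in inventory if last <= cutoff]
    automatic = [host for host, last in inventory if last > cutoff]
    return manual, automatic


if __name__ == "__main__":
    today = date(2023, 1, 1)
    print("Filter to apply:", bulk_filter(today))
    manual, automatic = partition(INVENTORY, today)
    print("Bulk decommission now:", manual)
    print("Left to the Playbook:", automatic)
```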

    Recommission or reinstate an endpoint

    Recommission an endpoint

    1. From the navigation menu, click Endpoints.

    2. Click on the decommissioned endpoint to select it.

    3. From the top banner, select Reinstate.

    Reinstate using API

    You can also use the Red Canary Reinstate API call to bulk reinstate your endpoints.

    1. Click on your User icon on the top right of your Red Canary dashboard.

    2. Select API.

    3. Scroll down to Endpoints - Operations about Endpoints.

    4. Select POST /openapi/v3/endpoints/reinstate.

    5. Enter the endpoint IDs to reinstate them.

    FAQ

    What if threatening activity is identified on a decommissioned endpoint?

    If the sensor software is still installed and a decommissioned sensor comes back to life, it will resume sending telemetry to Red Canary. In this case, the endpoint would still be monitored for threatening activity.

    What happens to the decommissioned endpoint in Red Canary?

    Decommissioning doesn’t delete the endpoint from Red Canary even if the sensor is uninstalled; the endpoint remains accessible from the Endpoints page. Use the state:decommissioned filter on the Endpoints page to display all decommissioned endpoints.
