Decommission Endpoints

1. View the endpoint using ⌘-K or by clicking Endpoints and filtering for the endpoint’s hostname.

2. Click Decommission. 

3. For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.

   Note: If you do not choose to uninstall the sensor, the sensor will still report to the EDR platform and will only be decommissioned from Red Canary.

4. Click Confirm Decommission.

1. From Red Canary click Endpoints in the site navigation.

2. Click the (□) icon on one or more endpoints that you want to decommission.

3. Click Decommission.

4. For EPP/EDR platforms that support remote sensor uninstallation, choose whether you would like Red Canary to trigger uninstallation when the endpoint next checks in or to leave the sensor. In nearly all circumstances, you should choose to trigger sensor uninstallation.

5. Click Confirm Decommission. 

Use filtering on the Red Canary Endpoints page to bulk decommission a large number of endpoint simultaneously.

Caution: Be very careful when filtering so that you don't inadvertently decommission the wrong endpoints.

In the following directions, we are going to assume that you have already setup a Playbook to auto-decommission endpoints that have not checked in for 59 days. (This means that all endpoints that have yet to hit that 59 day mark will be auto-decommissioned as soon as they hit day 59. However, all the endpoints that have already hit day 59+ will NOT be auto-decommissioned. These are the endpoints that we want to target).

Note: Playbooks are not retroactive, and an auto-decommission playbook will not decommission Endpoints that stopped checking in for X number of days prior to the configuration of the Playbook itself.

For the sake of example, we'll pretend that today is January 1, 2023 (1/1/2023). We’ll also assume that you configured your auto-decommission Playbook today (1/1/2023). This means that all endpoints that hit the 59 day mark today (1/1/23) will not be decommissioned. Only endpoints that hit the 59 day mark going forward will be auto-decommissioned.

1. From the navigation menu, click Endpoints.

2. In the Endpoint inventory filter field, clear the “state:enrolled” filter, and then enter the following filter: 

   • last_checkin_time:..2022-11-03 (59 days ago).

     Note: The “..” preceding the date tells Red Canary to look for any endpoint whose “Last Checkin time” was 11/3/22 or before. 

3. Click the magnifying glass icon to apply the filter. Red Canary will find all the endpoints that match the filter.
   

4. Select the Identifier check box.

   Note: This will select only the endpoints on the Endpoints page.

    

5. Click Decommission.
   
   The system will decommission all of the endpoints. The amount of time required to do so will depend on how many endpoints were in your list.

Recommission an endpoint

1. From the navigation menu, click Endpoints.

2. Click on the decommissioned endpoint to select it.

3. From the top banner select reinstate it.

   

Reinstate using API

You can also use the Red Canary Reinstate API query to bulk reinstate your endpoints. 

1. Click on your User icon on the top right of your Red Canary dashboard.

2. Select API.

3. Scroll down to Endpoints - Operations about Endpoints.

   

4. Select POST /openapi/v3/endpoints/reinstate

   

5. Enter the endpoints IDs to reinstate them.

   

What if threatening activity is identified on a decommissioned endpoint?

If the sensor software is still installed and a decommissioned sensor comes back to life, it will resume sending telemetry to Red Canary. In this case, the endpoint would still be monitored for threatening activity.

What happens to the decommissioned endpoint in Red Canary?

Decommissioning doesn’t delete the endpoint from Red Canary even if the sensor is uninstalled, as the endpoint will still be accessible from the Endpoints page. Use the state:decommissioned filter on the Endpoint page to display all decommissioned endpoints.