This article provides a quick reference to filtering your detection analytics.
To group and understand your detection analytics, you can filter them by attribute.
From the navigation menu, click the Analytics dropdown.
Enter attributes in the Detection Analytics filter bar, and then press Return or Enter.
Supported filter attributes
Attribute | Description | Example |
Name | The detection analytic's name. |
|
Description | A string contained in the detection analytic's description. |
|
Detection Type | The primary type of detection to identify behavior. |
|
Source | Filter by the source of the detection analytic. |
|
Attack Technique | A MITRE ATT&CK® technique number that the detection analytic identifies. |
|
Associated Indicators | An atomic indicator that the detection analytic identifies. Examples include application publisher names and binary hashes. |
|
First Detection Time | The first time Red Canary identified a threat in your environment using the detection analytic. |
|
Latest Detection Time | The latest time Red Canary identified a threat in your environment using the detection analytic. |
|
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.