Filter Endpoints
    • 25 Sep 2024

    To assess your inventory of systems and take actions on multiple endpoints at once, you can filter endpoints by their attributes.

    Note: The Endpoints page needs at least four characters of an endpoint's hostname for a hostname search to return valid results.

    1. From the navigation menu, click Endpoints.

    2. Enter attributes in the Endpoint inventory filter bar, and then press Enter or Return.

    Supported filter attributes

    Endpoint

    | Attribute | Description | Example |
    | --- | --- | --- |
    | Hostname | Hostnames the endpoint has held over time. | admin-pc |
    | MAC address | MAC addresses the endpoint has used over time. | 00-14-22-01-23-45 |
    | IP address | IP addresses the endpoint has used over time. | 127.0.0.1 |
    | Reporting tag | Current "key":"value" reporting tags applied to an endpoint. | "Business Unit":"Headquarters"; "Business Unit":* (any endpoint with any value of this tag); "Business Unit":! (any endpoint without this tag) |
    | Operating system | An endpoint's current operating system. | operating_system:"Windows 7" |
    | End-of-life operating system | A boolean that indicates whether the endpoint's operating system has reached its end of life. | end_of_life_operating_system:true; end_of_life_operating_system:false |
    | Endpoint type | The type of endpoint, for example "workstation" or "server". | endpoint_type:server; endpoint_type:workstation |

    Sensor Attributes

    | Attribute | Description | Example |
    | --- | --- | --- |
    | Sensor ID | The underlying EDR product's sensor ID. | abcd1234-abcd-1111-2222-4321dcba1234 |
    | Sensor version | The underlying EDR product's sensor version, as reported by the sensor. | sensor_version:006.002.002.90503 |
    | Sensor health issues | A boolean that indicates whether the sensor is reporting serious health issues that affect performance. | sensor_reporting_health_issues:true |
    | Sensor groups | Organizational or policy groups containing sensors, usually configured in the EDR console. | sensor_group_contains:remediate; sensor_group:exactly-this-name |

    Monitoring

    | Attribute | Description | Example |
    | --- | --- | --- |
    | Monitoring status | An endpoint's monitoring status, for example "unmonitored". | monitoring_status:monitored; monitoring_status:unmonitored |
    | Enrolled | A boolean that indicates whether a sensor is active on an endpoint. | enrolled:true; enrolled:false |
    | Isolated | A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product. | isolated:true; isolated:false |
    | First seen time | The time when Red Canary first saw the endpoint, via discovery or sensor installation. | first_seen_at:2022-02-01.. |
    | Decommissioned time | The time when an endpoint was last decommissioned. | decommissioned_at:2022-02-01.. |
    | Latest detection time | The last time Red Canary identified a threat on an endpoint. | latest_detection_at:2022-02-01.. |
    | Last check-in time | The last time an endpoint communicated with Red Canary or its EDR platform. | last_checkin_time:2022-02-01.. |
    | Uncommunicative endpoints | The endpoint has not communicated with Red Canary (see Last check-in time) for three hours. An endpoint must have a sensor installed to be returned by this filter. | uncommunicative:true; uncommunicative:false |
    | Decommissioned | A boolean that indicates whether an endpoint is currently decommissioned in Red Canary. | decommissioned:true; decommissioned:false |

    Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. Omit either from or to to filter for an unbounded range.

    To filter endpoints by operating system, use the operating_system: field. You may type either a single word after the colon, for example operating_system:windows, or multiple words surrounded by double quotes, for example operating_system:"Windows 10". This field is not case-sensitive, and it matches both specific endpoint operating systems and their canonicalized names.
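    As an added example (not Red Canary's code), here is a small Python evaluator for the filter syntax described above, run over a constructed three-endpoint inventory. It implements the tag forms ("key":"value", "key":*, "key":!), true/false booleans, from..to date ranges with an open side, and the four-character hostname minimum; the case-insensitive substring match for text fields and date-only (no date-time) ranges are simplifying assumptions.

```python
import re
from datetime import date

# Constructed sample inventory (not real data), shaped after the attribute table above.
ENDPOINTS = [
    {"hostname": "admin-pc", "operating_system": "Windows 7", "endpoint_type": "workstation",
     "end_of_life_operating_system": True, "first_seen_at": date(2021, 6, 1),
     "tags": {"Business Unit": "Headquarters"}},
    {"hostname": "web-01", "operating_system": "Ubuntu 22.04", "endpoint_type": "server",
     "end_of_life_operating_system": False, "first_seen_at": date(2022, 3, 15), "tags": {}},
    {"hostname": "finance-laptop", "operating_system": "Windows 10", "endpoint_type": "workstation",
     "end_of_life_operating_system": False, "first_seen_at": date(2023, 1, 2),
     "tags": {"Business Unit": "Finance"}},
]

# One term is field:value; a quoted field is a reporting-tag key, a quoted value may contain spaces.
TERM = r'(?:"([^"]+)"|(\w+)):(?:"([^"]+)"|(\S+))'

def parse_term(term):
    m = re.fullmatch(TERM, term.strip())
    if not m:
        raise ValueError(f"malformed filter term: {term!r}")
    field = m.group(1) or m.group(2)
    value = m.group(3) or m.group(4)
    return field, value, m.group(1) is not None   # third item: is this a tag filter?

def matches(ep, term):
    field, value, is_tag = parse_term(term)
    if is_tag:                                    # "key":value, "key":* (any value), "key":! (no tag)
        if value == "*":
            return field in ep["tags"]
        if value == "!":
            return field not in ep["tags"]
        return ep["tags"].get(field) == value
    if ".." in value:                             # from..to; an empty side is unbounded
        lo, hi = value.split("..", 1)
        return ((not lo or ep[field] >= date.fromisoformat(lo))
                and (not hi or ep[field] <= date.fromisoformat(hi)))
    if field == "hostname" and len(value) < 4:    # the page's four-character minimum for hostnames
        return False
    actual = ep[field]
    if isinstance(actual, bool):                  # boolean attributes take true/false
        return actual == (value.lower() == "true")
    return value.lower() in str(actual).lower()   # assumed: case-insensitive substring match

def filter_endpoints(query, endpoints=ENDPOINTS):
    """Return hostnames matching every term in a space-separated filter query."""
    terms = re.findall(r'(?:"[^"]+"|\w+):(?:"[^"]+"|\S+)', query)
    return [ep["hostname"] for ep in endpoints if all(matches(ep, t) for t in terms)]
```

    Combining several terms in one query narrows the result set, which is the pattern used to pick out, for example, end-of-life workstations before acting on them in bulk.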

    Exposing External Service UUID

    To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service's UUID on the /account/external_services/* pages.

    Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.

    [Screenshot: endpoint source]

    Finally, in the filtering for endpoints help menu, click Learn more about filtering for endpoints. Instead of just presenting the service's UUID, we show a description of the related external service next to each external service filter example.

    [Screenshot: filter for endpoint]