Filter and find specific threats in Red Canary.
To group and understand your threats, you can filter them by attribute.
From the navigation menu, click Threats.
Enter attributes in the Threats filter bar, and then press Enter.
Threat table attributes
Key | Attribute | Description | Example |
1 | Severity | The severity of the threat. Separate multiple values with a vertical bar (|). | severity:high severity:high|medium |
2 | Threat | This is the unique threat ID. |
|
3 | Classification | Strings indicating the classification and sub-classification of a threat. Separate multiple values with a vertical bar (|). | classification:"Malicious Software" classification:"Worm"|"Process" |
4 | Endpoint | The hostname of the endpoint associated with the threat. | hostname |
5 | Identity | The username of the user associated with the threat. | Username |
6 | Acknowledged at | The date and time the threat was last acknowledged. | acknowledged_at:2022-02-02.. |
7 | Acknowledged by | The email of the user who acknowledged the threat. | acknowledged_by:johndoe@acme.com |
8 | Published at | The publishing date and time. | published_at:2022-02-02.. |
9 | State | The state of the threat. Valid options are new, acknowledged, remediated, and not_remediated. Separate multiple values with a vertical bar (|). | state:new state:new|acknowledged state:remediated|not_remediated |
10 | Last Seen | Filter by the date and time that associated activity was last observed. | last_seen:2022-02-02.. |
A note on dates and times:
Date filters are specified with a from..to syntax where either from or to can be unbounded:
2020-01-01.. filters for matches on or after (>=) the from date
..2020-01-01 filters for matches on or before (<=) the to date
2020-01-01..2020-01-31 filters for matches on or after (>=) the from date and on or before (<=) the to date
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.