Review Endpoint Connections to Red Canary
    • 12 Jul 2024

    Whether you have one endpoint or thousands, monitoring how your endpoints are behaving is an essential part of understanding what is being monitored and protected in your security stack. Red Canary relies on telemetry from sensors installed on your endpoints that then generate information about potentially threatening events and alerts about security activity on those endpoints. These endpoints are assigned different states and metadata that you can use to understand how the endpoint is behaving and how Red Canary is interacting with it.

    View your endpoints' status

    From the navigation menu, click Endpoints to discover information about all of your endpoints that Red Canary has observed. From here, you can review high-level information about how your endpoints are functioning, such as the number of endpoints that have recently been online (within the previous three hours) and the number of endpoints enrolled.

    An endpoint can have one of the following states:

    • Online: The endpoint has checked in within three hours

    • Suspended: The endpoint has not checked in for over three hours

    • Uninstalled: The endpoint’s sensor has been uninstalled

    Scroll to Endpoint Inventory to find a comprehensive list of endpoints with additional information about each endpoint. To ensure that your endpoints are behaving as expected, use the Endpoint inventory filter bar to find endpoints by endpoint state.

    Filter endpoints by monitoring state

    Filter for endpoints in a specific state in the Endpoint Inventory filter bar on the Endpoints page. Click into the filter to find common states and use cases to search by or enter your own.

    Note: Endpoint states are updated the next time Red Canary observes an endpoint. If a sensor stops checking in or has been offline, Red Canary will show the state the endpoint was in three hours before its Last Check-In Time.

    For example, if Red Canary receives telemetry from an endpoint that has been offline for months, it may still show as Monitored if Red Canary received telemetry from the endpoint three hours before its Last Check-In Time.

    Supported filter attributes

    • Hostname: Hostnames the endpoint has held over time.
      Example: admin-pc

    • MAC Address: MAC addresses the endpoint has used over time.
      Example: 00-14-22-01-23-45

    • IP Address: IP addresses the endpoint has used over time.
      Example: 127.0.0.1

    • Reporting Tag: Filter by "key":"value" reporting tags currently applied to an endpoint. Keys or values that include a space must be wrapped in double quotes, e.g. "Business Unit". Click an endpoint's reporting tag to add it to your search.
      Examples: "Business Unit":"Headquarters"
                "Business Unit":* (any endpoint with any value of this tag)
                "Business Unit":! (any endpoint without this tag)

    • Operating System: Filter by the endpoint's current operating system (a system reporting tag) or by whether the operating system has reached end of life.
      Examples: operating_system:"Windows 7"
                end_of_life_operating_system:true

    • Endpoint Type: Filter by endpoint type.
      Examples: endpoint_type:server
                endpoint_type:workstation

    • External Service: Filter by the external service (EDR platform) the endpoint is reported through, using the service's UUID.
      Example: external_service:a64af6aa (the filter help shows the description next to the UUID, here Cb Response / VMware Carbon Black EDR)

    Sensor attributes

    • Sensor ID: The underlying EDR product's sensor ID.
      Example: abcd1234-abcd-1111-2222-4321dcba1234

    • Sensor Version: Filter by the underlying EDR product's sensor version, as reported by the sensor. You can view examples of these by visiting any endpoint page.
      Example: sensor_version:006.002.002.90503

    • Sensor Health Issues: Filter by whether the sensor is reporting serious health issues that affect performance.
      Example: sensor_reporting_health_issues:true

    • Sensor Groups: Organizational or policy groups containing sensors.
      Examples: sensor_group_contains:remediate (group name contains the text)
                sensor_group:exactly-this-name (group name matches exactly)

    Monitoring

    • Monitoring status: Filter by whether the endpoint has sent telemetry recently.
      Examples: monitoring_status:monitored
                monitoring_status:unmonitored

    • Enrolled: Filter by whether the endpoint has a sensor currently installed on it.
      Example: enrolled:true

    • Isolated: Filter by whether the endpoint has been isolated from the network using the underlying EDR product.
      Example: isolated:true

    • First Seen Time: Filter by the time when the endpoint was first seen by Red Canary through sensor installation or discovery.
      Example: first_seen_at:2024-06-03..

    • Decommissioned Time: Filter by the time when the endpoint was last decommissioned in Red Canary.
      Example: decommissioned_at:2024-06-03..

    • Latest Detection Time: Filter by the latest time when Red Canary identified a Threat involving this endpoint.
      Example: latest_detection_at:2024-06-03..

    • Last Check-In Time: Filter by the latest time when the endpoint communicated with Red Canary or its EPP/EDR platform.
      Example: last_checkin_time:2024-06-01..

    • Uncommunicative Endpoints: Filter by endpoints that have not checked in recently.
      Examples: uncommunicative:true
                uncommunicative:false

    A note on dates and times

    Date filters use a from..to syntax where either from or to can be left unbounded:

    • 2020-01-01.. matches on or after (>=) the from date

    • ..2020-01-01 matches on or before (<=) the to date

    • 2020-01-01..2020-01-31 matches on or after (>=) the from date and on or before (<=) the to date

    Dates can be specified as ISO 8601 dates or date-times.

    To filter endpoints by operating system, use the operating_system: field. You may either type a single word after the colon, for example, operating_system:windows, or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive and matches both the specific operating system reported by the endpoint and its canonicalized name.
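    The following Python is an added example, not Red Canary's code: it re-implements the filter grammar documented above over a constructed, hypothetical inventory so you can check how a query will be interpreted (quoted keys, the * and ! tag wildcards, open-ended date ranges, bare hostname/MAC/IP terms) before typing it into the Endpoint Inventory filter bar, or reuse the same terms when post-processing an export. The hosts and timestamps are made up. Several behaviours are assumptions rather than documented facts: terms are combined with AND, a bare date means midnight UTC, a term with no colon matches any hostname, MAC or IP the endpoint has held, and operating_system also matches the first word of the OS name as its canonical family.

```python
"""Evaluate endpoint-inventory filter queries locally (added example, not Red Canary code).

Re-implements the documented query forms (key:value terms, double-quoted keys and
values, the * and ! reporting-tag wildcards, from..to date ranges, bare
hostname/MAC/IP terms) over a constructed inventory. Assumptions, not documented
behaviour: terms are ANDed; a bare date means midnight UTC; a term without a colon
matches any hostname, MAC or IP the endpoint has held; operating_system also
matches the first word of the OS name as its canonical family.
"""
import re
from datetime import datetime, timezone

# Constructed sample inventory: hypothetical hosts, addresses and times.
ENDPOINTS = [
    {"hostnames": ["admin-pc"], "mac_addresses": ["00-14-22-01-23-45"], "ip_addresses": ["10.0.0.15"],
     "operating_system": "Windows 10", "end_of_life_operating_system": False,
     "endpoint_type": "workstation", "monitoring_status": "monitored", "enrolled": True,
     "isolated": False, "uncommunicative": False, "sensor_reporting_health_issues": False,
     "sensor_group": "workstations-default", "first_seen_at": "2024-05-20T10:00:00Z",
     "last_checkin_time": "2024-06-05T08:00:00Z", "reporting_tags": {"Business Unit": "Headquarters"}},
    {"hostnames": ["legacy-srv01", "srv01"], "mac_addresses": ["00-14-22-aa-bb-cc"], "ip_addresses": ["10.0.2.40"],
     "operating_system": "Windows 7", "end_of_life_operating_system": True,
     "endpoint_type": "server", "monitoring_status": "unmonitored", "enrolled": True,
     "isolated": False, "uncommunicative": True, "sensor_reporting_health_issues": True,
     "sensor_group": "servers-remediate", "first_seen_at": "2023-11-02T09:30:00Z",
     "last_checkin_time": "2024-03-01T17:45:00Z", "reporting_tags": {"Business Unit": "Warehouse"}},
    {"hostnames": ["build-agent-3"], "mac_addresses": ["00-14-22-de-ad-01"], "ip_addresses": ["10.0.5.9"],
     "operating_system": "Ubuntu 22.04", "end_of_life_operating_system": False,
     "endpoint_type": "server", "monitoring_status": "monitored", "enrolled": True,
     "isolated": True, "uncommunicative": False, "sensor_reporting_health_issues": False,
     "sensor_group": "ci", "first_seen_at": "2024-06-10T12:00:00Z",
     "last_checkin_time": "2024-06-11T06:15:00Z", "reporting_tags": {}},
]

DATE_FIELDS = {"first_seen_at", "decommissioned_at", "latest_detection_at", "last_checkin_time"}
BOOL_FIELDS = {"end_of_life_operating_system", "sensor_reporting_health_issues",
               "enrolled", "isolated", "uncommunicative"}
# One term is  key:value  or a bare word; either side may be double-quoted.
TERM_RE = re.compile(r'("[^"]*"|[^\s:"]+)(?::("[^"]*"|\S+))?')


def _unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def _ts(s):
    """ISO 8601 date or date-time -> aware UTC datetime (a bare date is midnight UTC)."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _in_range(value, spec):
    """from..to with either side optional; both bounds are inclusive."""
    lo, hi = spec.split("..", 1)
    ts = _ts(value)
    return (not lo or ts >= _ts(lo)) and (not hi or ts <= _ts(hi))


def parse_query(query):
    """Return [(key, raw_value)] pairs; key is None for a bare term."""
    return [(None, _unquote(k)) if not v else (_unquote(k), v)
            for k, v in TERM_RE.findall(query)]


def _match_term(ep, key, raw):
    val = _unquote(raw)
    if key is None:  # bare term: any hostname, MAC or IP the endpoint has held
        held = ep["hostnames"] + ep["mac_addresses"] + ep["ip_addresses"]
        return val.lower() in (h.lower() for h in held)
    if key in DATE_FIELDS:
        return key in ep and _in_range(ep[key], val)
    if key in BOOL_FIELDS:
        return ep.get(key, False) == (val.lower() == "true")
    if key == "operating_system":  # exact name, or the canonical family ("windows")
        os_name = ep["operating_system"].lower()
        return val.lower() in (os_name, os_name.split()[0])
    if key == "sensor_group_contains":
        return val.lower() in ep["sensor_group"].lower()
    if key in ep:  # any other documented attribute: case-insensitive exact match
        return str(ep[key]).lower() == val.lower()
    tags = ep["reporting_tags"]  # anything else is treated as a reporting-tag key
    if raw == "*":
        return key in tags
    if raw == "!":
        return key not in tags
    return tags.get(key) == val


def search(endpoints, query):
    """Hostnames of endpoints matching every term of the query (terms are ANDed)."""
    terms = parse_query(query)
    return [ep["hostnames"][0] for ep in endpoints
            if all(_match_term(ep, k, v) for k, v in terms)]
```

    Calling search(ENDPOINTS, '"Business Unit":!') returns only build-agent-3, the one host with no such tag, and search(ENDPOINTS, 'first_seen_at:2024-01-01..2024-06-01') returns admin-pc, because both bounds are inclusive and the other two hosts were first seen outside the window. Treating an unknown key as a reporting tag is what lets a "key":"value" term and a built-in attribute such as endpoint_type share one syntax.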

    Create Automate triggers using endpoint statuses

    You can use Automate triggers to start playbooks when an endpoint's status changes.

    Endpoint Status Automation Triggers

    1. Select the trigger.

    2. Enter the conditions.

    3. Select the appropriate status(es).

      • An endpoint can have one of the following states:

        • Online: The endpoint has checked in within 3 hours.

        • Suspended: The endpoint has not checked in for over 3 hours.

        • Uninstalled: The endpoint's sensor has been uninstalled.

      • Click Filter endpoints by monitoring state for a more complete list.

    Exposing External Service UUID

    To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service's UUID on the /account/external_services/* pages.

    Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.

    Finally, in the filtering for endpoints help menu, click Learn more about filtering for endpoints. Instead of just presenting the service's UUID, we show a description of the related external service next to each external service filter example.

    Review in-depth information about an endpoint

    To review more information about a specific endpoint, click an identifier in the Endpoint Inventory section.

    This displays the endpoint's detail page, where you can review the endpoint's activity and other important metadata about how the sensor and endpoint are behaving. In addition to the statuses above, Red Canary collects the following metadata to provide an activity history for each endpoint.

    • Discovered by: The EDR provider that is monitoring this endpoint.

    • Discovered at: The first time Red Canary detected the existence of the endpoint. This can happen through endpoint discovery, sensor enrollment, or when the endpoint is identified in an alert via a configured Alert Source.
      Note: This does not reflect the first time that Red Canary received data from the endpoint.

    • Sensor Health Issue?: If true (sensor_reporting_health_issues:true), the sensor on the endpoint is having issues checking in with Red Canary. If false (sensor_reporting_health_issues:false), the sensor on the endpoint is checking in regularly.

    • Last Check-In Time: The last time the endpoint sync observed the endpoint.
      Note: Receiving telemetry from the endpoint does not count as a check-in.

    • Last Activity Time: The last time the endpoint sync received telemetry from the endpoint.
      Note: If you notice a large discrepancy between an endpoint's Last Check-In Time and Last Activity Time, the sensor is likely having an issue sending telemetry.
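    The check a practitioner actually wants from these fields is a sweep over the whole inventory rather than one detail page at a time: derive each endpoint's state from its last check-in, and flag hosts whose check-ins continue while telemetry has stopped. The following Python is an added example, not Red Canary's code, run over a constructed CSV in the shape of the fields above. The column names and CSV layout, the reading of enrolled=false as Uninstalled, and the 24-hour threshold for a "large" check-in/activity discrepancy are assumptions; the three-hour state window and the telemetry-gap heuristic come from the article.

```python
"""Triage endpoint check-in vs. activity times (added example, not Red Canary code).

Applies the documented state rules (Online = checked in within three hours,
Suspended = no check-in for over three hours, Uninstalled = sensor removed) and
the documented heuristic that a large gap between Last Check-In Time and Last
Activity Time means the sensor checks in but is not sending telemetry.
Assumptions: the CSV layout and column names, enrolled=false meaning the sensor
was uninstalled, and the 24-hour threshold for a "large" discrepancy.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

CHECKIN_WINDOW = timedelta(hours=3)    # from the article: Online means checked in within 3h
TELEMETRY_GAP = timedelta(hours=24)    # assumed threshold for a "large discrepancy"

# Constructed inventory export: hypothetical hosts and times.
SAMPLE_CSV = """hostname,enrolled,sensor_reporting_health_issues,last_checkin_time,last_activity_time
admin-pc,true,false,2024-07-12T09:50:00Z,2024-07-12T09:49:30Z
legacy-srv01,true,true,2024-07-11T22:00:00Z,2024-07-11T21:58:00Z
build-agent-3,true,false,2024-07-12T09:55:00Z,2024-07-09T14:00:00Z
retired-lt7,false,false,2024-06-30T08:00:00Z,2024-06-30T07:59:00Z
"""

# Fixed clock so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 7, 12, 10, 0, tzinfo=timezone.utc)


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def endpoint_state(row, now=NOW):
    """Online / Suspended / Uninstalled as the article defines them."""
    if row["enrolled"].strip().lower() != "true":
        return "Uninstalled"
    return "Online" if now - _ts(row["last_checkin_time"]) <= CHECKIN_WINDOW else "Suspended"


def endpoint_issues(row, now=NOW):
    """Human-readable findings for one endpoint; an empty list means nothing to chase."""
    state = endpoint_state(row, now)
    issues = []
    if state == "Suspended":
        issues.append("no check-in for over 3h")
    # Check-ins continue but telemetry stopped: the documented sign of a sensor that
    # cannot send telemetry. Telemetry itself does not count as a check-in.
    gap = _ts(row["last_checkin_time"]) - _ts(row["last_activity_time"])
    if state != "Uninstalled" and gap > TELEMETRY_GAP:
        issues.append(f"checking in but no telemetry for {int(gap.total_seconds() // 3600)}h")
    if row["sensor_reporting_health_issues"].strip().lower() == "true":
        issues.append("sensor reporting health issues")
    return issues


def triage(csv_text, now=NOW):
    """Map hostname -> (state, issues) for every row of the export."""
    return {row["hostname"]: (endpoint_state(row, now), endpoint_issues(row, now))
            for row in csv.DictReader(io.StringIO(csv_text))}


if __name__ == "__main__":
    for host, (state, issues) in triage(SAMPLE_CSV).items():
        print(f"{host:15} {state:12} {'; '.join(issues) or 'ok'}")
```

    In the sample, build-agent-3 is Online yet has sent no telemetry for 67 hours, which is the case the Last Activity Time note describes and the one a pure check-in filter would miss; legacy-srv01 is Suspended and also reporting health issues, matching what uncommunicative:true and sensor_reporting_health_issues:true would surface in the filter bar. Because the portal only updates an endpoint's state when it next observes the endpoint, a state computed locally from the current clock can run ahead of what the Endpoints page displays.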

