Filter Identities

  • Updated on Mar 5, 2025
  • Published on Feb 5, 2024
  • 1 minute(s) read
Prev Next

Identities are the users who operate on endpoints and other systems in your organization. These users can be humans interacting with your systems or the built-in system and service users that are part of every operating system.

To better understand and group your identities, you can filter them by attribute.

  1. From the navigation menu, click Identities.

  2. Enter attributes in the Identities filter bar, and then hit Return or Enter.

Supported filter attributes

Attribute

Description

Example

Username

The identity's username.

username:testy-mcuserton

UID

The identity's unique identifier.

uid:S-1-5-21-1524466345-1983322813-2932557491-500


uid:S-1-5-3

Type

The identity type, for example, "endpoint domain account."

type:endpoint_domain_account


type:endpoint_local_account


type:endpoint_system_account

Logon domain

The logon domain, which is any string in the identity preceded by a double backslash (\\).

logon_domain:acmecorp

Reporting tag

Current "key":"value" reporting tags applied to an identity.

custom_tag:value


"Business Unit":"Headquarters"


"Business Unit":* (any identity with any value of this tag)


"Business Unit":! (any identity without this tag)

Latest detection time

The last time when Red Canary identified a threat associated with an identity.

latest_detection_at:2022-03-02..

A note on dates and times:

Date filters are specified with a from..to syntax where either from or to can be unbounded:

  • 2020-01-01.. filters for matches on or after (>=)the from date

  • ..2020-01-01 filters for matches on or before (<=)the to date

  • 2020-01-01..2020-01-31 filters for matches on or after (>=)the from date and on or before (<=) the to date