Filter Identities

Updated on 20 Mar 2024
1 Minute to read

Article summary

Did you find this summary helpful?

Thank you for your feedback

Identities are the users who operate on endpoints and other systems in your organization. These users can be humans interacting with your systems or the built-in system and service users that are part of every operating system.

To better understand and group your identities, you can filter them by attribute.

From the navigation menu, click Identities.
Enter attributes in the Identities filter bar, and then hit Return or Enter.

Supported filter attributes

Attribute	Description	Example
Username	The identity's username.	`username:testy-mcuserton`
UID	The identity's unique identifier.	`uid:S-1-5-21-1524466345-1983322813-2932557491-500` `uid:S-1-5-3`
Type	The identity type, for example, "endpoint domain account."	`type:endpoint_domain_account` `type:endpoint_local_account` `type:endpoint_system_account`
Logon domain	The logon domain, which is any string in the identity preceded by a double backslash (`\\`).	`logon_domain:acmecorp`
Reporting tag	Current `"key":"value"` reporting tags applied to an identity.	`custom_tag:value` `"Business Unit":"Headquarters"` `"Business Unit":*` (any identity with any value of this tag) `"Business Unit":!` (any identity without this tag)
Latest detection time	The last time when Red Canary identified a threat associated with an identity.	`latest_detection_at:2022-03-02..`

A note on dates and times:

Date filters are specified with a from..to syntax where either from or to can be unbounded:

2020-01-01.. filters for matches on or after (>=)the from date
..2020-01-01 filters for matches on or before (<=)the to date
2020-01-01..2020-01-31 filters for matches on or after (>=)the from date and on or before (<=) the to date

Was this article helpful?

What's Next

Reports

Table of contents

Supported filter attributes