Decommissioning an endpoint is most often performed when a system has been removed from duty and should no longer be monitored by Red Canary. This is an important process in maintaining an accurate inventory of which endpoints should be monitored, so we can alert you when a monitored system goes offline unexpectedly.
Select Record > Endpoints and find the endpoint(s) that you wish to decommission. If you know the hostname, use go to endpoint to jump to the endpoint.
Click the Decommission icon.
For Cb Response endpoints, choose whether you would like Red Canary to trigger a remote uninstallation of the Cb Response sensor when the endpoint next checks in. This is the appropriate choice in nearly all cases.
For CrowdStrike Falcon endpoints, sensor uninstallation must be performed using your enterprise software management tools.
Once an endpoint has been decommissioned:
- It will no longer appear in most lists of "active" endpoints in Red Canary
- All data about the endpoint and the endpoint's detection history is retained
- You can reinstate any decommissioned endpoint by selecting reinstate while viewing the endpoint
- Decommissioned endpoints are shown in the Recently Decommissioned Endpoints Insight