Many Red Canary users use Endpoint Tags to group endpoints and attach attributes to them. Common use cases we've seen include:

  • Tagging endpoints by geography or business unit/function
  • Denoting specific endpoints as "high risk"
  • Tagging endpoint types that have specific response playbooks such as critical infrastructure, domain controllers, etc.

Alerting integrations can now route detection alerts to a specific integration based on those Endpoint Tags. When creating or modifying any Integration, select specific integrations and choose Filter by endpoint tag.

Note that endpoint tags are automatically created and synchronized from our underlying EDR platforms, so if you used Carbon Black's Sensor Groups or CrowdStrike's Deployment Groups, they are automatically synced over for you.
