Red Canary lists endpoint hostnames in three different places when publishing new threats:
- Threat notification emails
- Threats landing page in Red Canary
- Threat detail pages in Red Canary
When Red Canary discovers and publishes a threat, we want to ensure that we provide you with the most accurate, actionable information. To that end, we always display current hostnames.
A hostname in your environment might change between the time you are first notified of a threat by email and the time you review the threat in Red Canary. When that happens, the hostname shown in Red Canary will differ from the hostname in the notification email.
In Red Canary threat notification emails, you will see a summary headline, such as “[THREAT-123] Malicious Software (Credential Theft) affecting desktop-abc456”. (In this example, the hostname is "desktop-abc456".) Regardless of the hostname in the notification email, the threat detail page in Red Canary will always contain the current hostname of the affected endpoint in your environment.
When the Red Canary platform detects that a hostname has changed, we display an indicator next to the endpoint name in the headline of the threat detail page.
If you want to see past hostnames, follow these steps:
- At the top of a threat detail page, in the Affected Endpoint frame, click the affected endpoint.
- Scroll down to the Network names and addresses section.
- Look at Past Hostnames.