Reviewing Your Endpoints
From the main screen of your Red Canary console you are able to see the endpoints monitored graph. This provides an overview of the monitored endpoints over time as well as a quick link to any endpoints that are currently not sending telemetry.
How to check activity for your endpoint
Navigate to the endpoints page from the Red Canary console by clicking the "Endpoints" tab in the left-hand navigation pane.
For each endpoint listed there are three columns that represent different activity types:
First Seen: This is the first time an endpoint has checked in with its current sensor ID. (Note that an endpoint may appear multiple times in cases of multiple installs or if the EDR sensor is changed.)
Last Checkin: This is the time of the last successful API call to the endpoint. This timestamp is from the EDR platform.
Last Activity: This is the last telemetry receipt sync time; this timestamp is from the Red Canary ingestor. The endpoint is protected if the sensor has sent telemetry within three hours of the Last Checkin time. If this value is "Unknown" then the endpoint has never sent telemetry.
It is normal for the Last Activity time to not be current for workstations over the weekends as employees power down their endpoints and no new telemetry is collected. Outside of weekends, if an endpoint or collection of endpoints does not send telemetry for three consecutive days, a telemetry health check ticket is opened automatically with support.
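The timestamp rules above can be applied to an exported endpoint list. The following Python is an added example, not Red Canary code: the record field names, ISO 8601 timestamps and status labels are assumptions, as are the reading of "within three hours" as telemetry no more than three hours older than Last Checkin and of "three consecutive days" as three full weekdays without telemetry.

```python
from datetime import datetime, timedelta

PROTECTED_WINDOW = timedelta(hours=3)  # page: telemetry within three hours of Last Checkin
SILENT_WEEKDAYS = 3                    # page: three consecutive days, weekends excluded

def parse(ts):
    """Parse an ISO 8601 timestamp; the console value "Unknown" becomes None."""
    return None if ts == "Unknown" else datetime.fromisoformat(ts)

def silent_weekdays(activity, now):
    """Count full weekdays (Mon-Fri) between the last-activity day and today (assumed reading)."""
    day, count = activity.date() + timedelta(days=1), 0
    while day < now.date():
        count += day.weekday() < 5  # Monday=0 ... Friday=4
        day += timedelta(days=1)
    return count

def classify(ep, now):
    """Return an assumed status label for one endpoint record."""
    checkin, activity = parse(ep["last_checkin"]), parse(ep["last_activity"])
    if activity is None:
        return "never-sent-telemetry"           # Last Activity is "Unknown"
    if checkin is not None and checkin - activity > PROTECTED_WINDOW:
        return "checking-in-without-telemetry"  # sensor reachable, telemetry lagging
    if silent_weekdays(activity, now) >= SILENT_WEEKDAYS:
        return "silent-3-weekdays"              # review; may be a decommission candidate
    return "protected"

def triage(endpoints, now):
    return {ep["hostname"]: classify(ep, now) for ep in endpoints}

# Constructed sample records (not real console output); naive timestamps in one time zone.
SAMPLE = [
    {"hostname": "ws-01", "last_checkin": "2024-03-14T08:30:00", "last_activity": "2024-03-14T08:10:00"},
    {"hostname": "ws-02", "last_checkin": "2024-03-08T17:05:00", "last_activity": "2024-03-08T17:00:00"},
    {"hostname": "srv-03", "last_checkin": "2024-03-14T08:45:00", "last_activity": "2024-03-13T22:00:00"},
    {"hostname": "ws-04", "last_checkin": "2024-03-14T08:00:00", "last_activity": "Unknown"},
]

if __name__ == "__main__":
    now = datetime(2024, 3, 14, 9, 0)  # a Thursday
    for host, status in triage(SAMPLE, now).items():
        print(f"{host:8} {status}")
```

An endpoint last heard from on a Friday evening is still reported as protected on Monday morning, matching the weekend behaviour described above.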
Identify endpoints that are no longer active
The endpoints monitored graph on the main screen of your Red Canary console includes a quick link to any endpoints that are currently not sending telemetry. These may represent acute issues (such as a sensor version incompatibility due to updates) or they may represent old endpoints that are no longer relevant in your organization (such as workstations belonging to former employees).
You can use filters to understand and review endpoint connections to Red Canary.
How to decommission endpoints that are no longer active
You should decommission an endpoint when you no longer expect to monitor it and you want to remove it from most reports, emails, and other views.
What if I need to reinstate an endpoint after decommissioning?
If you have decommissioned an endpoint by accident or in response to a threat, you can reinstate it by clicking on that endpoint from the endpoints page and then selecting "reinstate" from the banner. Please review Decommissioning Endpoints for more details.
A Note About Uninstalling Sensors
Decommissioning an endpoint in Red Canary will not uninstall the sensor. Please perform uninstalls from your EDR console. Depending on the service, you may also be able to remove endpoints that are no longer in use from your EDR console:
VMware Carbon Black Cloud
Uninstall and Deregister Sensors:
Uninstalling a Linux sensor:
VMware Carbon Black EDR Remove Endpoint: https://help.redcanary.com/hc/en-us/articles/4411631880855-Remove-Endpoint-from-our-VMware-Carbon-Black-EDR-server