Skip to main content
Red Canary help

Review endpoint connections to Red Canary

  • Updated .

Whether you have one endpoint or thousands, monitoring how your endpoints are behaving is an essential part of understanding what is being monitored and protected in your security stack. Red Canary relies on telemetry from sensors installed on your endpoints that then generate information about potentially threatening events and alerts about security activity on those endpoints. These endpoints are assigned different states and metadata that you can use to understand how the endpoint is behaving and how Red Canary is interacting with it.

View your endpoints' status

Click Endpoints in Red Canary to find information about all your endpoints that Red Canary has observed. From here, you can assess high-level information how your endpoints are behaving, such as the number of endpoints that have been recently online (within the last three hours) and the number of endpoints enrolled.

Scroll to Endpoint Inventory to find a comprehensive list of endpoints with additional information about each endpoint. To ensure that your endpoints are behaving as expected, use the Endpoint Inventory filter bar to find endpoints by endpoint state.

EndpointStatus2.png

Filter endpoints by monitoring state

Filter for endpoints in a specific state in the Endpoint Inventory filter bar on the Endpoints page. Click into the filter to find common states and use cases to search by or enter your own.

Note: Endpoint states are updated the next time relative to the last time an endpoint is observed by Red Canary. If a sensor stops checking in or has been offline, Red Canary will show the state the endpoint was in three hours before its Last Check In Time. For example, if Red Canary has received telemetry from an endpoint that has been offline for months, it could still show as Monitored as long as Red Canary has received telemetry from the endpoint three hours prior to its Last Check In Time.

State Definition Filter Example
Monitored The endpoint is enrolled and turned on, and Red Canary expects to receive telemetry from this endpoint. monitoring_status:monitored
Unmonitored

The endpoint isn’t sending telemetry to or being monitored by Red Canary. This could be because the endpoint is turned off, suspended, missing, or uninstalled.

monitoring_status:unmonitored
Enrolled

The sensor is installed on the endpoint and has been observed at least once by Red Canary.

enrolled:true
Enrolled without Sensor

The sensor isn’t installed on the endpoint, but the endpoint has been observed at least once by Red Canary.

enrolled_without_sensor:true
Online

The endpoint has been online in the last three hours.

state:online
Missing

Depending on your EDR vendor, the endpoint may be:

  • Carbon Black Response: offline but not considered shutdown or suspended
  • Carbon Black Cloud: inactive or pending
  • MDR for Infrastructure: not checking in with Red Canary within the past hour
  • CrowdStrike Falcon: offline
  • Endgame: unmonitored
  • Microsoft: unable to send data

state:missing
Isolated

The endpoint is isolated on the network as a response to a threat.

isolated:true
Decommissioned

The endpoint is decommissioned and no longer monitored by Red Canary.

state:decommissioned
Decommissioned Time

This is the time the endpoint was decommissioned and no longer monitored by Red Canary.

decommissioned_at:YYYY-MM-DD..
Latest Detection Time

This is the latest time the endpoint was involved in a potentially threatening event.

latest_detection_at:YYYY-MM-DD..
Last Check-In Time

This is the last time the endpoint sync observed the endpoint. 

Note: Receiving telemetry from the endpoint doesn’t count as a check in.

last_checkin_time:YYYY=MM-DD..
Uncommunicative

The endpoint hasn’t communicated with Red Canary (Last Check-In Time) for either two hours for servers or one week for workstations.

uncommunicative:server

uncommunicative:workstation

 

Review in-depth information about an endpoint

To review more information about a specific endpoint, click an Identifier in the Endpoints Inventory section. 

EndpointStatus3.png

This displays the endpoint’s detail page where you can review the endpoint’s activity and other important metadata about how a sensor and endpoint are behaving. In addition to various statuses, Red Canary collects metadata to provide activity history of an endpoint.

Endpoints2.png

Field Definition
Discovered by

The EDR provider that is monitoring this endpoint.
Discovered at

This is the first time Red Canary learned that the endpoint exists. This can happen through endpoint discovery, sensor enrollment, or when identified in an alert via a configured Alert Source.  

Note: This doesn’t reflect the first time that Red Canary received data from the endpoint.
Sensor Health Issue?

If true (sensor_reporting_health_issues:true), the sensor on the endpoint is having issues checking in with Red Canary.


If false (sensor_reporting_health_issues:false), the sensor on the endpoint is checking in regularly.
Last Check-In Time

This is the last time the endpoint sync observed the endpoint. 

Note: Receiving telemetry from the endpoint doesn’t count as a check in.
Last Activity Time

This is the last time the endpoint sync received telemetry from the endpoint.

Note: If you notice a large discrepancy between your endpoint’s Last Check-In Time and Last Activity Time, the sensor is likely having an issue sending telemetry.

Comments

0 comments

Please sign in to leave a comment.