Skip to main content
Red Canary help

Monitoring Sensor Health and Connection to Red Canary

  • Updated .

Red Canary relies on telemetry data from sensors deployed in your environment. To help you understand the state of that data connection, Red Canary assigns states on other metadata to each endpoint to help you understand how the Endpoint is behaving and how Red Canary is treating that Endpoint. 

Endpoint Labels and Statuses: 

Endpoint States:

These are the states that Red Canary recognizes for your endpoints.

  • Enrolled: Has an EDR/EPP sensor installed and observed by Red Canary at least once. 
  • Unenrolled: Unenrolled indicates that Red Canary has knowledge of an endpoint, but we don't detect that an EDR/EPP sensor is installed.
  • Monitored: Endpoint is enrolled and currently checking in / sending telemetry to the EDR platform. It is possible to be enrolled but not currently monitored, though as soon as the endpoint comes back online it will be enrolled + monitored again.
  • Unmonitored: Telemetry is not making it to Red Canary to be monitored. This may be because the endpoint is powered off, suspended, missing, or the sensor may have been uninstalled. 
  • Protected: 
    • MDR: this endpoint has a sensor installed.
    • CWP: the CWP sensor is collecting telemetry and health data.
  • Unprotected: 
    • MDR: this endpoint does not have a sensor installed. 
    • CWP: the endpoint is on the Free subscription, is offline, or is in safe mode and is not collecting telemetry.
  • Isolated: Isolated Endpoints have been isolated on the network by the underlying EDR product. Red Canary will continue to collect telemetry from Isolated Endpoints.
  • Uncommunicative: Uncommunicative Endpoints haven't checked in recently. (2 hours for servers, 1 week for workstations). These endpoints may still be sending telemetry data.
  • Missing: Red Canary uses health information provided by the EDR sensor to determine if a monitored, and potentially online Endpoint isn't sending telemetry data.  The exact criteria that determines if an Endpoint is "missing" varies between each EDR vendor.
    • Carbon Black Response - Carbon Black Response identifies the endpoint as offline, but has not seen a "shutdown", "suspended," or other explicit state change signal from the sensor.
    • Carbon Black Cloud - Endpoint status is "inactive" or "pending". 
    • Cloud Workload Protection (CWP) - The endpoint has not checked in with Red Canary within the past hour. 
    • Crowdstrike Falcon - Crowdstrike Falcon no longer reports the endpoint as "online". 
    • Endgame - Endpoint status, as reported by Endgame is "unmonitored".
    • Microsoft - Endpoint data is either not being seen or communications are impaired.

Endpoint Metadata:

In addition to specific states of an endpoint, Red Canary collects additional metadata about each endpoint in order to provide improved context and situational awareness.

  • First Seen Time: This is the first time Red Canary learned that an endpoint exists. This can happen through endpoint discovery, sensor enrollment, or when it is identified in an alert via a configured Alert Source. This is the first "Checkin" time for this Endpoint. The First Seen Time timestamp does not reflect the first time that Red Canary received telemetry data from an endpoint.
  • Last Check In Time: This is the last time the endpoint sync last observed the endpoint. Receiving telemetry data from an endpoint does not count as a Check In. 
  • Decommissioned Time: This is the time when an endpoint was Decommissioned in Red Canary. Decommissioned Endpoints are not monitored.
  • Last Detection Time: This is the last time this endpoint was involved in a Red Canary detection. 

Sensor Health Issues: the sensor is reporting health issues which affect performance and may affect telemetry available to Red Canary.

Related articles