Whether you have one endpoint or thousands, monitoring how your endpoints are behaving is an essential part of understanding what is being monitored and protected in your security stack. Red Canary relies on telemetry from sensors installed on your endpoints that then generate information about potentially threatening events and alerts about security activity on those endpoints. These endpoints are assigned different states and metadata that you can use to understand how the endpoint is behaving and how Red Canary is interacting with it.
View your endpoints' status
From the navigation menu, click Endpoints to discover information about all of your endpoints that Red Canary has observed. From here, you can review high-level information about how your endpoints are functioning, such as the number of endpoints that have recently been online (within the previous three hours) and the number of endpoints enrolled.
Scroll to Endpoint Inventory to find a comprehensive list of endpoints with additional information about each endpoint. To ensure that your endpoints are behaving as expected, use the Endpoint inventory filter bar to find endpoints by endpoint state.
Filter endpoints by monitoring state
Filter for endpoints in a specific state in the Endpoint Inventory filter bar on the Endpoints page. Click into the filter to find common states and use cases to search by or enter your own.
Note: Endpoint states are updated the next time Red Canary observes an endpoint. If a sensor stops checking in or has been offline, Red Canary shows the state the endpoint was in three hours before its Last Check-In Time.
For example, if Red Canary receives telemetry from an endpoint that has been offline for months, it may still show as Monitored if Red Canary received telemetry from the endpoint three hours before its Last Check-In Time.
| State | Definition | Filter Example |
| --- | --- | --- |
| Monitored | The endpoint is enrolled and turned on, and Red Canary expects to receive telemetry from this endpoint. | monitoring_status:monitored |
| Unmonitored | The endpoint isn't sending telemetry to or being monitored by Red Canary. This could be because the endpoint is turned off, suspended, missing, or uninstalled. | |
| Enrolled | The sensor is installed on the endpoint and has been observed at least once by Red Canary. | |
| Enrolled without Sensor | The sensor isn't installed on the endpoint, but the endpoint has been observed at least once by Red Canary. | |
| Online | The endpoint has been online in the last three hours. | |
| Missing | Depending on your EDR vendor, the endpoint may be: | |
| Isolated | The endpoint is isolated on the network as a response to a threat. | |
| Decommissioned | The endpoint is decommissioned and no longer monitored by Red Canary. | |
| Decommissioned Time | The time the endpoint was decommissioned and stopped being monitored by Red Canary. | |
| Latest Detection Time | The latest time the endpoint was involved in a potentially threatening event. | |
| Last Check-In Time | The last time the endpoint sync observed the endpoint. Note: Receiving telemetry from the endpoint doesn't count as a check-in. | |
| Uncommunicative | The endpoint hasn't communicated with Red Canary (Last Check-In Time) for two hours (servers) or one week (workstations). | |
Supported filter attributes
| Attribute | Description | Example |
| --- | --- | --- |
| Hostname | Hostnames the endpoint has held over time. | |
| MAC address | MAC addresses the endpoint has used over time. | |
| IP address | IP addresses the endpoint has used over time. | |
| Reporting tag | Current "key":"value" reporting tags applied to an endpoint. | |
| Operating system | An endpoint's current operating system. | |
| End-of-life operating system | A boolean that indicates whether the endpoint's operating system has reached its end of life. | end_of_life_operating_system:true |
| Endpoint type | The type of endpoint, for example, "workstation" or "server." | |
| Sensor ID | The underlying EDR product's sensor ID. | abcd1234-abcd-1111-2222-4321dcba1234 |
| Sensor version | The underlying EDR product's sensor version, as reported by the sensor. | |
| Sensor health issues | A boolean that indicates whether the sensor is reporting serious health issues that affect performance. | |
| Monitoring status | An endpoint's monitoring status, for example, "unmonitored." | |
| Enrolled | A boolean that indicates whether a sensor is active on an endpoint. | |
| Isolated | A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product. | |
| First seen time | The time when Red Canary first saw the endpoint via discovery or sensor installation. | first_seen_at:2022-02-01.. |
| Decommissioned time | The time when an endpoint was last decommissioned. | decommissioned_at:2022-02-01.. |
| Latest detection time | The last time when Red Canary identified a threat on an endpoint. | latest_detection_at:2022-02-01.. |
| Last check-in time | The last time when an endpoint communicated with Red Canary or its EDR platform. | last_checkin_time:2022-02-01.. |
| Uncommunicative endpoints | The endpoint hasn't communicated with Red Canary (Last Check-In Time) for two hours (servers) or one week (workstations). | |
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
To filter endpoints by operating system, use the operating_system: field. You may either type a single word after the colon, for example, operating_system:windows, or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive and matches both specific endpoint operating systems and their canonicalized names.
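The filter grammar described above (field:value, field:"quoted value", field:from..to with an open side) evaluated against a local inventory, as an added example rather than Red Canary's own code. The sample records are constructed, and the rule that a canonicalized OS name is the first word of the OS string is an assumption.

```python
"""Evaluate endpoint filter expressions over a local inventory.

Added example, not Red Canary's code: it models the page's grammar
(field:value, field:"quoted value", field:from..to date ranges) against
constructed records so the matching rules can be exercised offline.
"""
import shlex
from datetime import datetime

# Constructed sample inventory; keys mirror the page's filter attribute names.
INVENTORY = [
    {"hostname": "web-01", "operating_system": "Windows Server 2019",
     "monitoring_status": "monitored", "end_of_life_operating_system": False,
     "first_seen_at": "2022-01-15T09:00:00Z", "last_checkin_time": "2022-03-01T10:00:00Z"},
    {"hostname": "lt-alice", "operating_system": "Windows 10",
     "monitoring_status": "unmonitored", "end_of_life_operating_system": False,
     "first_seen_at": "2022-02-10T12:30:00Z", "last_checkin_time": "2022-02-20T08:00:00Z"},
    {"hostname": "legacy-db", "operating_system": "Windows Server 2008 R2",
     "monitoring_status": "monitored", "end_of_life_operating_system": True,
     "first_seen_at": "2021-11-03T00:00:00Z", "last_checkin_time": "2022-02-01T00:00:00Z"},
]
DATE_FIELDS = {"first_seen_at", "decommissioned_at", "latest_detection_at", "last_checkin_time"}

def parse_time(text):
    """ISO 8601 date or date-time, treated as UTC; an empty bound means unbounded."""
    return datetime.fromisoformat(text.replace("Z", "")) if text else None

def matches(record, term):
    field, sep, value = term.partition(":")
    if not sep or not field:
        raise ValueError(f"expected field:value, got {term!r}")
    actual = record.get(field)
    if field in DATE_FIELDS and ".." in value:
        # from..to range; either side may be omitted for an open-ended filter
        lo, hi = (parse_time(p) for p in value.split("..", 1))
        when = parse_time(actual) if actual else None
        return when is not None and (lo is None or when >= lo) and (hi is None or when <= hi)
    if field == "operating_system":
        # Case-insensitive; also matches a canonical family name, assumed here to be
        # the first word of the OS string (e.g. "windows" for "Windows Server 2019").
        os_name = str(actual).lower()
        return value.lower() in (os_name, os_name.split()[0])
    return str(actual).lower() == value.lower()  # booleans compare as "true"/"false"

def filter_endpoints(expression, inventory=INVENTORY):
    """Return hostnames matching every space-separated term (terms are ANDed)."""
    return [r["hostname"] for r in inventory
            if all(matches(r, t) for t in shlex.split(expression))]
```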
Exposing External Service UUID
To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service's UUID on the /account/external_services/* pages.
Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.
Finally, in the help menu for filtering endpoints, click Learn more about filtering for endpoints. Next to each external service filter example, we show a description of the corresponding external service rather than just the service's UUID.
Review in-depth information about an endpoint
To review more information about a specific endpoint, click an Identifier in the Endpoint Inventory section.
This displays the endpoint's detail page, where you can review the endpoint's activity and other important metadata about how the sensor and endpoint are behaving. In addition to the various statuses, Red Canary collects metadata that provides an activity history for the endpoint.
| Field | Definition |
| --- | --- |
| Discovered by | The EDR provider that is monitoring this endpoint. |
| Discovered at | The first time Red Canary detected the existence of the endpoint. This can happen through endpoint discovery, sensor enrollment, or when the endpoint is identified in an alert via a configured Alert Source. Note: This doesn't reflect the first time that Red Canary received data from the endpoint. |
| Sensor Health Issue? | If true ( If false ( |
| Last Check-In Time | The last time the endpoint sync observed the endpoint. Note: Receiving telemetry from the endpoint doesn't count as a check-in. |
| Last Activity Time | The last time the endpoint sync received telemetry from the endpoint. Note: If you notice a large discrepancy between your endpoint's Last Check-In Time and Last Activity Time, the sensor is likely having an issue sending telemetry. |
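The two timing rules on this page, the uncommunicative thresholds (two hours for servers, one week for workstations, measured from Last Check-In Time) and the Last Check-In Time versus Last Activity Time discrepancy, as an added triage routine that is not Red Canary's code. The records are constructed, and the six-hour lag threshold is an assumption, since the page does not quantify "large discrepancy".

```python
"""Triage endpoint check-in and activity timestamps.

Added example, not Red Canary's code. Applies the page's uncommunicative
thresholds and flags endpoints whose Last Activity Time lags far behind
Last Check-In Time, the pattern the page associates with a sensor that
checks in but fails to send telemetry.
"""
from datetime import datetime, timedelta

UNCOMMUNICATIVE_AFTER = {"server": timedelta(hours=2), "workstation": timedelta(weeks=1)}
TELEMETRY_LAG_THRESHOLD = timedelta(hours=6)  # assumption: the page gives no figure

def parse_time(text):
    """ISO 8601 timestamp with a trailing Z, treated as naive UTC."""
    return datetime.fromisoformat(text.replace("Z", ""))

def triage(endpoint, now):
    """Return the findings for one endpoint record (empty list if healthy)."""
    checkin = parse_time(endpoint["last_checkin_time"])
    activity = parse_time(endpoint["last_activity_time"])
    findings = []
    if now - checkin > UNCOMMUNICATIVE_AFTER[endpoint["endpoint_type"]]:
        findings.append("uncommunicative")
    if checkin - activity > TELEMETRY_LAG_THRESHOLD:
        findings.append("telemetry_lag")  # checking in, but telemetry has stalled
    return findings

def triage_all(records, now):
    """Map hostname to findings for every endpoint that has at least one."""
    results = {r["hostname"]: triage(r, now) for r in records}
    return {host: found for host, found in results.items() if found}

# Constructed sample records; all times are UTC.
SAMPLE = [
    {"hostname": "srv-app-01", "endpoint_type": "server",
     "last_checkin_time": "2022-03-01T09:30:00Z", "last_activity_time": "2022-03-01T09:25:00Z"},
    {"hostname": "srv-db-02", "endpoint_type": "server",
     "last_checkin_time": "2022-03-01T06:00:00Z", "last_activity_time": "2022-03-01T05:55:00Z"},
    {"hostname": "lt-bob", "endpoint_type": "workstation",
     "last_checkin_time": "2022-02-27T18:00:00Z", "last_activity_time": "2022-02-27T17:50:00Z"},
    {"hostname": "lt-carol", "endpoint_type": "workstation",
     "last_checkin_time": "2022-03-01T09:00:00Z", "last_activity_time": "2022-02-25T12:00:00Z"},
    {"hostname": "lt-dave", "endpoint_type": "workstation",
     "last_checkin_time": "2022-02-15T08:00:00Z", "last_activity_time": "2022-02-15T07:59:00Z"},
]
NOW = datetime(2022, 3, 1, 10, 0, 0)  # constructed evaluation time for the sample
```

Calling triage_all(SAMPLE, NOW) flags srv-db-02 and lt-dave as uncommunicative and lt-carol for telemetry lag, while the endpoints checking in within their thresholds produce no findings.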