Whether you have one endpoint or thousands, monitoring how your endpoints are behaving is an essential part of understanding what your security stack is actually monitoring and protecting. Red Canary relies on telemetry from sensors installed on your endpoints, and uses that telemetry to generate detections and alerts about security activity and possible threats to those endpoints. Each endpoint is assigned statuses and metadata that you can use to understand how the endpoint is behaving and how Red Canary is interacting with it.
An endpoint may have various statuses that reflect the health of its sensor.
| Status | Description |
|---|---|
| Enrolled | The sensor is installed on the endpoint and has been observed at least once by Red Canary. |
| Monitored | The endpoint is enrolled and turned on, and Red Canary expects to receive telemetry from this endpoint. |
| | The endpoint isn’t sending telemetry to or being monitored by Red Canary. This could be because the endpoint is turned off, suspended, missing, or uninstalled. |
| | Red Canary is receiving telemetry about the endpoint and generating alerts about the data being monitored. |
| | The endpoint is isolated on the network as a response to a threat. |
| | The endpoint hasn’t communicated with Red Canary for either two hours for servers or one week for workstations. |
Depending on your EDR vendor, the endpoint may be:
In addition to various statuses, Red Canary collects metadata to provide an activity history for an endpoint.

| Field | Description |
|---|---|
| First Seen Time | This is the first time Red Canary learned that the endpoint exists. This can happen through endpoint discovery, sensor enrollment, or when identified in an alert via a configured Alert Source. Note: This doesn’t reflect the first time that Red Canary received data from the endpoint. |
| Last Check In Time | This is the last time the endpoint sync observed the endpoint. Note: Receiving telemetry from the endpoint doesn’t count as a check in. |
| | This is the last time the endpoint sync received telemetry from the endpoint. |
| | This is the date the endpoint was decommissioned and no longer monitored by Red Canary. |
| Last Detection Time | This is the last time the endpoint was involved in a Red Canary detection. |
| | If true, the endpoint is checking in and sending telemetry to Red Canary. If false, the endpoint is unhealthy or hasn’t checked in for three hours. |
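The status thresholds above (two hours for servers, one week for workstations) and the three-hour health rule are easy to turn into a sensor coverage check. The following Python script is an added example, not Red Canary's own code or API: it applies those thresholds to a constructed endpoint inventory export and reports every endpoint that needs attention. The record field names, the `kind` values `server` and `workstation`, the finding labels, and the choice to apply the same three-hour window to the last telemetry timestamp (the page states the window only for check-ins) are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as stated on the page: an endpoint counts as out of contact
# after two hours (servers) or one week (workstations), and the health flag
# is false once it hasn't checked in for three hours.
OUT_OF_CONTACT_AFTER: Dict[str, timedelta] = {
    "server": timedelta(hours=2),
    "workstation": timedelta(weeks=1),
}
UNHEALTHY_AFTER = timedelta(hours=3)


@dataclass
class EndpointRecord:
    """One row of an endpoint inventory export (field names are assumed)."""
    hostname: str
    kind: str                          # "server" or "workstation" (assumed values)
    last_check_in: Optional[datetime]  # None means the endpoint never checked in
    last_telemetry: Optional[datetime]
    decommissioned: Optional[datetime] = None
    isolated: bool = False


def age(ts: Optional[datetime], now: datetime) -> Optional[timedelta]:
    """Time elapsed since ts, or None when the event never happened."""
    return None if ts is None else now - ts


def is_healthy(ep: EndpointRecord, now: datetime) -> bool:
    """Health flag as the page describes it: checking in and sending telemetry.
    Assumption: both timestamps must be within the three-hour window."""
    check_in_age = age(ep.last_check_in, now)
    telemetry_age = age(ep.last_telemetry, now)
    if check_in_age is None or telemetry_age is None:
        return False
    return check_in_age <= UNHEALTHY_AFTER and telemetry_age <= UNHEALTHY_AFTER


def assess(ep: EndpointRecord, now: datetime) -> List[str]:
    """Return the findings for one endpoint as short labels (assumed names).
    A decommissioned endpoint is expected to be silent, so it yields nothing."""
    if ep.decommissioned is not None:
        return []
    if ep.kind not in OUT_OF_CONTACT_AFTER:
        raise ValueError(f"unknown endpoint kind {ep.kind!r}")
    findings: List[str] = []
    if ep.isolated:
        findings.append("isolated")
    check_in_age = age(ep.last_check_in, now)
    if check_in_age is None:
        findings.append("never checked in")
    elif check_in_age > OUT_OF_CONTACT_AFTER[ep.kind]:
        findings.append("out of contact")
    if not is_healthy(ep, now):
        findings.append("unhealthy")
    return findings


def coverage_report(endpoints: List[EndpointRecord], now: datetime) -> Dict[str, List[str]]:
    """Map hostname -> findings, keeping only endpoints that need attention."""
    report: Dict[str, List[str]] = {}
    for ep in endpoints:
        findings = assess(ep, now)
        if findings:
            report[ep.hostname] = findings
    return report


# Constructed sample export; timestamps are relative to a fixed "now".
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    EndpointRecord("srv-db-01", "server", NOW - timedelta(minutes=30), NOW - timedelta(minutes=5)),
    EndpointRecord("srv-web-02", "server", NOW - timedelta(hours=5), NOW - timedelta(hours=5)),
    # Quiet workstation: still within the one-week contact window, but the
    # three-hour health rule already flags it.
    EndpointRecord("wks-alice", "workstation", NOW - timedelta(days=2), NOW - timedelta(days=2)),
    EndpointRecord("wks-bob", "workstation", NOW - timedelta(days=9), NOW - timedelta(days=9)),
    EndpointRecord("wks-carol", "workstation", NOW - timedelta(hours=1), NOW - timedelta(hours=1), isolated=True),
    EndpointRecord("srv-old", "server", NOW - timedelta(days=40), None, decommissioned=NOW - timedelta(days=30)),
]

if __name__ == "__main__":
    for host, findings in coverage_report(SAMPLE, NOW).items():
        print(f"{host}: {', '.join(findings)}")
```

The `wks-alice` row is the case worth noticing: a workstation can be inside its one-week contact window and still carry a false health flag, so a coverage review should look at both signals rather than the status alone.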