Skip to main content
Red Canary help

Monitoring Sensor Health and Connection to Red Canary

  • Updated .

Red Canary relies on telemetry data from sensors deployed in your environment. To help you understand the state of that data connection, Red Canary assigns states on other metadata to each endpoint to help you understand how the Endpoint is behaving and how Red Canary is treating that Endpoint. 

Endpoint Labels and Statuses: 

Endpoint States:

These are the states that Red Canary recognizes for your endpoints.

  • Enrolled: Has an EDR/EPP sensor installed. 
  • Unenrolled: Unenrolled indicates that Red Canary has knowledge of an endpoint, but we don't detect that an EDR/EPP sensor is installed.
  • Monitored: Endpoint is enrolled and currently checking in / sending telemetry to the EDR platform. It is possible to be enrolled but not currently monitored, though as soon as the endpoint comes back online it will be enrolled + monitored again.
  • Unmonitored: Telemetry is not making it to Red Canary to be monitored. This may be because the endpoint is powered off, suspended, missing, or the sensor may have been uninstalled. 
  • Protected: 
    • MDR: this endpoint has a sensor installed.
    • CWP: the CWP sensor is collecting telemetry and health data.
  • Unprotected: 
    • MDR:, this endpoint does not have a sensor installed. 
    • CWP: the endpoint is on the Free subscription, is offline, or is in safe mode and is not collecting telemetry.
  • Isolated: Isolated Endpoints have been isolated on the network by the underlying EDR product. Red Canary will continue to collect telemetry from Isolated Endpoints.
  • Uncommunicative: Uncommunicative Endpoints haven't checked in recently. (2 hours for servers, 1 week for workstations). These endpoints may still be sending telemetry data.

Endpoint Metadata:

In addition to specific states of an endpoint, Red Canary collects additional metadata about each endpoint in order to provide improved context and situational awareness.

  • First Seen Time: This is the first time the Red Canary learned that an endpoint exists. This can happen through endpoint discovery, sensor enrollment, or when it is identified in an Alert Center alert. This is the first "Checkin" time for this Endpoint. The First Seen Time timestamp does not reflect the first time that Red Canary received telemetry data from an endpoint.
  • Last Check In Time: This is the last time the endpoint sync last observed the endpoint. Receiving telemetry data from an endpoint does not count as a Check In. 
  • Decommissioned Time: This is the time when an endpoint was Decommissioned in Red Canary. Decommissioned Endpoints are not monitored.
  • Last Detection Time: This is the last time this endpoint was involved in a Red Canary detection. 

Sensor Health Issues: the sensor is reporting health issues which affect performance and may affect telemetry available to Red Canary.