Skip to main content
Red Canary help

Monitor endpoint statuses and connection to Red Canary

  • Updated .

Whether you have one endpoint or thousands, monitoring how your endpoints are behaving is an essential part of understanding what is being monitored and protected in your security stack. Red Canary relies on telemetry from sensors installed on your endpoints that then generate detections and alerts about security activity and possible threats to those endpoints. These endpoints are assigned statuses and metadata that you can use to understand how the endpoint is behaving and how Red Canary is interacting with it.

Endpoint statuses

An endpoint may have various statuses that reflect the health of a sensor.

Status Definition
Enrolled The sensor is installed on the endpoint and has been observed at least once by Red Canary.
Monitored The endpoint is enrolled and turned on, and Red Canary expects to receive telemetry from this endpoint.
Unmonitored

The endpoint isn’t sending telemetry to or being monitored by Red Canary. This could be because the endpoint is turned off, suspended, missing, or uninstalled.
Protected

Red Canary is receiving telemetry about the endpoint and generating alerts about the data being monitored.
Isolated

The endpoint is isolated on the network as a response to a threat.
Uncommunicative

The endpoint hasn’t communicated with Red Canary for either two hours for servers or one week for workstations.
Missing

Depending on your EDR vendor, the endpoint may be:

  • Carbon Black Response: offline but not considered shutdown or suspended
  • Carbon Black Cloud: inactive or pending
  • MDR for Infrastructure: not checking in with Red Canary within the past hour
  • CrowdStrike Falcon: offline
  • Endgame: unmonitored
  • Microsoft: unable to send data

Endpoint metadata

In addition to various statuses, Red Canary collects metadata to provide activity history of an endpoint.

Field Definition
First Seen Time

This is the first time Red Canary learned that the endpoint exists. This can happen through endpoint discovery, sensor enrollment, or when identified in an alert via a configured Alert Source.  

Note: This doesn’t reflect the first time that Red Canary received data from the endpoint.
Last Check In Time

This is the last time the endpoint sync observed the endpoint. 

Note: Receiving telemetry from the endpoint doesn’t count as a check in.
Last Activity

This is the last time the endpoint sync received telemetry from the endpoint.
Decommissioned Time

This is the date the endpoint was decommissioned and no longer monitored by Red Canary.
Last Detection Time

This is the last time the endpoint was involved in a Red Canary detection.
Is Protected?

If true, the endpoint is checking in and sending telemetry to Red Canary.


If false, the endpoint is unhealthy or hasn’t checked in for three hours.

Related articles

Comments

0 comments

Please sign in to leave a comment.