Endpoints are the computing devices used throughout your organization. Software sensors deployed to those endpoints collect detailed telemetry about what is happening on those systems at the operating system level and transmit it to Red Canary for analysis.
Your endpoints are the most critical assets to protect from adversaries because:
- For most organizations, they are where important data resides or is accessed.
- They are the systems that vulnerable users use every day.
Red Canary’s endpoint page allows you to filter your endpoints by many attributes, including several pre-built filters for common use cases, such as recently enrolled endpoints, isolated endpoints, and endpoints running end-of-life operating systems.
Where do endpoints come from?
Endpoints are identified through several Red Canary processes. They can be:
- Collected from your EDR/EPP platforms
- Discovered in your cloud accounts
- Identified when processing alerts from your security products
Whenever Red Canary has enough information to conclude that endpoint information from multiple sources refers to the same endpoint, all of that information is automatically merged together.
How are endpoints classified?
Endpoints can be classified in several ways:
- Endpoints are enrolled if they have an EDR/EPP sensor installed.
- Endpoints are protected if:
  - they have an EDR/EPP sensor installed on them.
  - the sensor has sent telemetry within 3 hours of the last check-in time.
  - that sensor is configured to send telemetry to Red Canary (not in any form of safe mode or reduced functionality mode).
  - that endpoint is not configured to be unmonitored by Red Canary for licensing/usage purposes.
- Endpoints are decommissioned when you no longer expect to monitor them and you want to remove them from most reports, emails, and other views.
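The classification rules above can be checked mechanically. The following is an added example, not Red Canary's code or data model: field names such as sensor_installed, last_checkin, last_telemetry, reduced_functionality and unmonitored_for_licensing are assumptions chosen to mirror the four "protected" criteria, and the sample fleet is constructed. Besides labelling each endpoint, it reports why an endpoint is not protected, which is what a practitioner triaging coverage gaps actually needs; note that a decommissioned endpoint can still be protected, consistent with the FAQ below.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

# "the sensor has sent telemetry within 3 hours of the last check-in time"
TELEMETRY_WINDOW = timedelta(hours=3)


@dataclass
class Endpoint:
    # Field names are assumptions for this example, not Red Canary's schema.
    hostname: str
    sensor_installed: bool                      # EDR/EPP sensor present
    last_checkin: Optional[datetime] = None     # sensor's last check-in
    last_telemetry: Optional[datetime] = None   # last telemetry received
    reduced_functionality: bool = False         # safe mode / reduced functionality
    unmonitored_for_licensing: bool = False     # excluded for licensing/usage reasons
    decommissioned: bool = False                # operator no longer expects to monitor it


def is_enrolled(ep: Endpoint) -> bool:
    return ep.sensor_installed


def unprotected_reasons(ep: Endpoint) -> List[str]:
    """Every 'protected' criterion the endpoint fails; an empty list means protected."""
    reasons = []
    if not is_enrolled(ep):
        reasons.append("no EDR/EPP sensor installed")
    if ep.last_checkin is None or ep.last_telemetry is None:
        reasons.append("no telemetry received")
    elif abs(ep.last_checkin - ep.last_telemetry) > TELEMETRY_WINDOW:
        # Assumed reading of the rule: telemetry must be within 3h of the check-in.
        reasons.append("telemetry older than 3h relative to last check-in")
    if ep.reduced_functionality:
        reasons.append("sensor in safe/reduced functionality mode")
    if ep.unmonitored_for_licensing:
        reasons.append("configured as unmonitored for licensing/usage")
    return reasons


def is_protected(ep: Endpoint) -> bool:
    return not unprotected_reasons(ep)


def classify(ep: Endpoint) -> Set[str]:
    """The set of classification labels that apply to one endpoint."""
    labels = set()
    if is_enrolled(ep):
        labels.add("enrolled")
    if is_protected(ep):
        labels.add("protected")
    if ep.decommissioned:
        labels.add("decommissioned")
    return labels


def summarize(fleet: List[Endpoint]) -> dict:
    """Coverage counts across a fleet, the numbers an endpoint dashboard would show."""
    counts = {"total": len(fleet), "enrolled": 0, "protected": 0, "decommissioned": 0}
    for ep in fleet:
        for label in classify(ep):
            counts[label] += 1
    return counts


# Constructed sample fleet with one endpoint per failure mode.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
FLEET = [
    Endpoint("ws-01", True, NOW, NOW - timedelta(minutes=5)),        # healthy
    Endpoint("ws-02", True, NOW, NOW - timedelta(hours=5)),          # telemetry stale
    Endpoint("ws-03", True, NOW, NOW, reduced_functionality=True),   # safe mode
    Endpoint("ws-04", False),                                        # never enrolled
    Endpoint("ws-05", True, NOW, NOW, decommissioned=True),          # decommissioned but reporting
    Endpoint("ws-06", True, NOW, NOW, unmonitored_for_licensing=True),
]

if __name__ == "__main__":
    for ep in FLEET:
        print(ep.hostname, sorted(classify(ep)), unprotected_reasons(ep))
    print(summarize(FLEET))
```

Reading the output for ws-02 and ws-03 is the useful part: "enrolled" without "protected" is the state an attacker benefits from most, because the sensor is present but Red Canary is not receiving usable telemetry from it.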
What tags are automatically applied to endpoints?
Red Canary automatically applies a number of tags to endpoints as they are created and updated. Learn more about tagging endpoints for context and reporting.
What information is retained about endpoints?
Unlike most security platforms, which retain only the hostname or IP address an endpoint last used, Red Canary stores each change to those data points, which is critical for investigating security incidents.
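Why the change history matters is easiest to see with a lookup. The following is an added example, not Red Canary's code: it keeps an append-only list of hostname/IP observations per endpoint and answers "which endpoint held this IP at the time of the alert?" The endpoint ids, addresses and timestamps are constructed. In the sample, a DHCP lease moves 10.0.0.5 from one laptop to another; a current-value-only model attributes an earlier alert to the wrong host, while the history resolves it correctly.

```python
from bisect import bisect_right
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    at: datetime
    hostname: str
    ip: str


@dataclass
class EndpointHistory:
    # Assumed structure for this example, not Red Canary's schema.
    endpoint_id: str
    observations: List[Observation] = field(default_factory=list)

    def record(self, at: datetime, hostname: str, ip: str) -> bool:
        """Store an observation only when hostname or IP changed; True if stored."""
        if self.observations:
            last = self.observations[-1]
            if at < last.at:
                raise ValueError("observations must be recorded in time order")
            if (last.hostname, last.ip) == (hostname, ip):
                return False
        self.observations.append(Observation(at, hostname, ip))
        return True

    def state_at(self, at: datetime) -> Optional[Observation]:
        """The most recent observation at or before `at`, or None if not yet seen."""
        times = [o.at for o in self.observations]
        i = bisect_right(times, at)
        return self.observations[i - 1] if i else None

    def current(self) -> Optional[Observation]:
        return self.observations[-1] if self.observations else None


def owners_of_ip(histories: List[EndpointHistory], ip: str, at: datetime) -> List[str]:
    """Endpoints that held `ip` at time `at`, using the full change history."""
    owners = []
    for h in histories:
        state = h.state_at(at)
        if state is not None and state.ip == ip:
            owners.append(h.endpoint_id)
    return sorted(owners)


def owners_of_ip_current(histories: List[EndpointHistory], ip: str) -> List[str]:
    """What a last-value-only platform can answer: who holds `ip` right now."""
    return sorted(h.endpoint_id for h in histories
                  if h.current() is not None and h.current().ip == ip)


def build_sample() -> List[EndpointHistory]:
    """Constructed scenario: 10.0.0.5 is reassigned from laptop-a to laptop-b."""
    t = lambda hour, minute=0: datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)
    a = EndpointHistory("laptop-a")
    a.record(t(8), "laptop-a", "10.0.0.5")
    a.record(t(12), "laptop-a", "10.0.0.9")     # lease changes at noon
    b = EndpointHistory("laptop-b")
    b.record(t(12, 30), "laptop-b", "10.0.0.5")  # old address reused by another host
    return [a, b]


SAMPLE = build_sample()
ALERT_TIME = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)  # alert citing 10.0.0.5

if __name__ == "__main__":
    print("history says:", owners_of_ip(SAMPLE, "10.0.0.5", ALERT_TIME))
    print("current-only says:", owners_of_ip_current(SAMPLE, "10.0.0.5"))
```

The `record` method also shows the storage trade-off: only actual changes are kept, so the history stays small for stable endpoints while still answering point-in-time questions during an investigation.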
Are endpoints still monitored and protected if they are decommissioned?
Yes. If you decommission an endpoint and it later comes back online, it is still monitored for threats.