Skip to main content
Red Canary help

Filter endpoints

  • Updated .

This article provides a quick reference to filtering your endpoints.

Estimated reading time: 2 minutes

To assess your inventory of systems and take actions on multiple endpoints at once, you can filter endpoints by their attributes.

  1. In Red Canary, click Endpoints
  2. Enter attributes in the Endpoint inventory filter bar, and then hit Enter or Return.

Supported filter attributes

Attribute Description Example
Hostname Hostnames the endpoint has held over time.

admin-pc
MAC address MAC addresses the endpoint has used over time.

00-14-22-01-23-45
IP address IP addresses the endpoint has used over time.

127.0.0.1
Reporting tag Current "key":"value" reporting tags applied to an endpoint.

"Business Unit":"Headquarters"

"Business Unit":* (any endpoint with any value of this tag)

"Business Unit":! (any endpoint without this tag)
Operating system An endpoint's current operating system.

operating_system:"Windows 7"
End-of-life operating system A boolean that indicates whether the endpoint's operating system has reached its end of life. end_of_life_operating_system:true
Endpoint type The type of endpoint, for example, "workstation" or "server."

endpoint_type:server

endpoint_type:workstation
Sensor ID The underlying EDR product's sensor ID. abcd1234-abcd-1111-2222-4321dcba1234
Sensor version The underlying EDR product's sensor version, as reported by the sensor.

sensor_version:006.002.002.90503
Sensor health issues A boolean that indicates whether the sensor is reporting serious health issues that affect performance.

sensor_reporting_health_issues:true
Monitoring status An endpoint's monitoring status, for example, "unmonitored."

monitoring_status:monitored

monitoring_status:unmonitored
Enrolled A boolean that indicates whether a sensor is active on an endpoint.

enrolled:true
Isolated A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product.

isolated:true
First seen time The time when Red Canary first saw the endpoint via discovery or sensor installation. first_seen_at:2022-02-01..
Decommissioned time The time when an endpoint was last decommissioned. decommissioned_at:2022-02-01..
Latest detection time The last time when Red Canary identified a threat on an endpoint. latest_detection_at:2022-02-01..
Last check-in time The last time when an endpoint communicated with Red Canary or its EDR platform. last_checkin_time:2022-02-01..
Uncommunicative endpoints

The endpoint hasn’t communicated with Red Canary (Last Check-In Time) for either two hours for servers or one week for workstations.

uncommunicative:server

uncommunicative:workstation

 

Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.

To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10"This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.

Exposing External Service UUID

To make it easier to filter endpoints by external service, we exposed the external service UUID in more places.  You can now see an external service’s UUID on the /account/external_services/* pages.

Additionally, we show the UUID of the external service for each endpoint in the Source column of the results. 

Endpoint Source.jpg

Finally, in the filtering for endpoints help menu, click Learn more about filtering for endpoints.. Next to each external service filter example we show a description of the corresponding external service, rather than just showing the service’s UUID.

Screen Shot 2022-08-26 at 10.58.59 AM.png

Comments

0 comments

Please sign in to leave a comment.