This article provides a quick reference to filtering your endpoints.
To assess your inventory of systems and take actions on multiple endpoints at once, you can filter endpoints by their attributes.
- In Red Canary, click Endpoints.
- Enter attributes in the Endpoint inventory filter bar, and then hit Enter or Return.
Supported filter attributes
| Attribute | Description |
|---|---|
| Hostname | Hostnames the endpoint has held over time. |
| MAC address | MAC addresses the endpoint has used over time. |
| IP address | IP addresses the endpoint has used over time. |
| Operating system | An endpoint's current operating system. |
| End-of-life operating system | A boolean that indicates whether the endpoint's operating system has reached its end of life. |
| Endpoint type | The type of endpoint, for example, "workstation" or "server." |
| Sensor ID | The underlying EDR product's sensor ID. |
| Sensor version | The underlying EDR product's sensor version, as reported by the sensor. |
| Sensor health issues | A boolean that indicates whether the sensor is reporting serious health issues that affect performance. |
| Monitoring status | An endpoint's monitoring status, for example, "unmonitored." |
| Enrolled | A boolean that indicates whether a sensor is active on an endpoint. |
| Isolated | A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product. |
| First seen time | The time when Red Canary first saw the endpoint via discovery or sensor installation. |
| Decommissioned time | The time when an endpoint was last decommissioned. |
| Latest detection time | The last time when Red Canary identified a threat on an endpoint. |
| Last check-in time | The last time when an endpoint communicated with Red Canary or its EDR platform. |
The endpoint hasn’t communicated with Red Canary (Last Check-In Time) for either two hours for servers or one week for workstations.
Dates are specified using `from..to` syntax, where `from` and `to` are date-times or ISO 8601 dates. You can omit either `from` or `to` to filter for unbounded times.
To filter endpoints by operating system, use the `operating_system:` field. You may either type a word after the colon, for example, `operating_system:windows`, or multiple words surrounded by double quotes, for example, `operating_system:"Windows 10"`. This field is not case-sensitive and will match on specific endpoint operating systems as well as canonicalized names.
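As an added illustration (not Red Canary's code), the following Python applies the syntax described above, `field:value` pairs, double-quoted multi-word values, case-insensitive text matching, and `from..to` time ranges with ISO 8601 bounds where either side may be omitted, to a constructed inventory. The snake_case field names, the substring semantics for text fields, and the sample endpoints are assumptions made for the example.

```python
from datetime import datetime
import shlex

# Constructed sample inventory for the example; not real endpoint data.
INVENTORY = [
    {"hostname": "web-01", "operating_system": "Windows Server 2019",
     "endpoint_type": "server", "enrolled": True,
     "last_check_in_time": "2024-05-03T09:15:00"},
    {"hostname": "laptop-42", "operating_system": "Windows 10 Pro",
     "endpoint_type": "workstation", "enrolled": True,
     "last_check_in_time": "2024-04-20T17:00:00"},
    {"hostname": "build-07", "operating_system": "Ubuntu 22.04",
     "endpoint_type": "server", "enrolled": False,
     "last_check_in_time": "2024-05-01T00:00:00"},
]


def parse_query(query):
    """Split 'field:value field:"two words" time:from..to' into (field, value)
    pairs. shlex keeps a double-quoted multi-word value as one token."""
    pairs = []
    for token in shlex.split(query):
        field, _, value = token.partition(":")  # split on the first colon only
        pairs.append((field, value))
    return pairs


def parse_bound(text):
    # ISO 8601 date or date-time; an empty string means the bound is open.
    return datetime.fromisoformat(text) if text else None


def matches(endpoint, field, value):
    actual = endpoint.get(field)
    if field.endswith("_time"):
        # from..to range; a value without '..' is treated as an open upper bound
        # here (assumption, the page does not define that case).
        lo, _, hi = value.partition("..")
        when, start, end = datetime.fromisoformat(actual), parse_bound(lo), parse_bound(hi)
        return (start is None or when >= start) and (end is None or when <= end)
    if isinstance(actual, bool):
        return actual == (value.lower() == "true")
    # Text fields: case-insensitive substring match (assumed semantics).
    return value.lower() in str(actual).lower()


def filter_endpoints(query, inventory=INVENTORY):
    """Return hostnames of endpoints that satisfy every field:value pair."""
    pairs = parse_query(query)
    return [e["hostname"] for e in inventory
            if all(matches(e, f, v) for f, v in pairs)]
```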
Exposing External Service UUID
To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service’s UUID on the
Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.
Finally, in the filtering for endpoints help menu, click Learn more about filtering for endpoints. Next to each external service filter example we show a description of the corresponding external service, rather than just showing the service's UUID.