Skip to main content
Red Canary help

Filtering endpoints

  • Updated .

This article provides a quick reference to filtering your endpoints.

Estimated reading time: 2 minutes

To assess your inventory of systems and take actions on multiple endpoints at once, you can filter endpoints by their attributes.

  1. In Red Canary, click Endpoints
  2. Enter attributes in the Endpoint inventory filter bar, and then hit Enter or Return.

mceclip2.png

Supported filter attributes

Attribute Description Example
Hostname Hostnames the endpoint has held over time.

admin-pc
MAC address MAC addresses the endpoint has used over time.

00-14-22-01-23-45
IP address IP addresses the endpoint has used over time.

127.0.0.1
Reporting tag Current "key":"value" reporting tags applied to an endpoint.

"Business Unit":"Headquarters"

"Business Unit":* (any endpoint with any value of this tag)

"Business Unit":! (any endpoint without this tag)
Operating system An endpoint's current operating system.

operating_system:"Windows 7"
End-of-life operating system A boolean that indicates whether the endpoint's operating system has reached its end of life. end_of_life_operating_system:true
Endpoint type The type of endpoint, for example, "workstation" or "server."

endpoint_type:server

endpoint_type:workstation
Sensor ID The underlying EDR product's sensor ID. abcd1234-abcd-1111-2222-4321dcba1234
Sensor version The underlying EDR product's sensor version, as reported by the sensor.

sensor_version:006.002.002.90503
Sensor health issues A boolean that indicates whether the sensor is reporting serious health issues that affect performance.

sensor_reporting_health_issues:true
Monitoring status An endpoint's monitoring status, for example, "unmonitored."

monitoring_status:monitored

monitoring_status:unmonitored
Enrolled A boolean that indicates whether a sensor is active on an endpoint.

enrolled:true
Isolated A boolean that indicates whether an endpoint is isolated from its network by the underlying EDR product.

isolated:true
First seen time The time when Red Canary first saw the endpoint via discovery or sensor installation. first_seen_at:2022-02-01..
Decommissioned time The time when an endpoint was last decommissioned. decommissioned_at:2022-02-01..
Latest detection time The last time when Red Canary identified a threat on an endpoint. latest_detection_at:2022-02-01..
Last check-in time The last time when an endpoint communicated with Red Canary or its EDR platform. last_checkin_time:2022-02-01..
Uncommunicative endpoints Endpoints that no longer communicate with Red Canary or their EDR platforms.

uncommunicative:server

uncommunicative:workstation

Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.

Comments

0 comments

Please sign in to leave a comment.