This article provides a quick reference to filtering and downloading your events.
You can filter your events by attribute, and then download a CSV of the results.
- In Red Canary, click Events.
- Enter attributes in the Analyzed events filter bar, and then press Return or Enter.
- Click the download button, and then click Download to CSV (last 1500 events).
Supported filter attributes
|MAC address|A MAC address associated with the event.|
|IP address|An IP address associated with the event.|
||A user on an endpoint associated with the event.|
||A command line, process hash, or filename associated with the event.|
||An MD5 or SHA256 hash associated with the event.|
To filter endpoints by operating system, use the operating_system: field. After the colon, type either a single word, for example, operating_system:windows, or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and it matches specific endpoint operating systems as well as canonicalized names.
Exposing External Service UUID
To make it easier to filter endpoints by external service, we exposed the external service UUID in more places. You can now see an external service’s UUID on the
Additionally, we show the UUID of the external service for each endpoint in the Source column of the results.
Finally, in the filtering for endpoints help menu, click Learn more about filtering for endpoints. Next to each external service filter example we show a description of the corresponding external service, rather than just showing the service’s UUID.