This article provides a quick reference to filtering your detection analytics.
To group and understand your detection analytics, you can filter them by attribute.
- From the navigation menu, click the Analytics dropdown.
- Enter attributes in the Detection Analytics filter bar, and then press Return or Enter.
Supported filter attributes
| Attribute | Description |
|---|---|
| Name | The detection analytic's name. |
| Description | A string contained in the detection analytic's description. |
| Intelligence Type | The primary type of intelligence used by the detection analytic. |
| ATT&CK Technique | A MITRE ATT&CK® technique number that the detection analytic identifies. |
| Indicator | An atomic indicator that the detection analytic identifies. Examples include application publisher names (for example, Chengdu Yijia Advertising Co. Ltd.) and binary hashes. |
| First Detection Time | The first time Red Canary identified a threat in your environment using the detection analytic. |
| Latest Detection Time | The latest time Red Canary identified a threat in your environment using the detection analytic. |
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example operating_system:windows, or multiple words surrounded by double quotes, for example operating_system:"Windows 10". This field is not case-sensitive, and it matches on specific endpoint operating systems as well as canonicalized names.
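The following is an added example, not Red Canary's code, showing how the filter-bar syntax described above (key:value pairs, double-quoted multi-word values, from..to date ranges with either end omitted, and case-insensitive operating_system matching) can be parsed and applied to a constructed set of records. The field keys, sample records and the prefix rule used to approximate canonical OS names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample records; the field keys are assumptions for this example.
ANALYTICS = [
    {"name": "Suspicious PowerShell Download", "operating_system": "Windows 10 Pro",
     "first_detection_time": datetime(2024, 1, 12, 9, 30)},
    {"name": "Cron Persistence", "operating_system": "Ubuntu 22.04",
     "first_detection_time": datetime(2023, 11, 2)},
]

# key:value or key:"quoted value with spaces"
TOKEN = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')
DATE_FIELDS = {"first_detection_time", "latest_detection_time"}

def parse_filter(text):
    """Split a filter-bar string into (field, value) pairs; quoted values keep their spaces."""
    return [(m.group(1).lower(), m.group(2) if m.group(2) is not None else m.group(3))
            for m in TOKEN.finditer(text)]

def parse_range(value):
    """Parse from..to where each side is an ISO 8601 date or date-time; an empty side is unbounded."""
    if ".." not in value:
        raise ValueError("date filters use from..to syntax: %r" % value)
    lo, hi = value.split("..", 1)
    return (datetime.fromisoformat(lo) if lo else None,
            datetime.fromisoformat(hi) if hi else None)

def in_range(when, bounds):
    lo, hi = bounds
    return (lo is None or when >= lo) and (hi is None or when <= hi)

def os_matches(endpoint_os, wanted):
    """Case-insensitive match on the full OS string or on a leading canonical name
    (assumed here: 'windows' and 'windows 10' both match 'Windows 10 Pro')."""
    e, w = endpoint_os.lower(), wanted.lower()
    return e == w or e.startswith(w)

def matches(record, filters):
    for field, value in filters:
        if field in DATE_FIELDS:
            if not in_range(record[field], parse_range(value)):
                return False
        elif field == "operating_system":
            if not os_matches(record[field], value):
                return False
        elif value.lower() not in str(record.get(field, "")).lower():
            return False  # other fields: case-insensitive substring match
    return True

def search(query, records=ANALYTICS):
    """Return the names of records that satisfy every filter in the query."""
    filters = parse_filter(query)
    return [r["name"] for r in records if matches(r, filters)]
```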