This article provides a quick reference to filtering your detection analytics.
To group and understand your detection analytics, you can filter them by attribute.
- From the navigation menu, click Analytics.
- Enter attributes in the Detection Analytics filter bar, and then press Return or Enter.
Supported filter attributes
| Attribute | Description | Example |
| --- | --- | --- |
| Name | The detection analytic's name. | name:ANY-BLOODHOUND-FILEMOD |
| Description | A string contained in the detection analytic's description. | bloodhound |
| Intelligence Type | The primary type of intelligence used by the detection analytic. | intelligence_type:none, intelligence_type:first_party, intelligence_type:third_party, intelligence_type:publisher_blacklist |
| Attack Technique | A MITRE ATT&CK® technique number that the detection analytic identifies. | attack_technique_id:T1069 |
| Associated Indicators | An atomic indicator that the detection analytic identifies. Examples include application publisher names and binary hashes. | f5b3d6ab5971f65c0d0fc7a56c4d014a, Chengdu Yijia Advertising Co. Ltd. |
| First Detection Time | The first time Red Canary identified a threat in your environment using the detection analytic. | first_detection_at:2022-03-03.. |
| Latest Detection Time | The latest time Red Canary identified a threat in your environment using the detection analytic. | latest_detection_at:2022-03-03.. |
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.