This article provides a quick reference to filtering your detection analytics.
Estimated reading time: 2 minutes
To group and understand your detection analytics, you can filter them by attribute.
- In Red Canary, click Analytics.
- Enter attributes in the Detection Analytics filter bar, and then hit Return or Enter.
Supported filter attributes
| Attribute | Description |
|---|---|
| Name | The detection analytic's name. |
| Description | A string contained in the detection analytic's description. |
| Intelligence Type | The primary type of intelligence used by the detection analytic. |
| Attack Technique | A MITRE ATT&CK® technique number that the detection analytic identifies. |
| | An atomic indicator that the detection analytic identifies. Examples include application publisher names and binary hashes. |
| First Detection Time | The first time Red Canary identified a detection in your environment using the detection analytic. |
| Latest Detection Time | The latest time Red Canary identified a detection in your environment using the detection analytic. |
Dates are specified using `from..to` syntax, where `from` and `to` are date-times or ISO 8601 dates. You can omit either `from` or `to` to filter for unbounded times.
To filter endpoints by operating system, use the `operating_system:` field. You may either type a word after the colon, for example `operating_system:windows`, or multiple words surrounded by double quotes, for example `operating_system:"Windows 10"`. This field is not case-sensitive, and will match on specific endpoint operating systems as well as canonicalized names.
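The following is an added example, not code from the article or from Red Canary, showing how the filter-bar syntax described above can be parsed and applied: `key:value` tokens, double-quoted multi-word values, case-insensitive operating-system matching against both the specific OS string and a canonical name, and `from..to` date ranges with either side omitted. The lowercase keys `first_detection_time`, `attack_technique` and `description`, the substring rule for specific OS names, and the sample records are assumptions made for the example; only `operating_system:` and the `from..to` syntax appear on the page.

```python
"""Toy filter-bar parser and matcher (added example; not Red Canary's code).

Assumed grammar: whitespace-separated ``key:value`` tokens, where value is a
bare word or a double-quoted phrase. Keys ending in ``_time`` take a
``from..to`` range of ISO 8601 dates or date-times; an empty side is unbounded.
"""
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# key:value where value is "quoted words" (group 3) or a bare token (group 4).
_TOKEN = re.compile(r'(\w+):("([^"]*)"|(\S+))')


def parse_date_bound(text: str) -> Optional[datetime]:
    """One side of a from..to range; '' means unbounded (None). Naive -> UTC."""
    if text == "":
        return None
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_range(value: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """'2024-01-01..2024-02-01' -> (from, to); '..2024-01-01' and '2024-01-01..' allowed."""
    if ".." not in value:
        raise ValueError("date filters must use from..to syntax")
    lo, hi = value.split("..", 1)
    return parse_date_bound(lo), parse_date_bound(hi)


def parse_filters(query: str) -> dict:
    """Turn the filter-bar string into {key: value-or-range}. Keys are case-folded."""
    filters = {}
    for m in _TOKEN.finditer(query):
        key = m.group(1).lower()
        value = m.group(3) if m.group(3) is not None else m.group(4)
        filters[key] = parse_range(value) if key.endswith("_time") else value
    return filters


def in_range(ts: datetime, bounds) -> bool:
    lo, hi = bounds
    return (lo is None or ts >= lo) and (hi is None or ts <= hi)


def matches(record: dict, filters: dict) -> bool:
    """Every filter must match; unknown keys on the record never match."""
    for key, want in filters.items():
        have = record.get(key)
        if have is None:
            return False
        if isinstance(want, tuple):            # date range
            if not in_range(have, want):
                return False
        elif key == "operating_system":        # case-insensitive; specific or canonical name
            w = want.lower()
            if w != have["canonical"].lower() and w not in have["name"].lower():
                return False
        elif key == "description":             # substring, per the table above
            if want.lower() not in have.lower():
                return False
        elif want.lower() != str(have).lower():  # exact, case-insensitive
            return False
    return True


# Constructed sample records (not real analytics); OS carries the specific
# string reported by the endpoint plus an assumed canonical name.
SAMPLE = [
    {"name": "Suspicious PowerShell", "description": "Encoded command execution",
     "attack_technique": "T1059.001",
     "first_detection_time": datetime(2024, 1, 15, tzinfo=timezone.utc),
     "operating_system": {"name": "Windows 10 Pro 22H2", "canonical": "windows"}},
    {"name": "Cron Persistence", "description": "Scheduled task written to crontab",
     "attack_technique": "T1053.003",
     "first_detection_time": datetime(2023, 11, 2, tzinfo=timezone.utc),
     "operating_system": {"name": "Ubuntu 22.04", "canonical": "linux"}},
    {"name": "LaunchAgent Persistence", "description": "New LaunchAgent plist dropped",
     "attack_technique": "T1543.001",
     "first_detection_time": datetime(2024, 3, 9, tzinfo=timezone.utc),
     "operating_system": {"name": "macOS 14.2", "canonical": "macos"}},
]


def search(query: str, records=SAMPLE) -> list:
    """Return the names of records matching the filter-bar query."""
    f = parse_filters(query)
    return [r["name"] for r in records if matches(r, f)]


if __name__ == "__main__":
    for q in ('operating_system:"Windows 10"',
              "first_detection_time:2024-01-01..",
              "first_detection_time:..2024-01-01 attack_technique:T1053.003"):
        print(f"{q!r:65} -> {search(q)}")
```

Note that an unbounded side is represented as `None` rather than a sentinel date, so a record is never excluded merely because a bound was left out, which is the behaviour the `from..to` description above calls for.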