Filter and find specific threats in Red Canary.
To group and understand your threats, you can filter them by attribute.
- From the navigation menu, click Threats.
- Enter attributes in the Threats filter bar, and then press Enter.
Threat table attributes
| Key | Attribute | Description | Example |
| 1 | Severity | The severity of the threat. Separate multiple values with a vertical bar (|). |
severity:high severity:high|medium |
| 2 | Threat | This is the unique threat ID. | |
| 3 | Classification | Strings indicating the classification and sub-classification of a threat. Separate multiple values with a vertical bar (|). |
classification:"Malicious Software" classification:"Worm"|"Process" |
| 4 | Endpoint | The hostname of the endpoint associated with the threat. | hostname |
| 5 | Identity | The username of the user associated with the threat. | Username |
| 6 | Acknowledged at | The date and time the threat was last acknowledged. | acknowledged_at:2022-02-02.. |
| 7 | Acknowledged by | The email of the user who acknowledged the threat. | acknowledged_by:johndoe@acme.com |
| 8 | Published at | The publishing date and time. | published_at:2022-02-02.. |
| 9 | State | The state of the threat. Valid options are new, acknowledged, remediated, and not_remediated. Separate multiple values with a vertical bar (|). |
state:new state:new|acknowledged state:remediated|not_remediated |
| 10 | Last Seen | Filter by the date and time that associated activity was last observed. | last_seen:2022-02-02.. |
A note on dates and times:
Date filters are specified with a from..to syntax where either from or to can be unbounded:
- 2020-01-01.. filters for matches on or after (>=) the from date
- ..2020-01-01 filters for matches on or before (<=) the to date
- 2020-01-01..2020-01-31 filters for matches on or after (>=) the from date and on or before (<=) the to date
To filter endpoints by operating system, use the operating_system: field. You may either type a word after the colon, for example, operating_system:windows; or multiple words surrounded by double quotes, for example, operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.
Comments
2 comments
Can you do a NOT operation?
I would like to see an example where I can filter out alerts that are not type "Unwanted Software"
Hey @Chuck, there's not a NOT operation, but you can just filter on the top-level Classification categories that you want, excluding Unwanted Software, to show everything but Unwanted Software:
classification:"Malicious Software"|"Suspicious Activity"
Please sign in to leave a comment.