Filter and find specific threats in Red Canary.
To group and understand your threats, you can filter them by attribute.
- In Red Canary, click Threats.
- Enter attributes in the Threats filter bar, and then press Enter.
Supported filter attributes
Attribute | Description | Example |
--- | --- | --- |
State | The state of the threat. Valid options are `new`, `acknowledged`, `remediated`, and `not_remediated`. Separate multiple values with a vertical bar (`\|`). | `state:new`, `state:new\|acknowledged`, `state:remediated\|not_remediated` |
Severity | The severity of the threat. Separate multiple values with a vertical bar (`\|`). | `severity:high`, `severity:high\|medium` |
Classification | Strings indicating the classification and sub-classification of a threat. Separate multiple values with a vertical bar (`\|`). | `classification:"Malicious Software"`, `classification:"Worm"\|"Process"` |
Published at | The publishing date and time. | `published_at:2022-02-02..` |
Acknowledged at | The date and time the threat was last acknowledged. | `acknowledged_at:2022-02-02..` |
Acknowledged by | The email of the user who acknowledged the threat. | `acknowledged_by:johndoe@acme.com` |
Last seen at | The date and time that associated activity was last observed. | `last_seen_at:2022-02-02..` |
Hostname | The current hostname of the endpoint associated with the threat. | `hostname:admin-pc` |
Reporting tag | The `"key":"value"` reporting tag currently applied to an endpoint associated with the threat. | `endpoint_type:workstation`, `"Business Unit":"Headquarters"`, `"Business Unit":*` (any endpoint with any value of this tag), `"Business Unit":!` (any endpoint without this tag) |
Dates are specified using `from..to` syntax, where `from` and `to` are date-times or ISO 8601 dates. You can omit either `from` or `to` to filter for unbounded times.
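To show how the filter grammar above fits together (whitespace-separated `attribute:value` terms ANDed, `|` alternatives ORed, quoted names and values, `from..to` date ranges, and the `*` / `!` tag wildcards), here is an added example evaluator written for this page; it is not Red Canary's own code, and the threat records, the `tags` dictionary and the rule that any attribute not in the table is treated as a reporting-tag key are assumptions.

```python
import re
from datetime import date

DATE_ATTRS = {"published_at", "acknowledged_at", "last_seen_at"}
KNOWN_ATTRS = DATE_ATTRS | {"state", "severity", "classification", "acknowledged_by", "hostname"}
# attr:value terms; either side may be quoted so that it can contain spaces.
TERM_RE = re.compile(r'("[^"]*"|[^\s:"]+):((?:"[^"]*"|[^\s"]+)+)')

def parse_filter(query):
    """Return [(attribute, [alternatives])]; '|' separates OR'd values."""
    return [(attr.strip('"'), [v.strip('"') for v in value.split("|")])
            for attr, value in TERM_RE.findall(query)]

def in_range(value, spec):
    """'from..to' on ISO 8601 dates; an empty side means unbounded."""
    lo, hi = spec.split("..", 1)
    d = date.fromisoformat(value[:10])
    return ((not lo or d >= date.fromisoformat(lo[:10]))
            and (not hi or d <= date.fromisoformat(hi[:10])))

def term_matches(threat, attr, alts):
    if attr in DATE_ATTRS:
        return any(in_range(threat[attr], a) for a in alts)
    if attr in KNOWN_ATTRS:
        have = threat.get(attr)
        have = set(have) if isinstance(have, list) else {have}
        return bool(have & set(alts))
    # Assumption: any other attribute is a reporting-tag key on the endpoint.
    tags = threat.get("tags", {})
    if alts == ["*"]:
        return attr in tags       # tag present with any value
    if alts == ["!"]:
        return attr not in tags   # tag absent
    return tags.get(attr) in alts

def matches(threat, query):
    """Every term must match (AND); alternatives within one term are OR'd."""
    return all(term_matches(threat, a, v) for a, v in parse_filter(query))

# Constructed sample threats, not real Red Canary data.
THREATS = [
    {"id": 1, "state": "new", "severity": "high", "published_at": "2022-02-03",
     "classification": ["Malicious Software", "Worm"], "hostname": "admin-pc",
     "tags": {"Business Unit": "Headquarters", "endpoint_type": "workstation"}},
    {"id": 2, "state": "remediated", "severity": "medium", "published_at": "2022-01-20",
     "classification": ["Suspicious Activity", "Process"], "hostname": "web-01",
     "tags": {"endpoint_type": "server"}},
]

def find(query, threats=THREATS):
    return [t["id"] for t in threats if matches(t, query)]
```

Running `find('classification:"Worm"|"Process"')` returns both sample threats, while `find('"Business Unit":!')` returns only the one whose endpoint carries no such tag.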