Filter and find specific threats in Red Canary.
Estimated reading time: 2 minutes
To group and understand your threats, you can filter them by attribute.
- In Red Canary, click Threats.
- Enter attributes in the Threats filter bar, and then press Enter.
Supported filter attributes
| Attribute | Description | Example |
| State | The state of the threat. Valid options are new, acknowledged, remediated, and not_remediated. Separate multiple values with a vertical bar (|). |
state:newstate:new|acknowledgedstate:remediated|not_remediated |
| Severity | The severity of the threat. Separate multiple values with a vertical bar (|). |
severity:highseverity:high|medium |
| Classification | Strings indicating the classification and sub-classification of a threat. Separate multiple values with a vertical bar (|). |
classification:"Malicious Software"classification:"Worm"|"Process" |
| Published at | The publishing date and time. | published_at:2022-02-02.. |
| Acknowledged at | The date and time the threat was last acknowledged. | acknowledged_at:2022-02-02.. |
| Acknowledged by | The email of the user who acknowledged the threat. | acknowledged_by:johndoe@acme.com |
| Last seen at | Filter by the date and time that associated activity was last observed. | last_seen_at:2022-02-02.. |
| Hostname | The current hostname of the endpoint associated with the threat. | hostname:admin-pc |
| Reporting tag | The "key":"value" reporting tag currently applied to an endpoint associated with the threat. |
endpoint_type:workstation"Business Unit":"Headquarters""Business Unit":* (any endpoint with any value of this tag)"Business Unit":! (any endpoint without this tag) |
A note on dates and times:
Date filters are specified with a from..to syntax where either from or to can be unbounded:
2020-01-01..filters for matches on or after (>=) thefromdate..2020-01-01filters for matches on or before (<=) thetodate2020-01-01..2020-01-31filters for matches on or after (>=) thefromdate and on or before (<=) thetodate
To filter endpoints by operating system, use theoperating_system:field. You may either type a word after the colon, for example,operating_system:windows;or multiple words surrounded by double quotes, for example,operating_system:"Windows 10". This field is not case-sensitive, and will match on specific endpoint operating systems, as well as canonicalized names.
Comments
0 comments
Please sign in to leave a comment.