Filter and find specific threats in Red Canary.
To group and understand your threats, you can filter them by attribute.
- In Red Canary, click Threats.
- Enter attributes in the Threats filter bar, and then press Enter.
Supported filter attributes
| Attribute | Description |
|---|---|
| State | The state of the threat. Valid options are |
| Severity | The severity of the threat. Separate multiple values with a vertical bar (`\|`). |
| Classification | Strings indicating the classification and sub-classification of a threat. Separate multiple values with a vertical bar (`\|`). |
| Published at | The publishing date and time. |
| Acknowledged at | The date and time the threat was last acknowledged. |
| Acknowledged by | The email of the user who acknowledged the threat. |
| Last seen at | Filter by the date and time that associated activity was last observed. |
| Hostname | The current hostname of the endpoint associated with the threat. |
A note on dates and times:
Date filters are specified with a `from..to` syntax, where either `from` or `to` can be unbounded:
- `2020-01-01..` filters for matches on or after (>=) the `from` date.
- `..2020-01-01` filters for matches on or before (<=) the `to` date.
- `2020-01-01..2020-01-31` filters for matches on or after (>=) the `from` date and on or before (<=) the `to` date.
To filter endpoints by operating system, use the `operating_system:` field. You may either type a single word after the colon, for example `operating_system:windows`, or multiple words surrounded by double quotes, for example `operating_system:"Windows 10"`. This field is not case-sensitive and will match on specific endpoint operating systems as well as canonicalized names.
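The following is an added example, not part of the Red Canary documentation or product, that implements the filter grammar described on this page: `key:value` terms, vertical-bar-separated alternatives, double-quoted multi-word values, and the `from..to` date syntax with an unbounded side. The field keys `severity`, `published_at` and `hostname` and the sample records are constructed assumptions for the example; only `operating_system:` is a key the page documents.

```python
import shlex
from datetime import date

# Constructed sample records; the keys are assumptions, not documented field names.
THREATS = [
    {"id": 1, "severity": "High", "published_at": date(2020, 1, 10), "hostname": "ws-01"},
    {"id": 2, "severity": "Medium", "published_at": date(2020, 2, 3), "hostname": "ws-02"},
    {"id": 3, "severity": "Low", "published_at": date(2019, 12, 30), "hostname": "srv-01"},
]

def parse_date_range(text):
    """'from..to' -> (lower, upper); an empty side means that bound is unbounded."""
    if ".." not in text:
        raise ValueError(f"not a from..to range: {text!r}")
    lo, hi = text.split("..", 1)
    lower = date.fromisoformat(lo) if lo else None
    upper = date.fromisoformat(hi) if hi else None
    if lower and upper and lower > upper:
        raise ValueError(f"from date {lower} is after to date {upper}")
    return lower, upper

def in_range(day, bounds):
    """Inclusive on both ends: on or after from (>=), on or before to (<=)."""
    lower, upper = bounds
    return (lower is None or day >= lower) and (upper is None or day <= upper)

def parse_filter(query):
    """'key:value key2:a|b key3:"two words"' -> {key: [values]}.
    shlex strips the double quotes around multi-word values; '|' splits alternatives."""
    terms = {}
    for token in shlex.split(query):
        key, sep, value = token.partition(":")
        if not sep or not key:
            raise ValueError(f"expected key:value, got {token!r}")
        terms[key] = value.split("|")
    return terms

def matches(threat, terms):
    """AND across keys, OR within a key; string comparison is case-insensitive."""
    for key, values in terms.items():
        field = threat.get(key)
        if field is None:
            return False
        if isinstance(field, date):
            if not any(in_range(field, parse_date_range(v)) for v in values):
                return False
        elif not any(v.lower() == str(field).lower() for v in values):
            return False
    return True

def search(query, threats=THREATS):
    """Return the ids of the records matching a filter-bar query string."""
    terms = parse_filter(query)
    return [t["id"] for t in threats if matches(t, terms)]
```

Canonicalized operating system names are not modelled here; exact case-insensitive comparison stands in for that matching.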