Difference between monitoring_status and state:online for endpoints

Issue

What is the difference between status:online and monitoring_status:monitored for endpoints? What is the time frame criteria for each?

Resolution

monitoring_status is a field that comes directly from the EDR platform. It’s the EDR platform telling Red Canary that they’re monitoring (or not) the endpoint. 

Red Canary doesn’t have a status attribute, but does use the state attribute, for instance: state:online . This one returns true if the endpoint has checked in within the last hour.