Issue
What is the difference between status:online and monitoring_status:monitored for endpoints? What are the time frame criteria for each?
Resolution
monitoring_status is a field that comes directly from the EDR platform. It’s the EDR platform telling Red Canary whether or not it is monitoring the endpoint.
Red Canary doesn’t have a status attribute, but does use the state attribute, for instance: state:online. This returns true if the endpoint has checked in within the last hour.