CWP Shell Activities
Red Canary is proud to announce CWP Shell Activities, a new way to filter, sort, and search through all commands run in shells across your workloads.
Shell Activities at a Glance
Shell Activities can be found in your CWP portal under the Activities page.
Shell Activities builds on existing detection capabilities in CWP that look at threats taking place in shells and associated with specific commands. CWP already collects and alerts on malicious activity happening in shells. The new Shell Activities function takes this same command information and surfaces 1 month of every command run in your workloads on a new Activities page of the portal.
Shell Activities offers a timeline view of each command, alongside information about the user and workload and the specific command run. You can search and filter by a wide range of metadata, including narrowing results to a specific time range, user, workload, or even arbitrary string or command.
These activities can also be queried using relative timestamps. For instance, queries can find activity from the present back to a certain number of hours or days, or between two relative points in time:
Activity from within the last 12 hours
Activity from between 26 hours ago and 24 hours ago
Activity from the last 3 days
Activity from between 7 days ago and 3 days ago
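As an added illustration (not Red Canary code and not the portal's actual query syntax), the Python below shows how relative windows like the four above resolve to absolute bounds and then filter a constructed set of activity records by time range, user, workload and command substring; the record layout and field names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; a live service would use the current time.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample activity records (not real CWP data), one per command run in a shell.
RECORDS = [
    {"ts": NOW - timedelta(hours=2),         "user": "deploy", "workload": "web-01", "command": "systemctl restart nginx"},
    {"ts": NOW - timedelta(hours=25),        "user": "dba",    "workload": "db-01",  "command": "mysqldump -u backup -pHunter2 app > app.sql"},
    {"ts": NOW - timedelta(days=2, hours=3), "user": "deploy", "workload": "web-02", "command": "tar czf /tmp/www.tgz /var/www"},
    {"ts": NOW - timedelta(days=5),          "user": "root",   "workload": "db-01",  "command": "useradd -m svc-report"},
    {"ts": NOW - timedelta(days=40),         "user": "deploy", "workload": "web-01", "command": "git pull"},
]


def relative_window(older, newer=timedelta(0), now=NOW):
    """Turn 'between <older> ago and <newer> ago' into absolute (start, end) timestamps.
    newer defaults to zero, which yields 'from <older> ago until now'."""
    if older < newer:
        raise ValueError("older bound must lie further in the past than newer bound")
    return now - older, now - newer


def search(records, older, newer=timedelta(0), user=None, workload=None, contains=None, now=NOW):
    """Keep records inside the relative window, then narrow by optional user, workload and substring."""
    start, end = relative_window(older, newer, now)
    hits = [r for r in records if start <= r["ts"] <= end]
    if user is not None:
        hits = [r for r in hits if r["user"] == user]
    if workload is not None:
        hits = [r for r in hits if r["workload"] == workload]
    if contains is not None:
        hits = [r for r in hits if contains in r["command"]]
    # Newest first, matching a timeline view.
    return sorted(hits, key=lambda r: r["ts"], reverse=True)


if __name__ == "__main__":
    # "Activity from the last 3 days"
    for r in search(RECORDS, timedelta(days=3)):
        print(r["ts"].isoformat(), r["user"], r["workload"], r["command"])
```

The substring filter also shows why the FAQ below warns about typing secrets into a shell: the constructed mysqldump line, password included, is returned verbatim by a search for "-p".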
How to Access
The Shell Activities feature is automatically enabled for your existing CWP portal, and is part of any CWP Enterprise or Managed subscription.
Frequently Asked Questions
Q: Does this add new detection capabilities to CWP?
A: Red Canary constantly adds and adjusts detection capabilities, and we already review all shell commands for potentially malicious behavior. Shell Activities does not add any new detection capabilities, but instead shows you what we collect for your further review and analysis.
Q: How much data can I search?
A: You can search back through 1 month of commands run in your workloads. Red Canary still archives up to a year of your data, including shell commands run.
Q: What can I sort or filter by in Shell Activities?
A: You can search or filter by any metadata associated with a command, including time ranges, machine hostnames/IDs, commands, strings, and users.
Q: Is information filtered out of Shell Activities?
A: No. Any information entered as part of a command is shown in Shell Activities. However, entering plaintext passwords, credentials, PII, or other sensitive data in a shell is generally bad security practice and should be avoided. Most shells log command-line arguments to a history file on disk, and anything malicious that gets onto a system could scrape your shell history files.
Q: If I decommission a workload, do I lose Shell Activities data?
A: No, data is preserved in Shell Activities even if you decommission a workload.
Q: I see "no_endpoint" as the hostname for a device. Why?
A: If a workload is still syncing with Red Canary, we may show "no_endpoint" as the temporary hostname in Shell Activities. The hostname will be automatically updated once the workload fully checks in with Red Canary.
Q: Does my account have access to this feature?
A: Yes! Any paid CWP account (Enterprise/Managed) has access to Shell Activities. Shell Activities will not be shown for any devices with a Free license.
Q: Do I need to pay extra for Shell Activities?
A: No! Shell Activities is included with any paid CWP plan.