Linux EDR Shell Activities
Linux Endpoint Detection and Response (EDR) Shell Activities is a method for filtering, sorting, and searching commands executed in shells across your workloads.
Shell Activities at a Glance
From the main navigation menu, click Telemetry to access Shell Activities.
Shell Activities extends Linux EDR's existing detection capabilities for threats occurring in shells and associated with specific commands. Linux EDR already collects and alerts on malicious activity happening in shells. The Shell Activities function uses this same command information and reports one month's worth of all commands run in your workloads into a new Red Canary Activities page.
Shell Activities offers a timeline view of each command, alongside information about the user and workload, and the specific command run. You can search and filter by a wide range of metadata, including narrowing results to a specific time range, user, workload, or even arbitrary string or command.
These activities can also be queried using relative timestamps. For instance, a query can return activity from the present back a given number of hours or days, or activity that falls between two relative points in time.
Activity from within the last 12 hours: activity_at:-12h
Activity from between 26 hours ago and 24 hours ago: activity_at:-26h..-24h
Activity from the last 3 days: activity_at:-3d
Activity from between 7 days ago and 3 days ago: activity_at:-7d..-3d
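The relative-time syntax shown above, parsed and applied to a few constructed activity records, as an added example; this is not Red Canary's code, the query grammar is inferred from the four examples on this page, and the record fields (hostname, user, command, activity_at) are assumed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed shell-activity records (not real telemetry); timestamps are relative to NOW.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
ACTIVITIES = [
    {"hostname": "web-01", "user": "deploy", "command": "systemctl restart nginx",
     "activity_at": NOW - timedelta(hours=2)},
    {"hostname": "db-02", "user": "postgres", "command": "tar czf /tmp/backup.tgz /var/lib/pgsql",
     "activity_at": NOW - timedelta(hours=25)},
    {"hostname": "no_endpoint", "user": "ubuntu", "command": "apt-get update",
     "activity_at": NOW - timedelta(days=5)},
    {"hostname": "web-01", "user": "deploy", "command": "git pull",
     "activity_at": NOW - timedelta(days=10)},
]

_UNITS = {"h": "hours", "d": "days"}          # only the units the page's examples use
_OFFSET = re.compile(r"^-(\d+)([hd])$")       # e.g. "-12h", "-3d"


def parse_offset(token, now):
    """Turn a relative token such as '-12h' or '-3d' into an absolute timestamp."""
    m = _OFFSET.match(token)
    if not m:
        raise ValueError(f"bad relative offset: {token!r}")
    return now - timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def parse_activity_at(query, now=None):
    """Parse 'activity_at:-12h' or 'activity_at:-26h..-24h' into a (start, end) window.

    A single offset means "from that point up to now"; 'a..b' means "from a to b",
    with the older (more negative) offset first, as in the page's examples.
    """
    now = now or datetime.now(timezone.utc)
    prefix = "activity_at:"
    if not query.startswith(prefix):
        raise ValueError("query must start with activity_at:")
    spec = query[len(prefix):]
    if ".." in spec:
        start_tok, end_tok = spec.split("..", 1)
        start, end = parse_offset(start_tok, now), parse_offset(end_tok, now)
    else:
        start, end = parse_offset(spec, now), now
    if start > end:
        raise ValueError("window start is after window end")
    return start, end


def search(query, activities=ACTIVITIES, now=NOW):
    """Return the records whose activity_at falls inside the query window (inclusive)."""
    start, end = parse_activity_at(query, now)
    return [a for a in activities if start <= a["activity_at"] <= end]
```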
Access Shell Activities
The Shell Activities feature is automatically enabled for your existing Red Canary account, and is part of any Linux EDR Enterprise or Managed subscription.
Access Telemetry Search for additional information.
FAQ
Does this add new detection capabilities to Linux EDR?
Red Canary constantly adds and adjusts detection capabilities, and we already review shell commands for potentially malicious behavior. Shell Activities does not add any new detection capabilities but shows you what we collect for your further review and analysis.
How much data can I search for?
You can search back through one month of commands run in your workloads. Red Canary still archives up to a year of your data, including shell commands run.
What can I sort or filter by in Shell Activities?
You can search or filter by any metadata associated with a command, including time ranges, machine hostnames/ids, commands, strings, and users.
Is information filtered out of Shell Activities?
No, any information entered as part of a command is shown in Shell Activities. However, entering plain-text passwords, credentials, PII, or other sensitive data in a shell is generally a bad security practice and should be avoided. Most shells log command line arguments to a history file on disk, and anything malicious that gets onto a system could scrape those shell history files.
Do I lose Shell Activities data if I decommission a workload?
No, data is preserved in Shell Activities even if you decommission a workload.
I see "no_endpoint" as the hostname for a device. Why?
If a workload is still syncing with Red Canary, we may show "no_endpoint" as the temporary hostname in Shell Activities. The hostname will automatically update once the workload fully checks in with Red Canary.
Does my account have access to this feature?
Yes! Any paid Linux EDR account (Enterprise/Managed) has access to Shell Activities. Shell Activities will not be shown for any devices with a Free license.
Do I need to pay extra for Shell Activities?
No! Shell Activities is included with any paid Linux EDR plan.