Our team would like to inquire about the process of decommissioning endpoints. Is this something that is done automatically or does it have to be a manual effort by someone on the team?
In addition, what are the criteria for Red Canary detecting whether a sensor is decommissioned or not? Is this something we can receive more alerts on, and is it something our team should be looking out for?
Any user with the Admin role can manually decommission endpoints. See Decommissioning endpoints.
As long as sensor software remains installed, an Admin can reinstate a decommissioned endpoint and resume sending telemetry to Red Canary. For further visibility, you can set up automation to alert users when a decommissioned endpoint comes back online.
1. In the Automate page, create a new trigger to check when a decommissioned endpoint's status changes to "online."
Note: additional conditions can be added to include/exclude certain endpoints.
2. Create a playbook that executes from the trigger. As an example, this playbook sends an email to specified recipients stating that the endpoint should be reviewed and brought back online if necessary:
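The trigger and playbook above are configured in the Automate UI; the following is an added model of the same logic, not Red Canary's own code or event format. It assumes constructed sample events carrying a hostname, a decommissioned flag and an online/offline status, and an assumed exclusion list standing in for the trigger's extra conditions.

```python
"""Model of the 'decommissioned endpoint came back online' trigger and email playbook.
SAMPLE_EVENTS is constructed sample data, not Red Canary's real event schema."""

SAMPLE_EVENTS = [  # constructed: one status report per line
    {"hostname": "ws-101", "decommissioned": True,  "status": "offline"},
    {"hostname": "ws-101", "decommissioned": True,  "status": "online"},   # offline -> online: alert
    {"hostname": "ws-202", "decommissioned": False, "status": "online"},   # active endpoint: no alert
    {"hostname": "lab-01", "decommissioned": True,  "status": "online"},   # excluded by condition
    {"hostname": "ws-101", "decommissioned": True,  "status": "online"},   # already online: no repeat
    {"hostname": "ws-303", "decommissioned": True,  "status": "online"},   # first seen online: alert
]


class ReinstatementMonitor:
    """Tracks the last status seen per endpoint and fires when a decommissioned
    endpoint transitions to 'online'. An endpoint never seen before counts as a
    transition, so a decommissioned host that appears already online is reported."""

    def __init__(self, excluded_hostnames=()):
        self.excluded = set(excluded_hostnames)   # hypothetical include/exclude condition
        self.last_status = {}

    def evaluate(self, event):
        host = event["hostname"]
        prev = self.last_status.get(host)
        self.last_status[host] = event["status"]
        if host in self.excluded or not event["decommissioned"]:
            return None
        if event["status"] == "online" and prev != "online":
            return build_alert_email(host)
        return None


def build_alert_email(hostname, recipients=("secops@example.invalid",)):
    """Playbook action: the email the trigger sends to the specified recipients."""
    return {
        "to": list(recipients),
        "subject": f"Review needed: decommissioned endpoint {hostname} is back online",
        "body": (f"Endpoint {hostname} is decommissioned but has started sending telemetry again. "
                 "Review it and reinstate it if it should remain monitored."),
    }


def run_monitor(events, excluded_hostnames=()):
    """Feed events through the monitor and return the alerts it produced."""
    monitor = ReinstatementMonitor(excluded_hostnames)
    return [a for a in (monitor.evaluate(e) for e in events) if a is not None]


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS, excluded_hostnames=["lab-01"]):
        print(alert["subject"])
```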