We would like to be able to query for endpoints that are not sending telemetry with the Red Canary API.
Red Canary API
On your Red Canary Dashboard the number of "Monitored" endpoints is listed. Whenever we discover one or more endpoints that are not sending telemetry, we also display that count on the Dashboard. The endpoints that are currently "not sending telemetry" are listed in the red bar just below the number of "Monitored" endpoints.
If you click on that red bar you will be directed to your Red Canary > Endpoints page with the filter string already populated. When you land on the Endpoints page, take note of the filter string listed in the search bar.
For this example, when we clicked on the red bar that shows "1 not sending telemetry" we were presented with the following filter string on the Red Canary > Endpoints page:
You will need to use the "List Endpoints" API query and include the filter_query parameter. The value of the filter_query parameter should mirror the filter string shown on your Endpoints page. This will enable you to retrieve a current list of endpoints that are not sending telemetry.
Here are the steps to set up the API query:
- First, open the Red Canary API documentation for reference:
  - Open Red Canary and click on your User icon (top right corner of the screen)
  - Select "API"
- In the Red Canary API documentation, click on "Endpoints" in the left menu bar, then select "List Endpoints." This will display the "List Endpoints" API query parameters.
- The API query will need to use the following format:
  - GET /openapi/v3/endpoints
  - Example: GET https://mysubdomain.my.redcanary.co/openapi/v3/endpoints
- Next, you will need to set up your API query parameters.
  - For this query you will need to use the filter_query parameter.
  - The value you use for the filter_query parameter must mirror the filter string that was shown on the Endpoints page. You can adjust the last_checkin_time date and time, but for current and accurate results we recommend using the date of the first day of the week (in this example it was Monday 2021-10-11) and the current time (Example: last_checkin_time:2021-10-11T18:32:00Z..)
- The complete API query will look like this:
  - GET https://mysubdomain.my.redcanary.co/openapi/v3/endpoints?filter_query=state:enrolled is_protected:false last_checkin_time:2021-10-11T18:32:00Z..
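The query above, built programmatically so the last_checkin_time always starts on Monday of the current week at the current time, as an added example that is not Red Canary's own code. It assumes the "mysubdomain" placeholder from the article, a constructed reference timestamp (EXAMPLE_NOW), and a Bearer-token Authorization header for the API key, which is an assumption; confirm the authentication scheme in the API documentation reached via User icon > API.

```python
"""Build and send the Red Canary "List Endpoints" query for endpoints that
are not sending telemetry, mirroring the Dashboard filter string."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Placeholder subdomain from the article; replace with your own.
SUBDOMAIN = "mysubdomain"
# Constructed reference time: Wednesday of the week used in the article.
EXAMPLE_NOW = datetime(2021, 10, 13, 18, 32, tzinfo=timezone.utc)


def week_start_checkin_filter(now: datetime) -> str:
    """Return a last_checkin_time term starting on Monday of the week that
    contains `now`, at the same time of day, with the trailing '..' the
    article's filter string uses."""
    monday = now - timedelta(days=now.weekday())  # weekday(): Monday == 0
    return "last_checkin_time:" + monday.strftime("%Y-%m-%dT%H:%M:%SZ") + ".."


def build_filter_query(now: datetime) -> str:
    """Mirror the Endpoints page filter: enrolled, not protected, and the
    last_checkin_time term computed above."""
    return " ".join(["state:enrolled", "is_protected:false",
                     week_start_checkin_filter(now)])


def build_endpoints_url(subdomain: str, filter_query: str) -> str:
    """GET /openapi/v3/endpoints with filter_query URL-encoded. The spaces
    and colons in the filter string must be encoded in a real request;
    pasting the raw string into a URL will not work reliably."""
    query = urllib.parse.urlencode({"filter_query": filter_query})
    return f"https://{subdomain}.my.redcanary.co/openapi/v3/endpoints?{query}"


def fetch_endpoints(url: str, api_key: str) -> dict:
    """Send the query and return the decoded JSON body. The Authorization
    header used here is an assumption, not taken from the article."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url = build_endpoints_url(SUBDOMAIN, build_filter_query(datetime.now(timezone.utc)))
    print(url)
    # body = fetch_endpoints(url, "<API_KEY_PLACEHOLDER>")
```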