Issue
Is it possible to decommission endpoints in bulk?
Environment
Red Canary
Resolution
Red Canary has recently made the API route for decommissioning endpoints available to its users. This action can be performed on a set of endpoints based on their endpoint ID.
https://go.my.redcanary.co/openapi/v3/docs/index.html#tag-Decommission
Note: The endpoint ID is a value that Red Canary assigns to each endpoint for database purposes. This value may not be the same as the sensor ID which is a value that is assigned to an endpoint by the EDR provider.
To determine the endpoint ID for a given endpoint, a user can export a list of endpoints to decommission in Red Canary by using a filter like last_checkin_time and downloading the corresponding CSV file.
In the CSV file, the Red Canary Endpoint URL column contains the endpoint ID values that must be used for this operation.