This article provides a quick reference to filtering your identities.
To better understand and group your identities, you can filter them by attribute.
- In Red Canary, click Identities.
- Enter attributes in the Identities filter bar, and then hit Return or Enter.
Supported filter attributes
| Attribute | Description | Example |
| --- | --- | --- |
| Username | The identity's username. | `username:testy-mcuserton` |
| UID | The identity's unique identifier. | `uid:S-1-5-21-1524466345-1983322813-2932557491-500`, `uid:S-1-5-3` |
| Type | The identity type, for example, "endpoint domain account." | `type:endpoint_domain_account`, `type:endpoint_local_account`, `type:endpoint_system_account` |
| Logon domain | The logon domain, which is any string in the identity preceded by a double backslash (`\\`). | `logon_domain:acmecorp` |
| Reporting tag | Current "key":"value" reporting tags applied to an identity. | `custom_tag:value`, `"Business Unit":"Headquarters"`, `"Business Unit":*` (any identity with any value of this tag), `"Business Unit":!` (any identity without this tag) |
| Latest detection time | The last time when Red Canary identified a threat associated with an identity. | `latest_detection_at:2022-03-02..` |
Dates are specified using `from..to` syntax, where `from` and `to` are date-times or ISO 8601 dates. You can omit either `from` or `to` to filter for unbounded times.
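The following added example (not Red Canary code) models the `from..to` range forms locally so you can check which identities a `latest_detection_at` filter should return. The function names and the identity records are constructed for illustration; treating bounds as inclusive, treating values without an offset as UTC, and rejecting a range with both sides omitted are assumptions, not documented behavior.

```python
from datetime import datetime, timezone

def parse_bound(text):
    """Parse one side of a range; an empty string means unbounded (None)."""
    if not text:
        return None
    dt = datetime.fromisoformat(text.replace("Z", "+00:00"))
    # Assumption: a date or date-time without an offset is treated as UTC.
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def parse_range(value):
    """Split 'from..to' into (start, end); either side may be omitted."""
    if ".." not in value:
        raise ValueError("range must contain '..'")
    start_txt, end_txt = value.split("..", 1)
    start, end = parse_bound(start_txt.strip()), parse_bound(end_txt.strip())
    if start is None and end is None:
        # Assumption: a range with no bounds at all is rejected.
        raise ValueError("at least one bound is required")
    if start and end and start > end:
        raise ValueError("'from' is later than 'to'")
    return start, end

def in_range(when, bounds):
    """Assumption: both bounds are inclusive."""
    start, end = bounds
    return (start is None or when >= start) and (end is None or when <= end)

def filter_identities(identities, expression):
    """Return usernames whose latest detection falls inside the range."""
    attr, _, value = expression.partition(":")  # splits at the first colon only
    if attr != "latest_detection_at":
        raise ValueError("this example only handles latest_detection_at")
    bounds = parse_range(value)
    return [i["username"] for i in identities
            if i["latest_detection_at"]  # identities with no detection never match
            and in_range(parse_bound(i["latest_detection_at"]), bounds)]

# Constructed sample records, not real data.
IDENTITIES = [
    {"username": "testy-mcuserton", "latest_detection_at": "2022-03-05T14:30:00"},
    {"username": "svc-backup", "latest_detection_at": "2022-02-20T08:00:00"},
    {"username": "jdoe", "latest_detection_at": None},
]

if __name__ == "__main__":
    for expr in ("latest_detection_at:2022-03-02..",
                 "latest_detection_at:..2022-03-02",
                 "latest_detection_at:2022-02-01..2022-03-31"):
        print(expr, "->", filter_identities(IDENTITIES, expr))
```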