Identities are the users who operate on endpoints and other systems in your organization. These users can be humans interacting with your systems or the built-in system and service users that are part of every operating system.
Where do identities come from?
Identities are collected from several data types processed by Red Canary, such as telemetry collected from your endpoints and alerts collected from your other security products.
How are identities classified?
Endpoint identities are classified as either local or domain identities. Identities are classified as domain identities if they contain a domain prefix (domain\\username on Windows) and that domain is not that of a known endpoint’s hostname.
Endpoint identities are also classified as system accounts if they are identities commonly used by operating systems as system accounts—for example, s-1-5-18 (Local System on Windows) or _coreaudiod on macOS.
What tags are automatically applied to identities?
Red Canary automatically applies several tags to identities as they are created and updated:
- Local Account is set to true if the account appears to be a local (non-domain) account.
- Domain Account is set to true if the account appears to be a domain account.
- System Account is set to true if the account appears to be one commonly used by operating systems as system accounts.
To better understand and group your identities, you can filter them by attribute.
- From the navigation menu, click Identities.
- Enter attributes in the Identities filter bar, and then hit Return or Enter.
Supported filter attributes
|Username||The identity's username.||
|UID||The identity's unique identifier.||
|Type||The identity type, for example, "endpoint domain account."||
|Logon domain||The logon domain, which is any string in the identity preceded by a double backslash (
|Latest detection time||The last time when Red Canary identified a threat associated with an identity.||
A note on dates and times:
Date filters are specified with a
from..tosyntax where either
tocan be unbounded:
2020-01-01..filters for matches on or after (>=)the
..2020-01-01filters for matches on or before (<=)the
2020-01-01..2020-01-31filters for matches on or after (>=)the
fromdate and on or before (<=) the
Please sign in to leave a comment.