This article provides a quick reference to filtering your identities.
Estimated reading time: 2 minutes
To better understand and group your identities, you can filter them by attribute.
- In Red Canary, click Identities.
- Enter attributes in the Identities filter bar, and then hit Return or Enter.
Supported filter attributes
| Attribute | Description | Example |
| Username | The identity's username. | username:testy-mcuserton |
| UID | The identity's unique identifier. | uid:S-1-5-21-1524466345-1983322813-2932557491-500uid:S-1-5-3 |
| Type | The identity type, for example, "endpoint domain account." | type:endpoint_domain_accounttype:endpoint_local_accounttype:endpoint_system_account |
| Logon domain | The logon domain, which is any string in the identity preceded by a double backslash (\\). |
logon_domain:acmecorp |
| Reporting tag | Current "key":"value" reporting tags applied to an identity. |
custom_tag:value"Business Unit":"Headquarters""Business Unit":* (any identity with any value of this tag)"Business Unit":! (any identity without this tag) |
| Latest detection time | The last time when Red Canary identified a threat associated with an identity. | latest_detection_at:2022-03-02.. |
A note on dates and times:
Date filters are specified with a from..tosyntax where eitherfromortocan be unbounded:
2020-01-01..filters for matches on or after (>=)thefromdate..2020-01-01filters for matches on or before (<=)thetodate2020-01-01..2020-01-31filters for matches on or after (>=)thefromdate and on or before (<=) thetodate
Comments
0 comments
Please sign in to leave a comment.