This article provides a quick reference to filtering your identities.
Estimated reading time: 2 minutes
To better understand and group your identities, you can filter them by attribute.
- In Red Canary, click Identities.
- Enter attributes in the Identities filter bar, and then hit Return or Enter.
Supported filter attributes
| Attribute | Description | Example |
| Username | The identity's username. | username:testy-mcuserton |
| UID | The identity's unique identifier. | uid:S-1-5-21-1524466345-1983322813-2932557491-500uid:S-1-5-3 |
| Type | The identity type, for example, "endpoint domain account." | type:endpoint_domain_accounttype:endpoint_local_accounttype:endpoint_system_account |
| Logon domain | The logon domain, which is any string in the identity preceded by a double backslash (\\). |
logon_domain:acmecorp |
| Reporting tag | Current "key":"value" reporting tags applied to an identity. |
custom_tag:value"Business Unit":"Headquarters""Business Unit":* (any identity with any value of this tag)"Business Unit":! (any identity without this tag) |
| Latest detection time | The last time when Red Canary identified a threat associated with an identity. | latest_detection_at:2022-03-02.. |
Dates are specified using from..to syntax, where from and to are date-times or ISO 8601 dates. You can omit either from or to to filter for unbounded times.
Comments
0 comments
Please sign in to leave a comment.