Identities are the users who operate on endpoints and other systems in your organization. These users can be humans interacting with your systems or the built-in system and service users that are part of every operating system.
Where do identities come from?
Identities are collected from several data types processed by Red Canary, such as telemetry collected from your endpoints and alerts collected from your other security products.
How are identities classified?
Endpoint identities are classified as either local or domain identities. An identity is classified as a domain identity if it carries a domain prefix (domain\username on Windows) and that prefix is not the hostname of a known endpoint; otherwise it is classified as a local identity.
Endpoint identities are also classified as system accounts if they are identities commonly used by operating systems as system accounts, for example S-1-5-18 (Local System on Windows) or _coreaudiod on macOS.
What tags are automatically applied to identities?
Red Canary automatically applies several tags to identities as they are created and updated:
- Local Account is set to true if the account appears to be a local (non-domain) account.
- Domain Account is set to true if the account appears to be a domain account.
- System Account is set to true if the account appears to be one commonly used by operating systems as system accounts.
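The classification rules and the three automatic tags above, expressed as a small classifier. This is an added example, not Red Canary's code: the hostname set, the sample identities, and the extra well-known SIDs (S-1-5-19 and S-1-5-20) are assumptions made for the example; only S-1-5-18 and _coreaudiod are named on this page.

```python
"""Added example (not Red Canary's code): the classification rules above,
expressed as a small classifier that also derives the three automatic tags.

Rules implemented, as documented on this page:
  * a DOMAIN\\username prefix whose domain is not a known endpoint hostname
    -> endpoint_domain_account
  * a prefix that matches a known hostname, or no prefix at all
    -> endpoint_local_account
  * a well-known system SID or daemon user (S-1-5-18, _coreaudiod)
    -> endpoint_system_account
The hostname set and sample identities are constructed for the example.
"""

# Constructed: hostnames of endpoints the classifier is assumed to know about.
KNOWN_HOSTNAMES = {"WS-FINANCE-01", "BUILD-SRV-02"}

# Well-known system identities. S-1-5-18 (Local System) and _coreaudiod are
# named on the page; S-1-5-19 (Local Service) and S-1-5-20 (Network Service)
# are added here as an assumption about what "commonly used" covers.
SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
SYSTEM_USERNAMES = {"_coreaudiod"}


def split_identity(raw):
    """Split 'DOMAIN\\user' into (logon_domain, username).

    An identity with no backslash has no logon domain: returns (None, raw).
    """
    domain, sep, user = raw.partition("\\")
    return (domain, user) if sep else (None, raw)


def classify(raw, known_hostnames=KNOWN_HOSTNAMES):
    """Return the identity type as used by the type: filter."""
    domain, user = split_identity(raw)
    # System accounts are checked first so that a SID presented with a
    # prefix is not mistaken for a domain account.
    if user.upper() in SYSTEM_SIDS or user in SYSTEM_USERNAMES:
        return "endpoint_system_account"
    # Hostname comparison is case-insensitive: Windows logon domains and
    # hostnames are not case-sensitive.
    hosts = {h.upper() for h in known_hostnames}
    if domain is not None and domain.upper() not in hosts:
        return "endpoint_domain_account"
    return "endpoint_local_account"


def tags_for(raw, known_hostnames=KNOWN_HOSTNAMES):
    """Derive the three automatic tags from the classification.

    The page does not say whether a system account is also tagged as a
    local account; this example treats the three types as mutually
    exclusive, matching the three type: filter values.
    """
    kind = classify(raw, known_hostnames)
    return {
        "Local Account": kind == "endpoint_local_account",
        "Domain Account": kind == "endpoint_domain_account",
        "System Account": kind == "endpoint_system_account",
    }


if __name__ == "__main__":
    for raw in ("ACMECORP\\jdoe", "WS-FINANCE-01\\localadmin", "jdoe",
                "S-1-5-18", "_coreaudiod"):
        print(f"{raw:28} {classify(raw):26} {tags_for(raw)}")
```

One caveat the rule as written leaves open: the system-account check keys on the identifiers listed on the page, so an identity presented in name form rather than as a SID (for example NT AUTHORITY\SYSTEM) would fall through to the prefix rule in this example; a real pipeline would resolve such names to their SIDs before classifying.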
Filter identities
To better understand and group your identities, you can filter them by attribute.
- From the navigation menu, click Identities.
- Enter attributes in the Identities filter bar, and then press Return or Enter.
Supported filter attributes
Attribute | Description | Example
--- | --- | ---
Username | The identity's username. | `username:testy-mcuserton`
UID | The identity's unique identifier (a SID on Windows). | `uid:S-1-5-21-1524466345-1983322813-2932557491-500`, `uid:S-1-5-3`
Type | The identity type, for example "endpoint domain account." | `type:endpoint_domain_account`, `type:endpoint_local_account`, `type:endpoint_system_account`
Logon domain | The logon domain: the string that precedes the backslash in an identity such as `acmecorp\username`. | `logon_domain:acmecorp`
Reporting tag | Current "key":"value" reporting tags applied to an identity. Use `*` as the value to match any identity that has the tag with any value, and `!` to match any identity that does not have the tag. | `custom_tag:value`, `"Business Unit":"Headquarters"`, `"Business Unit":*` (any identity with any value of this tag), `"Business Unit":!` (any identity without this tag)
Latest detection time | The last time Red Canary identified a threat associated with the identity. | `latest_detection_at:2022-03-02..`
A note on dates and times: date filters use a from..to syntax where either from or to can be left empty (unbounded):
- 2020-01-01.. matches on or after (>=) the from date.
- ..2020-01-01 matches on or before (<=) the to date.
- 2020-01-01..2020-01-31 matches on or after (>=) the from date and on or before (<=) the to date.
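The filter attributes and the date-range syntax above, as an evaluator run against a constructed set of identities. This is an added example, not Red Canary's parser: the sample identities are made up, and the page does not state how multiple terms combine or whether attribute matches are case-sensitive, so this example assumes that all terms in a query are ANDed and that attribute values match exactly and case-insensitively.

```python
"""Added example (not Red Canary's parser): an evaluator for the filter
syntax documented above, run against a constructed set of identities.

Semantics implemented as documented: key:value terms with bare or "quoted"
keys and values; "tag":* matches any identity carrying the tag, "tag":!
any identity without it; latest_detection_at takes a from..to range with
either side left empty for unbounded. Assumed (not stated on the page):
all terms in one query are ANDed, attribute values match exactly and
case-insensitively, and an identity with no detection never matches a
date range.
"""
import re
from datetime import date

# One term: key (bare or quoted) ':' value (bare or quoted).
TERM_RE = re.compile(
    r'(?:"(?P<qk>[^"]*)"|(?P<k>[^\s:"]+)):(?:"(?P<qv>[^"]*)"|(?P<v>\S*))'
)
ATTRIBUTES = {"username", "uid", "type", "logon_domain"}

# Constructed sample identities; the SIDs and names are not real data.
IDENTITIES = [
    {"username": "testy-mcuserton",
     "uid": "S-1-5-21-1524466345-1983322813-2932557491-500",
     "type": "endpoint_local_account", "logon_domain": "WS-FINANCE-01",
     "tags": {"Business Unit": "Headquarters"},
     "latest_detection_at": date(2022, 3, 5)},
    {"username": "jdoe",
     "uid": "S-1-5-21-3623811015-3361044348-30300820-1104",
     "type": "endpoint_domain_account", "logon_domain": "ACMECORP",
     "tags": {"Business Unit": "Field"},
     "latest_detection_at": date(2022, 2, 28)},
    {"username": "SYSTEM", "uid": "S-1-5-18",
     "type": "endpoint_system_account", "logon_domain": None,
     "tags": {}, "latest_detection_at": None},
    {"username": "svc-backup",
     "uid": "S-1-5-21-3623811015-3361044348-30300820-1150",
     "type": "endpoint_domain_account", "logon_domain": "ACMECORP",
     "tags": {}, "latest_detection_at": date(2022, 3, 2)},
]


def parse_query(query):
    """Split the filter-bar string into (key, value) terms."""
    terms = []
    for m in TERM_RE.finditer(query):
        key = m.group("qk") if m.group("qk") is not None else m.group("k")
        value = m.group("qv") if m.group("qv") is not None else m.group("v")
        terms.append((key, value))
    return terms


def parse_date_range(spec):
    """'from..to' -> (from, to) dates; an empty side is None (unbounded)."""
    if ".." not in spec:
        raise ValueError(f"date filter must use from..to syntax: {spec!r}")
    lo, _, hi = spec.partition("..")
    return (date.fromisoformat(lo) if lo else None,
            date.fromisoformat(hi) if hi else None)


def date_in_range(value, rng):
    """Inclusive on both ends, matching the >= / <= wording on the page."""
    lo, hi = rng
    if value is None:
        return False
    return (lo is None or value >= lo) and (hi is None or value <= hi)


def term_matches(identity, key, value):
    if key in ATTRIBUTES:
        return (identity.get(key) or "").lower() == value.lower()
    if key == "latest_detection_at":
        return date_in_range(identity["latest_detection_at"],
                             parse_date_range(value))
    # Any other key is a reporting tag, with * and ! as presence tests.
    tags = identity["tags"]
    if value == "*":
        return key in tags
    if value == "!":
        return key not in tags
    return tags.get(key) == value


def filter_identities(identities, query):
    """Usernames of identities matching every term in the query."""
    terms = parse_query(query)
    return [i["username"] for i in identities
            if all(term_matches(i, k, v) for k, v in terms)]


if __name__ == "__main__":
    for q in ('type:endpoint_domain_account', '"Business Unit":*',
              '"Business Unit":!', 'latest_detection_at:2022-03-02..',
              'latest_detection_at:2022-03-01..2022-03-03'):
        print(f"{q:45} -> {filter_identities(IDENTITIES, q)}")
```

The quoting rule in TERM_RE is what lets a tag key containing a space (`"Business Unit"`) survive tokenisation; a naive split on whitespace would break it into two bogus terms.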