Identities are the users who operate on endpoints and other systems in your organization. These users can be humans interacting with your systems or the built-in system and service users that are part of every operating system.
Where do identities come from?
Identities are collected from several data types processed by Red Canary, such as telemetry collected from your endpoints and alerts collected from your other security products.
How are identities classified?
Endpoint identities are classified as either local or domain identities. Identities are classified as domain identities if they contain a domain prefix (domain\\username on Windows) and that domain is not that of a known endpoint’s hostname.
Endpoint identities are also classified as system accounts if they are identities commonly used by operating systems as system accounts—for example, s-1-5-18 (Local System on Windows) or _coreaudiod on macOS.
What tags are automatically applied to identities?
Red Canary automatically applies several tags to identities as they are created and updated:
- Local Account is set to true if the account appears to be a local (non-domain) account.
- Domain Account is set to true if the account appears to be a domain account.
- System Account is set to true if the account appears to be one commonly used by operating systems as system accounts.
Filter identities
To better understand and group your identities, you can filter them by attribute.
- From the navigation menu, click Identities.
- Enter attributes in the Identities filter bar, and then hit Return or Enter.
Supported filter attributes
| Attribute | Description | Example |
| Username | The identity's username. | username:testy-mcuserton |
| UID | The identity's unique identifier. | uid:S-1-5-21-1524466345-1983322813-2932557491-500uid:S-1-5-3 |
| Type | The identity type, for example, "endpoint domain account." | type:endpoint_domain_accounttype:endpoint_local_accounttype:endpoint_system_account |
| Logon domain | The logon domain, which is any string in the identity preceded by a double backslash (\\). |
logon_domain:acmecorp |
| Reporting tag | Current "key":"value" reporting tags applied to an identity. |
custom_tag:value"Business Unit":"Headquarters""Business Unit":* (any identity with any value of this tag)"Business Unit":! (any identity without this tag) |
| Latest detection time | The last time when Red Canary identified a threat associated with an identity. | latest_detection_at:2022-03-02.. |
A note on dates and times:
Date filters are specified with a from..tosyntax where eitherfromortocan be unbounded:
2020-01-01..filters for matches on or after (>=)thefromdate..2020-01-01filters for matches on or before (<=)thetodate2020-01-01..2020-01-31filters for matches on or after (>=)thefromdate and on or before (<=) thetodate
Comments
0 comments
Please sign in to leave a comment.