Telemetry Search is a service that indexes all process starts and network connections from the last seven days of usage. Red Canary now includes a Telemetry Search page and search bar where you can search for specific telemetry parameters and view the results in a sortable table. The slide-out table displays all the data for that particular process.
You can conduct a keyword search in Telemetry Search to find information about process launches and network connections. Results are indexed by a third-party search engine (OpenSearch) and returned quickly and accurately. You can also execute partial searches or use wildcards to find a broader set of related telemetry.
All Telemetry Search results can be exported to a CSV file, giving you the ability to use the data outside of the constraints in the platform.
This tool enhances our existing Shell Activities feature, which enables you to detect process starts that most likely originated in a shell, by making it quick and straightforward to pinpoint individual processes. Including all process starts and network connections enables you to easily discover and correlate processes with the data Red Canary already provides.
This also gives detection engineers a single page to locate processes and network connections for threat and event analyses.
To assess your Linux EDR telemetry, you can filter by telemetry attributes.
- From the navigation menu, click Telemetry.
- Enter attributes in the Telemetry Search filter bar, and then press Enter or Return.
You can search by 'keyword:value' on any of the allowed filter attributes. Wildcards are supported, allowing you to search for all processes that match the value up to the wildcard.
Note: Text searches are always fuzzy matched unless there's a
For examples, please click here.
Supported filter attributes

| Attribute | Description |
|---|---|
| | The type of event that occurred, such as a network connection. |
| Is Shell Activity | A boolean that indicates if the process is an interactive shell command. |
| | The shell where the process was executed. |
| | The domain of a network connection. |
| | The IP address used in a network connection. |
| | The port used in a network connection, such as a local or remote port. |
| Local IP Type | The type of network connection that was made. |
| | The remote IP address used in a network connection. |
| | The remote port used in a network connection. |
| | Indicates if the remote network connection is internal or external. |
| Remote IP Type | The type of remote network connection that was made. |
| | The type of protocol used in the network connection. |
| | The direction of the network connection, such as inbound or outbound. |
| | Hostname used by the endpoint. |
| Endpoint operating system | The endpoint's operating system. |
| | The unique ID of the endpoint's sensor. |
| | The endpoint's sensor version. |
To filter endpoints by operating system, use the operating_system: field. You may either type a single word after the colon, for example operating_system:windows, or multiple words surrounded by double quotes, for example operating_system:"Windows 10". This field is not case-sensitive, and it matches on specific endpoint operating systems as well as canonicalized names.
| Attribute | Description |
|---|---|
| | The date or date range the process occurred at. |
| Process command line | The command line used by the process. |
| Parent process command line | Command line of the parent process. |
| | The name of the process. |
| Parent process name | Name of the parent process. |
| | The path of the process. |
| Parent process path | The path of the parent process. |
| | The process identification number (PID) used by the process. |
| Parent process pid | The process identification number (PID) used by the parent process. |
| | The MD5 hash of the process. |
| Parent process md5 | The MD5 hash of the parent process. |
| | The SHA-256 hash of the process. |
| Parent process sha256 | The SHA-256 hash of the parent process. |
| | The working directory of the process. |
| | The username of the user. |
| Login user name | The username of the login user. |
| | The user identifier (UID) of the user. |
| Login user uid | The user identifier (UID) of the login user. |
| | The Docker container ID holding the endpoint. |
| | The Docker container pod ID holding the endpoint. |
Date filters are specified with a from..to syntax, where either from or to can be left unbounded:

- 2020-01-01.. filters for matches on or after (>=) the from date.
- ..2020-01-01 filters for matches on or before (<=) the to date.
- 2020-01-01..2020-01-31 filters for matches on or after (>=) the from date and on or before (<=) the to date.

Dates can be specified as ISO 8601 dates or date-times.
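As an added illustration (written here, not Red Canary's own code), the following Python matcher implements the 'keyword:value' terms, double-quoted values, wildcards and from..to date ranges described above, so you can see how each syntax form is evaluated against a record; the sample records and every field name except operating_system are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Illustrative re-implementation of the page's filter grammar (not Red Canary code):
# terms are field:value, values may be "double quoted" to hold spaces, text values
# may use * wildcards (case-insensitive), and a value containing ".." is a date range.
TERM = re.compile(r'(\w+):(?:"([^"]*)"|(\S+))')

def parse_query(query):
    """Return (field, value) pairs from a query string, unquoting quoted values."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in TERM.finditer(query)]

def _iso(text):
    """Parse an ISO 8601 date or date-time; naive values are assumed to be UTC."""
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def date_in_range(ts, spec):
    """True if ts falls inside spec ('from..', '..to' or 'from..to'), bounds inclusive."""
    start, _, end = spec.partition("..")
    if start and ts < _iso(start):
        return False
    if end:
        upper = _iso(end)
        if len(end) == 10:  # assumption: a bare 'to' date covers that whole day
            return ts < upper + timedelta(days=1)
        return ts <= upper
    return True

def matches(record, query):
    """Every term must match the record (a dict); a missing field never matches."""
    for field, value in parse_query(query):
        if field not in record:
            return False
        if ".." in value:
            if not date_in_range(_iso(record[field]), value):
                return False
        elif not fnmatchcase(str(record[field]).lower(), value.lower()):
            return False
    return True

# Constructed sample records; field names other than operating_system are hypothetical.
SAMPLE = [
    {"operating_system": "Ubuntu 20.04", "remote_ip": "10.1.2.3", "started_at": "2020-01-15T10:00:00Z"},
    {"operating_system": "Windows 10", "remote_ip": "203.0.113.7", "started_at": "2020-02-01T00:00:00Z"},
]
def search(query, records=SAMPLE):
    return [r for r in records if matches(r, query)]
```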
Show only results of a particular event type
To return only network connections, you would use the search filter:
To return only process starts, you would use the search filter:
Show only shell activities
To return only processes designated as originating in a shell, you would use the search filter:
Wildcard search for an IP
To find IP addresses used in network connections that are part of a particular network, you would use the search filter:
Find all processes running in a container