Use filtering on the Red Canary Endpoints page to bulk decommission a large number of endpoint simultaneously.

Caution: Be very careful when filtering so that you don't inadvertently decommission the wrong endpoints.

Bulk decommission endpoints

In the following directions, we are going to assume that you have already setup a Playbook to auto-decommission endpoints that have not checked in for 59 days. (This means that all endpoints that have yet to hit that 59 day mark will be auto-decommissioned as soon as they hit day 59. However, all the endpoints that have already hit day 59+ will NOT be auto-decommissioned. These are the endpoints that we want to target).

Note: Playbooks are not retroactive, and an auto-decommission playbook will not decommission Endpoints that stopped checking in for X number of days prior to the configuration of the Playbook itself.

For the sake of example, we'll pretend that today is January 1, 2023 (1/1/2023). We'll also assume that you configured your auto-decommission Playbook today (1/1/2023). This means that all endpoints that hit the 59 day mark today (1/1/23) will not be decommissioned. Only endpoints that hit the 59 day mark going forward will be auto-decommissioned.

From the navigation menu, click Endpoints.
In the Endpoint inventory filter field, clear the "state:enrolled" filter, and then enter the following filter:
- last_checkin_time:..2022-11-03 (59 days ago).
  Note: The ".." preceding the date tells Red Canary to look for any endpoint whose "Last Checkin time" was 11/3/22 or before.
Click the magnifying glass icon to apply the filter. Red Canary will find all the endpoints that match the filter.
Click the Select all link to the top-right of the table containing the list of endpoints that match the filter. This will select all of the endpoints in the list.
Click the Decommission button.

The system will decommission all of the endpoints. The amount of time required to do so will depend on how many endpoints were in your list.