You can filter your endpoints to check their status. If you filter by uncommunicative:server and see results, each of those servers has a Last Check-In Time older than two hours.
The endpoint sync job updates an endpoint's last check-in time based on what we (Red Canary) receive from the source EDR platform. Endpoint sync keeps a local copy of this data so it can be retrieved more easily. The job runs approximately every 30 minutes, so a stale last check-in time could simply be a delayed sync: a recently restored endpoint could remain uncommunicative in Red Canary for another 30 minutes even though it is actively checking in with the EDR platform.
Note: Check to see if the endpoint has been replaced or upgraded and has a new sensor ID. It may be necessary to decommission the old object if that is the case.
Are other machines actively checking in?
If no machines show an updated last check-in time, the problem is most likely with the endpoint data sync between Red Canary and the EDR platform.
Is there a second endpoint record for the same online host?
Agents are sometimes reinstalled, resulting in multiple endpoints with the same hostname; one will be online while the other will not. If the endpoint is legitimately not communicating, Red Canary will delve into sensor troubleshooting.
- Is the service running?
- Was the sensor updated and does it need a reboot?
Note: If upgrading or reinstalling a sensor on a machine with communication issues is part of your troubleshooting, please make sure you pull sensor diagnostics first. This will capture the sensor logs. A sensor upgrade or reinstall will not preserve existing logs. If the problem persists, having the previous logs and any relevant errors can be helpful. You can share these with us via our Share a File tool.
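The checks above (two-hour threshold, 30-minute sync cadence, "are other machines checking in?", and "is there a second record for the same host?") can be applied to an export of endpoint records before you start sensor troubleshooting. The script below is an added illustration written for this article, not Red Canary code and not a product API; the `Endpoint` record, the `triage` function and the sample hostnames and sensor IDs are constructed for the example, and the "recheck after next sync" band (between two hours and two and a half hours) is a hypothetical heuristic derived from the sync interval described above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Thresholds taken from the article text.
UNCOMMUNICATIVE_AFTER = timedelta(hours=2)   # last check-in older than this -> uncommunicative:server
SYNC_INTERVAL = timedelta(minutes=30)        # approximate cadence of the endpoint sync job


@dataclass(frozen=True)
class Endpoint:
    """Hypothetical record shape; fields as they would come from an endpoint export."""
    hostname: str
    sensor_id: str
    last_checkin: datetime   # last check-in time as synced from the EDR platform (UTC)


def is_uncommunicative(ep: Endpoint, now: datetime) -> bool:
    """Mirror the uncommunicative:server filter: last check-in older than two hours."""
    return now - ep.last_checkin > UNCOMMUNICATIVE_AFTER


def may_be_sync_lag(ep: Endpoint, now: datetime) -> bool:
    """Hypothetical heuristic: the synced check-in time can lag the EDR by up to one
    sync interval, so an endpoint only slightly past the threshold may simply not
    have been re-synced yet. Worth re-checking after the next sync run."""
    age = now - ep.last_checkin
    return UNCOMMUNICATIVE_AFTER < age <= UNCOMMUNICATIVE_AFTER + SYNC_INTERVAL


def triage(endpoints, now):
    """Apply the article's checks to a list of Endpoint records and return a summary."""
    by_host = defaultdict(lambda: {"online": [], "offline": []})
    uncommunicative, recheck = [], []
    for ep in endpoints:
        if is_uncommunicative(ep, now):
            uncommunicative.append(ep.sensor_id)
            by_host[ep.hostname]["offline"].append(ep.sensor_id)
            if may_be_sync_lag(ep, now):
                recheck.append(ep.sensor_id)
        else:
            by_host[ep.hostname]["online"].append(ep.sensor_id)

    # Second endpoint record for the same online host: the offline record is a
    # candidate for decommissioning once it is confirmed to be the stale one.
    stale_duplicates = {
        host: {"online": sorted(v["online"]), "offline": sorted(v["offline"])}
        for host, v in by_host.items()
        if v["online"] and v["offline"]
    }

    # "Are other machines actively checking in?" If nothing at all has a fresh
    # check-in, suspect the sync between Red Canary and the EDR before the sensors.
    possible_sync_issue = bool(endpoints) and len(uncommunicative) == len(endpoints)

    return {
        "uncommunicative": sorted(uncommunicative),
        "recheck_after_next_sync": sorted(recheck),
        "stale_duplicates": stale_duplicates,
        "possible_sync_issue": possible_sync_issue,
    }


# Constructed sample data (not real endpoints); "now" is fixed so the output is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint("WS-01", "sensor-A", NOW - timedelta(minutes=10)),            # healthy
    Endpoint("WS-02", "sensor-B", NOW - timedelta(hours=3)),               # old record after reinstall
    Endpoint("WS-02", "sensor-C", NOW - timedelta(minutes=15)),            # new record, same hostname
    Endpoint("WS-03", "sensor-D", NOW - timedelta(hours=2, minutes=15)),   # just past the threshold
    Endpoint("SRV-01", "sensor-E", NOW - timedelta(hours=4)),              # genuinely offline
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_ENDPOINTS, NOW), indent=2))
```

Running the script on the sample data lists sensors B, D and E as uncommunicative, flags D for a recheck after the next sync, and reports WS-02 as a host with one online and one offline record, which is the situation where the older object may need to be decommissioned. If every record comes back uncommunicative, `possible_sync_issue` is set and the first thing to check is the sync itself rather than individual sensors.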