Issue
Regarding the "Endpoints missing a sensor" filter in Red Canary. Can this be used to identify endpoints in the environment that are active but do not have a sensor installed? What are the parameters and/or limitations of this filter?
Environment
Red Canary
VMware Carbon Black EDR / Cloud
Resolution
For most users, this filter will only find endpoints that have had their sensor uninstalled. Carbon Black, for instance, only sends Red Canary telemetry for endpoints that have a sensor, so we cannot see endpoints that never had a sensor; the only case we can detect is an endpoint whose Carbon Black sensor has since been uninstalled.
Also see Monitoring Sensor Health and Connection to Red Canary
Note: This filter only works with the following EDR providers:
- Cortex XDR
- Microsoft Defender for Endpoint (MDE)
Providers like Cortex and MDE can partially onboard devices such as IoT devices, mobile devices, and other devices using a network probe. Microsoft uses the Endpoint Manager tool to accomplish this process. Essentially, the probe scans your internal network for devices that may not be onboarded into MDE. The probe imports the device's information, such as hostname and IP, but never installs a sensor on the endpoint. These devices appear as "Can be onboarded" in MDE. Their endpoint details will still appear in Red Canary as endpoints because we can pull that metadata in using the Microsoft Security Graph API, and we can create an entry for them in Red Canary even though no sensor is installed on them.
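Added example (not code from the Red Canary article or from Microsoft): a small Python routine that separates the two populations described above, probe-discovered devices that never had a sensor and onboarded devices whose sensor has stopped reporting, from a constructed inventory shaped like Defender for Endpoint machine records. The field names computerDnsName, onboardingStatus and lastSeen, the status values, and the sample data are assumptions, not taken from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records shaped like MDE machine objects. The field names
# and status values are assumptions about the MDE API, not from the article.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

MACHINES = [
    {"computerDnsName": "ws-001", "onboardingStatus": "Onboarded",
     "lastSeen": "2024-05-31T22:00:00Z"},          # healthy sensor
    {"computerDnsName": "ws-002", "onboardingStatus": "Onboarded",
     "lastSeen": "2024-04-10T08:00:00Z"},          # sensor silent for weeks
    {"computerDnsName": "printer-7", "onboardingStatus": "CanBeOnboarded",
     "lastSeen": "2024-05-31T20:00:00Z"},          # found by the probe only
    {"computerDnsName": "badge-reader", "onboardingStatus": "Unsupported",
     "lastSeen": "2024-05-30T09:00:00Z"},          # probe found it, no sensor possible
]


def _parse(ts):
    # MDE timestamps are ISO 8601 with a trailing Z; make them tz-aware.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def classify_missing_sensor(machines, now=NOW, stale_days=14):
    """Split an inventory into the populations the article describes.

    discovered_no_sensor: seen by the network probe, never onboarded
        (shown as "Can be onboarded" in MDE).
    possibly_uninstalled: once onboarded, but the sensor has not reported
        for longer than stale_days, the uninstall case the filter catches.
    unsupported: discovered, but the platform cannot take a sensor.
    A device the probe has never seen cannot land in any list; that is the
    blind spot the article points out.
    """
    cutoff = now - timedelta(days=stale_days)
    result = {"discovered_no_sensor": [], "possibly_uninstalled": [],
              "unsupported": []}
    for m in machines:
        name, status = m["computerDnsName"], m.get("onboardingStatus")
        if status == "CanBeOnboarded":
            result["discovered_no_sensor"].append(name)
        elif status == "Onboarded" and _parse(m["lastSeen"]) < cutoff:
            result["possibly_uninstalled"].append(name)
        elif status != "Onboarded":
            result["unsupported"].append(name)
    return result
```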