Issue
Frequently asked questions regarding the effects and specifics of decommissioning endpoints in Red Canary Portal.
Environment
Red Canary Portal
Resolution
Table of Contents
- What is the impact of decommissioning an endpoint?
- When should endpoints be decommissioned?
- Why decommission endpoints at all?
- Who can decommission in Red Canary?
- Are decommissioned endpoints deleted from Red Canary Portal?
- Does decommissioning in Red Canary uninstall the EDR software from the endpoint?
- Can I automate the decommissioning process?
- What if a decommissioned endpoint later resumes sending data to Red Canary?
- Can I automate the recommissioning process?
- Can Red Canary publish threats for decommissioned endpoints?
What is the impact of decommissioning an endpoint?
Decommissioned endpoints are removed from the lists of uncommunicative servers and workstations in your daily email reports. Decommissioning also updates certain endpoint record fields, such as state:decommissioned and decommissioned:true, which can be used as query filters in Endpoints page searches or as trigger conditions in Red Canary Automation.
When should endpoints be decommissioned?
Endpoints should generally be decommissioned in Red Canary when monitoring and reporting for an endpoint are no longer required, such as a server removed from service or a deactivated machine. Aside from endpoint lifecycle management, other real-world scenarios may call for decommissioning, such as cleaning up duplicated endpoint records.
Why decommission endpoints at all?
Maintaining an accurate endpoint inventory through the use of decommissioning is important to ensure the accuracy and usefulness of Red Canary reporting, asset filtering, and automation. See Best Practices for Managing Endpoints in Red Canary for more information.
Who can decommission in Red Canary?
Any end user in your subdomain with the Admin or Responder role assigned can take the decommission action, either through the Portal or REST API. See Understand and Assign Roles for more information. Red Canary Support is unable to decommission endpoints on your behalf.
Are decommissioned endpoints and associated data deleted from Red Canary Portal?
No. Decommissioning does not delete the endpoint from Red Canary, even if the sensor is uninstalled; the endpoint record remains accessible from the Endpoints page. Use the state:decommissioned filter on the Endpoints page to display all decommissioned endpoints. Endpoint records and associated data, such as alerts or threats, are retained or purged from the Portal according to Red Canary's data retention policy.
Does decommissioning in Red Canary uninstall the EDR software from the endpoint?
No, with one exception: the decommission process does not uninstall the third-party sensor or send any commands back to the source EDR platform. Decommissioning is a process that stays entirely within the Red Canary ecosystem. The exception is endpoint records that originated from an active Carbon Black EDR server, for which an option to uninstall the sensor software is available when decommissioning the endpoint.
Can I automate the decommissioning process?
Yes, Red Canary Automation can be leveraged to automatically decommission endpoints based on the Last Checkin timestamp. The REST API can also be used to decommission endpoints in bulk.
What if a decommissioned endpoint later resumes sending data to Red Canary?
If the sensor software is still installed and a decommissioned endpoint comes back online and resumes sending telemetry to Red Canary (indicated by the Last Activity timestamp), that data is still monitored for threatening activity. As a best practice, endpoints that are sending data to Red Canary should be reinstated.
Can I automate the recommissioning process?
Yes, the automation described in this guide can be used to automatically reinstate decommissioned endpoints that later resume sending telemetry.
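As an added illustration of the two automations above (decommission on a stale Last Checkin, reinstate on a fresh Last Activity), here is the selection logic run over a constructed inventory. This is example code, not Red Canary's own code or API; the record field names and the two thresholds are assumptions noted in the comments.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample inventory. The field names mirror the concepts the FAQ
# uses (state, decommissioned flag, Last Checkin, Last Activity) but are
# assumptions for this example, not the Portal's exact record schema.
@dataclass
class Endpoint:
    hostname: str
    state: str                         # "active" or "decommissioned"
    decommissioned: bool
    last_checkin: datetime             # last sensor heartbeat seen by Red Canary
    last_activity: Optional[datetime]  # last telemetry received, None if never


def plan_lifecycle_actions(
    endpoints: List[Endpoint],
    now: datetime,
    stale_after: timedelta = timedelta(days=30),    # assumed decommission threshold
    recent_window: timedelta = timedelta(hours=24),  # assumed "resumed telemetry" window
) -> Tuple[List[str], List[str]]:
    """Return (to_decommission, to_reinstate) as sorted hostname lists.

    to_decommission: active endpoints whose Last Checkin is older than stale_after.
    to_reinstate:    decommissioned endpoints that sent telemetry inside recent_window,
                     the situation the FAQ says should be corrected by reinstating.
    """
    to_decommission, to_reinstate = [], []
    for ep in endpoints:
        if not ep.decommissioned and ep.state == "active":
            if now - ep.last_checkin > stale_after:
                to_decommission.append(ep.hostname)
        elif ep.decommissioned:
            if ep.last_activity is not None and now - ep.last_activity <= recent_window:
                to_reinstate.append(ep.hostname)
    return sorted(to_decommission), sorted(to_reinstate)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed records
    Endpoint("ws-01", "active", False, NOW - timedelta(days=1), NOW - timedelta(hours=1)),
    Endpoint("srv-old", "active", False, NOW - timedelta(days=45), NOW - timedelta(days=45)),
    Endpoint("srv-back", "decommissioned", True, NOW - timedelta(days=60), NOW - timedelta(hours=2)),
    Endpoint("srv-gone", "decommissioned", True, NOW - timedelta(days=90), None),
    Endpoint("ws-quiet", "decommissioned", True, NOW - timedelta(days=40), NOW - timedelta(days=40)),
]

if __name__ == "__main__":
    decom, reinstate = plan_lifecycle_actions(SAMPLE, NOW)
    print("decommission:", decom)   # ['srv-old']
    print("reinstate:", reinstate)  # ['srv-back']
```

The returned lists are what a bulk REST API call or an Automation trigger would act on; reviewing them before applying changes avoids decommissioning endpoints that are merely between heartbeats.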
Can Red Canary publish threats for decommissioned endpoints?
Yes, Red Canary can still publish threats for decommissioned endpoints, if threatening activity is identified from the telemetry.