Issue
I would like to execute a query on the Endpoints page to disregard any system that has already been decommissioned. What would that syntax look like?
Environment
Red Canary
Endpoints
Resolution
A user can apply the "state:enrolled" filter to the beginning of their query to get the desired results.
For example:
state:enrolled isolated:false operating_system:"Windows 7" last_checkin_time:..2021-12-01
The above query returns endpoints that are running Windows 7 as the operating system, are not currently isolated, are not reporting as decommissioned, and have checked in on or before December 1, 2021.
The "state:enrolled" filter is the key part of the syntax, as it returns results for endpoints that have a sensor installed.