Issue
When reviewing Endpoints in Red Canary, the Last Activity column shows a value of "Unknown". What does this value mean?
Environment
Red Canary
Resolution
A value of Unknown in the Last Activity column may indicate either that Red Canary has never received telemetry from the endpoint, or that the endpoint's most recent telemetry was received prior to June 2021 (two months prior to the activation of the feature).
If an endpoint has recently checked in but its telemetry has not been ingested by Red Canary, please check for issues that may be preventing the endpoint from collecting telemetry (e.g., third-party AV preventing the sensor from functioning, an incompatible sensor version, a driver failure, etc.).
Sometimes the endpoint that the sensor is installed on may require a reboot, or the agent/sensor service may need to be restarted, in order to correct a sensor health issue.
On a Mac, the system extension (kernel access) and full disk access (the ability to see all behavior on the endpoint and write it to disk) likely need to be enabled under System Preferences > Security and Privacy.
* Carbon Black Cloud Granting Full Disk Access
If there are no sensor incompatibility issues or a reboot does not correct the issue, please submit a support request via the Red Canary Support Center for further assistance.
Additional Helpful Links:
* How to check for Telemetry in CrowdStrike
* How to Confirm if the Cortex Sensor is Sending Telemetry to the Cortex Server
* Endpoint not sending telemetry with status "Can Be Onboarded" in Microsoft Defender for Endpoint
* How to verify process and network events are coming into MDE