EDR: Cb Threat Intel Enabled But Not Connected

Article ID: 285048

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

EDR Console shows error "Cb Threat Intel enabled but not connected"

Environment

  • EDR Console: 5.x and Higher (formerly CB Response)

Cause

The EDR server can be temporarily disconnected from the Cb Alliance server because of networking problems, a proxy, or traffic congestion on the Alliance server side.

Resolution

  1. Verify that the EDR Alliance systems are operational: https://status.broadcom.com
  2. If Alliance is reporting All Systems Operational, restart the EDR services.
  3. If 400/500/600-series errors persist after the service restart:
    1. Upload the redis comm errors to the Alliance server via the cbpost command:
      • redis-cli -n 1 hgetall AllianceCommStatus > /tmp/comms_troubleshooting-`hostname`_"`date`".txt && /usr/share/cb/cbpost /tmp/comms_troubleshooting*
    2. Upload the PostgreSQL comm errors to the Alliance server via the cbpost command:
      • psql -d cb -p 5002 -c "SELECT * FROM allianceclient_comm_history ORDER BY timestamp DESC;" > /tmp/alliancecommhistory.out && /usr/share/cb/cbpost /tmp/alliancecommhistory.out
    3. Run the following to make an Alliance connection attempt; if it returns an error, post the output to the case:
      • curl --cert /etc/cb/certs/carbonblack-alliance-client.crt --key /etc/cb/certs/carbonblack-alliance-client.key https://api.alliance.carbonblack.com:443/api/v1/feeds/ > /tmp/alliance_comm_test.out && /usr/share/cb/cbpost /tmp/alliance_comm_test.out
  4. Upload cbdiags to Alliance (see: CB Response: Generate cbdiag for on-prem server).
  5. Update the case once the uploads have completed.

Additional Information

  • Warning: Logs must be collected within 30 minutes of a communication error appearing, otherwise the relevant information will not be captured.
  • The curl command above verifies that the server does not hit a certificate problem when connecting to an Alliance feed.
  • Other items such as sensordiag/settings can trigger the red banner even when they are disabled. These are not related to threat intel feeds; to confirm that feeds are not the cause, run the following command. If the response is empty, all feeds are healthy.
    redis-cli -n 1 hgetall AllianceCommStatus | awk '{getline line2;print $0, line2}' | grep -v 'feed' | grep -v '200'
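The one-liner above pairs the alternating field/value lines that `hgetall` prints and filters on the status. The following is an added example, not from the KB article or the product, that does the same pairing in reusable functions and separates feed entries from the unrelated sensordiag/settings entries the bullet mentions; it assumes (this is an assumption, not documented here) that each hash value carries the last HTTP status code, and it runs against a constructed sample rather than a live redis.

```shell
#!/bin/sh
# Added example (not from the KB article). Parses hgetall-style output
# (field on one line, value on the next) for the AllianceCommStatus hash.
# Assumption: each value contains the last HTTP status code of that entry.

# Constructed sample of `redis-cli -n 1 hgetall AllianceCommStatus` output.
# These field names and statuses are made up for the example.
SAMPLE_HGETALL='feed:example_feed_a
200
feed:example_feed_b
500
sensordiag
403
settings
200'

# Read hgetall output on stdin and print "field value" for every entry
# whose value does not carry a 200 status (healthy entries are dropped).
report_non_200() {
    awk 'NR % 2 == 1 { field = $0; next }   # odd lines are field names
         $0 !~ /200/  { print field, $0 }'  # even lines are values
}

# Restrict the report to feed entries only, so a sensordiag/settings
# error (which can also raise the banner) is not mistaken for a feed issue.
report_non_200_feeds() {
    report_non_200 | grep '^feed' || true
}

# Number of unhealthy entries of any kind; 0 means everything is healthy.
count_non_200() {
    report_non_200 | wc -l | tr -d ' '
}

# Demo run against the constructed sample: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "All non-200 entries:"
    printf '%s\n' "$SAMPLE_HGETALL" | report_non_200
    echo "Feed entries only:"
    printf '%s\n' "$SAMPLE_HGETALL" | report_non_200_feeds
fi
```

Against a live server, replace the sample with `redis-cli -n 1 hgetall AllianceCommStatus | report_non_200_feeds`; empty output means the feeds themselves are healthy and the banner is coming from something else.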