PSC: How To Identify Sensors That May Have Deregistered

Article ID: 285525

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Identify sensors that may have become Deregistered on Thursday, February 20th, 2020 between 8AM and 12PM EST

Environment

Resolution

  1. Export a list of endpoints from the Console
    1. Log in to Console at https://defense-prod05.conferdeploy.net
    2. Navigate to the "Endpoints" page
    3. Make sure no filters are applied
    4. Click "Export" to save a .csv file
    5. Open the file with Excel
    6. Enable the AutoFilter in Excel: https://support.office.com/en-us/article/quick-start-filter-data-by-using-an-autofilter-08647e19-11d1-42f6-b376-27b932e186e0
  2. Identify sensors that have become Deregistered during the specified time frame
    1. Filter the "status" column to be equal to "DEREGISTERED"
    2. Filter the "deregisteredTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-080000" and less than "2020-02-20-120000" (i.e. sensors that have become Deregistered between 8AM and 12PM EST on 02/20/2020)
    3. Sensors that were not expected to become Deregistered during that time window will need to be reinstalled: https://community.carbonblack.com/t5/Knowledge-Base/PSC-How-to-Reregister-Sensors-That-Have-Been-Deregistered/ta-p/86426
  3. Identify sensors that may have been affected by a narrow condition that could cause partial deregistration
    1. Filter the "status" column to be equal to "BYPASS" and "REGISTERED" (equivalent to "Active" in the Console)
    2. Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-06-080000" and less than "2020-02-20-120000" (i.e. sensors that are listed as Active and have been checking in successfully in the two weeks leading up to, but not after, 12PM EST on 02/20/2020)
    3. Endpoints that are expected to be online after 12PM EST on 02/20/2020 should be audited and the sensor reinstalled where needed: https://community.carbonblack.com/t5/Knowledge-Base/PSC-How-to-Reregister-Sensors-That-Have-Been-Deregistered/ta-p/86426
  4. Identify deregistered sensors that may have been deleted from the Console, either manually via the "Take Action" menu or automatically via the "Delete sensors that have been deregistered for…" option
    1. Filter the "status" column to be equal to "BYPASS" and "REGISTERED" (equivalent to "Active" in the Console)
    2. Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-120000" (i.e. "known good" sensors that remained Active and continued to check in successfully after 12PM EST on 02/20/2020)
    3. Export a list of endpoints from an internal source such as AD, SCCM, vulnerability scanner or another inventory tool (example: https://social.technet.microsoft.com/wiki/contents/articles/5819.ad-powershell-for-active-directory-administrators.aspx)
    4. Compare the two lists (example: https://support.office.com/en-us/article/compare-two-versions-of-a-workbook-by-using-spreadsheet-compare-0e1627fd-ce14-4c33-9ab1-8ea82c6a5a7e)
    5. Endpoints from the internal source that are expected to be online but are not found in the filtered .csv file should be audited and the sensor reinstalled where needed: https://community.carbonblack.com/t5/Knowledge-Base/PSC-How-to-Reregister-Sensors-That-Have-Been-Deregistered/ta-p/86426
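
The filters in steps 2 through 4 can also be applied with a script instead of Excel. The following is an added example, not Carbon Black code: the `status`, `deregisteredTime` and `lastContactTime` column names come from the steps above, while the `name` hostname column, the timestamp text format, and the sample rows and inventory list are assumptions constructed for illustration.

```python
import csv
import io

# Window bounds copied from the steps above and compared as text, the same
# way the Excel "Text Filters" compare them. Shift them if your export is
# not in Eastern Standard Time.
DEREG_START, DEREG_END = "2020-02-20-080000", "2020-02-20-120000"
CONTACT_START = "2020-02-06-080000"
ACTIVE = {"BYPASS", "REGISTERED"}  # shown as "Active" in the Console

# Constructed sample export; "name" is an assumed hostname column.
SAMPLE_EXPORT = """name,status,deregisteredTime,lastContactTime
ws-001,DEREGISTERED,2020-02-20-093015,2020-02-20-092900
ws-002,DEREGISTERED,2020-01-15-101500,2020-01-15-101000
ws-003,REGISTERED,,2020-02-19-174500
ws-004,BYPASS,,2020-02-21-081200
ws-005,REGISTERED,,2020-01-02-120000
"""
# Constructed inventory list, standing in for an AD or SCCM export.
SAMPLE_INVENTORY = ["WS-001", "ws-003", "ws-004", "ws-006"]

def triage(export_csv, inventory_names):
    """Apply steps 2-4 to an Endpoints export; returns three sorted name lists."""
    deregistered, stale_active, known_good = [], [], set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["name"].strip().lower()
        status = row["status"].strip().upper()
        dereg = row["deregisteredTime"].strip()
        contact = row["lastContactTime"].strip()
        if status == "DEREGISTERED" and DEREG_START < dereg < DEREG_END:
            deregistered.append(name)      # step 2: deregistered in the window
        elif status in ACTIVE and CONTACT_START < contact < DEREG_END:
            stale_active.append(name)      # step 3: Active, silent since window
        elif status in ACTIVE and contact > DEREG_END:
            known_good.add(name)           # step 4: still checking in
    # Step 4: inventory hosts with no known-good sensor record in the export.
    missing = {n.strip().lower() for n in inventory_names} - known_good
    return sorted(deregistered), sorted(stale_active), sorted(missing)

if __name__ == "__main__":
    for label, hosts in zip(("step 2", "step 3", "step 4"),
                            triage(SAMPLE_EXPORT, SAMPLE_INVENTORY)):
        print(label, hosts)
```

Rows with an empty timestamp never match a window, so Active sensors with no recorded contact time fall out of the "known good" set and surface in the step 4 list if they appear in the inventory.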

Additional Information

  • The time presented in the Console and .csv export will be your local browser time; ensure you convert to Eastern Standard Time for accurate results
  • If your PSC login URL is not https://defense-prod05.conferdeploy.net then no action is needed
  • If you are confident you've identified all endpoints that need the sensor reinstalled with steps 2 and 3, then step 4 is not necessary and can be skipped
  • Other columns in .csv file such as "policyName", "osVersion", etc. may be used to further narrow down the results
  • Filters can be applied on "Endpoints" page prior to exporting to save a filtered .csv file
  • The Devices API can be used as an alternative to exporting a .csv file from the "Endpoints" page
  • If further help is needed to identify sensors that may have deregistered or to get them reinstalled, please open a Support case