EDR: Is it Possible to Remove Old Endpoint Entries from the Sensor Registrations table?

Article ID: 285665

Updated On:

Products

Carbon Black EDR (formerly Cb Response)
Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Is it possible to remove old endpoint entries from the sensor_registrations table? 

Environment

EDR Console: All Versions

Resolution

This is not supported. If there is a performance reason for needing this, please reach out to support before attempting to delete entries on your own.

Additional Information

  • Removing entries from the postgres table can cause the following:
    • Sensors that have a deleted id entry are no longer able to connect.
    • Loading binary metadata in the binary search page can fail with a 404 if the deleted entry is the first sensor id to see that binary execute in the environment.
    • Loading a process analysis page will fail if the sensor id of the event is no longer available for lookup. The events will still be searchable, but not visible for investigation on the analysis page. This is even more evident for those using cold storage when loading an older cold core that no longer has an associated id.