EDR: Sensors marked as offline despite checking in normally
Article ID: 286864
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
One or more sensors are marked Offline in the EDR console even though they are checking in regularly.
Environment
- EDR Server: 7.x
Cause
Time is not properly synced between the EDR server(s) and endpoints
Resolution
- Enable NTP across all server nodes and endpoints
- Ensure time is synced across devices
Additional Information
- By default, Sensors will attempt to check into the EDR server every 1 minute.
- By default, the EDR server will mark a sensor as 'Offline' if the endpoint hasn't checked in for 5 minutes.
- If the time difference between devices is more than 5 minutes, then this issue will occur.
- This symptom will not prevent event telemetry from being uploaded to the EDR server
Feedback
Yes
No
Powered by
