EDR: The Same Endpoint has Multiple Sensor Ids

Article ID: 287624

Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

  • In the Sensors section of the EDR console, a search for a given computer name returns multiple entries. There should be only one.
  • The Postgres sensor_registration table contains multiple entries for the same endpoint (same hostname, MAC address, and so on), each with a different sensor ID.

Environment

  • EDR Server: 7.8.0

Cause

In some cases, EDR does not process incoming sensor events correctly and leaves the DNS_name field blank. If the VDI setting that matches endpoints on hostname plus DNS_name is enabled, an event with a blank DNS_name does not match the existing registration, so EDR treats it as a new sensor and registers it with a new sensor ID.

Resolution

Until the sensor data processing issue is fixed, deselect the DNS_name option in the EDR console VDI settings (User > Settings > VDI Settings > DNS Name).
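The following is an added model of the behaviour described in the Cause and Resolution sections; it is not EDR product code. It assumes VDI identifies a sensor by hostname alone when the DNS Name option is deselected, and by the (hostname, DNS_name) pair when it is selected; the field names and the sample events are constructed for the example.

```python
"""Model of why a blank DNS_name produces duplicate sensor IDs under VDI."""
from collections import defaultdict
from itertools import count


def identity_key(event, match_dns_name):
    """Key VDI uses to decide whether an event belongs to a known sensor.
    Assumption for this example: hostname alone when the DNS Name option
    is deselected, the (hostname, DNS_name) pair when it is selected."""
    if match_dns_name:
        return (event["hostname"], event["dns_name"])
    return (event["hostname"],)


def register(events, match_dns_name):
    """Assign sensor IDs in arrival order: reuse the ID for a key already
    seen, allocate a fresh one otherwise. Returns [(sensor_id, hostname)]."""
    ids = {}
    next_id = count(1)
    registrations = []
    for ev in events:
        key = identity_key(ev, match_dns_name)
        if key not in ids:            # unknown key -> treated as a new sensor
            ids[key] = next(next_id)
        registrations.append((ids[key], ev["hostname"]))
    return registrations


def duplicate_sensors(registrations):
    """Hostnames that ended up with more than one sensor ID, i.e. what the
    console search and the sensor_registration table show in this issue."""
    by_host = defaultdict(set)
    for sensor_id, host in registrations:
        by_host[host].add(sensor_id)
    return {h: sorted(s) for h, s in by_host.items() if len(s) > 1}


# Constructed sample events: the second check-in from WKS01 arrives with
# the DNS_name field blank, as described in the Cause section.
EVENTS = [
    {"hostname": "WKS01", "dns_name": "wks01.corp.example"},
    {"hostname": "WKS01", "dns_name": ""},   # blank DNS_name
    {"hostname": "WKS01", "dns_name": "wks01.corp.example"},
    {"hostname": "WKS02", "dns_name": "wks02.corp.example"},
]

if __name__ == "__main__":
    print("DNS Name selected:  ", duplicate_sensors(register(EVENTS, True)))
    print("DNS Name deselected:", duplicate_sensors(register(EVENTS, False)))
```

With the DNS Name option selected the blank event creates a second sensor ID for WKS01; with it deselected every WKS01 event maps to the same ID.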

Additional Information

  • EDR was designed to assign one sensor ID per endpoint to uniquely identify that endpoint.
  • VDI was designed to allow virtual machines to roll back/forward to snapshots and still be identified as the same endpoint.