EDR: Recommended Method to Remove Stale Sensors from the EDR Console

Article ID: 287675


Products

  • Carbon Black EDR (formerly Cb Response)
  • Carbon Black Hosted EDR (formerly Cb Response Cloud)

Issue/Introduction

Clean up stale assets from the Carbon Black EDR management console.

Environment

  • EDR Server:  7.x and higher

Resolution

Once a sensor registers with the EDR server, a Postgres entry is created.  The entry should not be removed but can be marked as uninstalled or filtered from the Console's view.

1.  Remove sensors that no longer exist.
     a.  In the Sensors section, place a checkmark next to the sensors that no longer exist.
     b.  Select the Action dropdown box and select 'Uninstall'.
     c.  Click 'Ok' to the 'Uninstall Sensors Confirmation' pop-up.
     d.  The sensors will be hidden from the EDR Console unless the 'Quick Status Filter' > 'Uninstalled' is selected.

2.  Remove multiple sensor entries reported as 'Offline' for one endpoint.
     For example:  When VDI is not enabled and a sensor is rebuilt, multiple entries are created with the same hostname, yet only one is Online.  The additional entries that report 'Offline' can be removed.
     a.  In the Sensors section, place a checkmark next to the entries with the same hostname reporting 'Offline'.  (Do not select the sensor entry reporting 'Online'.)
     b.  Select the Action dropdown box and select 'Uninstall'.  The entry reporting 'Online' is expected to remain online and visible.
     c.  Click 'Ok' to the 'Uninstall Sensors Confirmation' pop-up.
     d.  The sensors will be hidden from the EDR Console unless the 'Quick Status Filter' > 'Uninstalled' is selected.

3.  Temporarily filter out sensors that have been 'Offline' for many days.
     a. In the Sensors section, select the 'Filter' button and choose the timeframe of the sensors to display.  Optionally, also filter by EDR node, sensor version, OS, certificates and/or isolation status.
     b. Select 'Apply Filters' to save the parameter settings.
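
The following Python script is an added example, not part of the original article or the product. It builds a review list for steps 2 and 3 from a sensor inventory before anything is selected in the Console. The CSV layout, column names, and 30-day cutoff are assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory; column names are assumptions, not an EDR export format.
SAMPLE_CSV = """sensor_id,hostname,status,last_checkin
101,WS-FIN-01,Offline,2024-01-03T08:00:00
102,ws-fin-01,Offline,2024-02-10T09:30:00
103,WS-FIN-01,Online,2024-03-01T11:55:00
104,SRV-OLD-07,Offline,2023-11-20T02:15:00
105,LAPTOP-22,Offline,2024-02-27T17:40:00
106,KIOSK-03,Offline,2023-12-01T10:00:00
107,KIOSK-03,Offline,2024-02-25T10:00:00
"""

def review_sensors(csv_text, now, stale_days=30):
    """Return (duplicates, stale): sensor_id lists to review in the Console."""
    by_host = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Hostnames are compared case-insensitively so rebuilt sensors group together.
        by_host[row["hostname"].strip().lower()].append(row)

    duplicates, stale = [], []
    cutoff = now - timedelta(days=stale_days)
    for rows in by_host.values():
        has_online = any(r["status"].lower() == "online" for r in rows)
        for r in rows:
            if r["status"].lower() != "offline":
                continue  # the entry reporting Online is never listed
            if has_online:
                # Step 2: extra Offline entry for a hostname that also has an Online entry.
                duplicates.append(r["sensor_id"])
            elif datetime.fromisoformat(r["last_checkin"]) < cutoff:
                # Step 3: Offline past the cutoff; someone must confirm the host is gone.
                stale.append(r["sensor_id"])
    return sorted(duplicates), sorted(stale)

if __name__ == "__main__":
    dups, old = review_sensors(SAMPLE_CSV, now=datetime(2024, 3, 1, 12, 0, 0))
    print("Offline duplicates of an Online host:", dups)
    print("Offline longer than the cutoff:", old)
```

A hostname whose entries are all Offline (KIOSK-03 in the sample) is not treated as a duplicate set, because no entry is known to be the live one; its entries are listed only if they pass the age cutoff.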

Additional Information

  • It is not recommended to manually update the Postgres tables due to the key dependencies.