Carbon Black Cloud: How Many Live Response Sessions Can be Initiated Per Endpoint?
Article ID: 287861
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
How many Live Response sessions can be initiated per endpoint?
Environment
Carbon Black Cloud Console: All Versions
Endpoint Standard Sensor: All Supported Versions
Enterprise EDR Sensor: All Supported Versions
Resolution
There can only ever be a single Live Response (LR) session per sensor. If two open tabs in the UI both say connected, they are sharing the same session on the back end.
Additional Information
Live Response sessions have a 15-minute timeout. There are scenarios where the sensor’s LR session can be disrupted and fail to re-establish, which puts LR into a bad state. Attempting to create a “new” session by opening another UI tab will appear to work and will say “connected”, because sessions are re-used if their data exists on the back end even though the actual connection to the sensor has been severed. Any attempt to send a command, however, will eventually result in a “remote error”.