EDR: api/v1/process Returns Local Address Instead of Remote
Article ID: 287885
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
When using api/v1/process, the netconns are returning the local ip instead of the remote IP
Environment
- EDR Console: All Versions
Cause
This is expected behavior based on the direction of the network connection
Resolution
api/v1/process will only return one directions network information. Field 5 holds the direction, if this is "true" it's an outbound connection and v1 will return the remote IP and port. If it is "false", v1 will return the local IP and port.
To see both local and remote IP and ports, utilze api/v2/process or higher instead.
To see both local and remote IP and ports, utilze api/v2/process or higher instead.
Additional Information
Documentation at the time of this article lists the fields as "Remote". This is incorrect and a bug ticket has been filed to update the documentation
Feedback
Yes
No
Powered by
