Enterprise EDR: How to Troubleshoot UBS Functionality


Article ID: 287987


Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

How to Troubleshoot UBS Functionality

Environment

  • Carbon Black Enterprise EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. The RepCLI utility will need to be enabled. See Cb Defense: How to Access RepCLI Utility
  2. Show the stream of kernel requests raised when execution of a binary is detected, to be evaluated for a UBS query
    repcli streamubs -queries -requests
  3. Show the stream of backend responses to UBS queries issued from the sensor
    repcli streamubs -queries -responses
  4. Force queued UBS queries to send immediately.
    • View pending UBS queries
      repcli cloud UbsQuery -showpending
    • Force the pending UBS queries
      repcli cloud UbsQuery -force
  5. Confirm whether you have a binary file
    repcli cloud UbsQuery -file <file_path>
    repcli cloud UbsQuery -sha256 <sha256>
  6. Show upload requests from the sensor (if UBS did not have the file, the sensor will start an upload)
    repcli streamubs -uploads -requests
  7. Show the zip path of a file that was uploaded. A JSON file will be shown if an upload is attempted. The field "sensor_status" will be 0 if the upload worked.
    repcli streamubs -uploads -responses
  8. In the confer.log, search for UbsUploadManager to find log entries related to binary upload operations

Additional Information

Like event uploads, UBS queries execute asynchronously, so they are queued until a timer period elapses.