Troubleshoot UBS functionality in Enterprise EDR

Article ID: 287987

Products

Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

How to Troubleshoot UBS Functionality

Environment

  • Carbon Black Enterprise EDR Sensor: All Versions
  • Microsoft Windows: All Supported Versions

Resolution

  1. The RepCLI utility will need to be enabled.
  2. Show the stream of kernel requests raised when execution of a binary is detected; these are evaluated for a UBS query.
    repcli streamubs -queries -requests
  3. Show the stream of backend responses to the UBS queries issued by the sensor.
    repcli streamubs -queries -responses
  4. Force queued UBS queries to send immediately.
    • View pending UBS queries
    repcli cloud UbsQuery -showpending
    • Force the pending UBS queries
    repcli cloud UbsQuery -force
  5. Confirm if you have a binary file, by file path or by SHA-256 hash.
    repcli cloud UbsQuery -file <file_path>
    repcli cloud UbsQuery -sha256 <sha256>
  6. Show upload requests from the sensor (if UBS did not have the file, the sensor will start an upload).
    repcli streamubs -uploads -requests
  7. Show the zip path of a file that was uploaded. A JSON file will be shown if the upload is attempted. The field "sensor_status" will be 0 if the upload worked.
    repcli streamubs -uploads -responses
  8. In confer.log, search for UbsUploadManager to find log entries related to binary upload operations.
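
The checks in steps 7 and 8 can be scripted once the output has been saved to text. The following is an added example, not vendor code: the function names, the one-JSON-object-per-line layout and the sample lines are assumptions constructed for illustration; only the "sensor_status" field and the UbsUploadManager search term come from this article.

```powershell
# Added example, not vendor code. Assumptions: each upload response is one JSON
# object on a single line of captured text, and confer.log is plain text.

function Get-UbsUploadResult {
    # Step 7: find JSON responses and read "sensor_status" (0 = upload worked).
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $start = $line.IndexOf('{')
        $end   = $line.LastIndexOf('}')
        if ($start -lt 0 -or $end -le $start) { continue }    # no JSON on this line
        try {
            $obj = $line.Substring($start, $end - $start + 1) |
                   ConvertFrom-Json -ErrorAction Stop
        } catch { continue }                                   # truncated or not JSON
        $prop = $obj.PSObject.Properties['sensor_status']
        if ($null -eq $prop) { continue }                      # JSON without the field
        [pscustomobject]@{
            SensorStatus = $prop.Value
            Uploaded     = ("$($prop.Value)" -eq '0')
            Raw          = $line.Trim()
        }
    }
}

function Get-UbsUploadLogEntry {
    # Step 8: keep only confer.log lines that mention UbsUploadManager.
    param([string[]]$Lines)
    $Lines | Where-Object { $_ -match 'UbsUploadManager' }
}

# Constructed sample input; real text would come from Get-Content on saved output.
$responses = @(
    'constructed: {"sensor_status": 0}',
    'constructed: {"sensor_status": 3}',
    'constructed: {"sensor_sta'            # truncated line is skipped
)
$log = @(
    'constructed line A UbsUploadManager: placeholder message',
    'constructed line B OtherComponent: placeholder message'
)

Get-UbsUploadResult -Lines $responses | Format-Table SensorStatus, Uploaded
Get-UbsUploadLogEntry -Lines $log
```

Any row with Uploaded set to False marks an upload attempt to follow up in the UbsUploadManager log entries.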

Additional Information

Like event uploads, UBS queries execute asynchronously, so they are queued until a timer period elapses.