EDR: Sensors no longer send data with 403 response on back-end

Article ID: 289544


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • Sensor requests to the server receive 403 HTTP responses
  • Sensor group does not have a backend URL set
  • datastore/debug.log shows thousands of "MISMATCHED client SSL cert" warnings

Environment

  • EDR Server: 6.X

Cause

The sensor was moved to a group without a backend server URL, which prevents it from receiving the new group certificate.

Resolution

  1. Update the backend server URL in the group
  2. Restart services to clear back-end group caches
  3. The next time the sensor performs a /checkin request, it will get the new group certificate

Additional Information

  • Sensor checkins can be forced either by rebooting the endpoint or by running the command:
    • sc control carbonblack 200
  • Moving the sensor back to the previous group will also allow the sensor to submit data