EDR: Why did an Alert Fire for an Older Event?
Article ID: 291113
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
Why did an alert fire for an older event?
Environment
- EDR Server: All Versions
- EDR Sensor: All Versions
Resolution
Sensor was not connected to the server between the period of the event and the time the alert was triggered
Additional Information
- The sensor core driver storesĀ up to 12k in memory for events. Events then get rolled to disk during the stop of services. During this, if the memory limit or storage limit are hit, newer events will be dropped.
- Utilize the /var/log/cb/nginx/access.log to check when sensor first started to check in. The following command can help. sensorid can be found in the sensor's details page.
zcat /var/log/cb/nginx/access.log | grep '/<sensorid> '
- Compare the GMT time to firewall logs
Feedback
Yes
No
Powered by
