This document answers some of the most commonly asked questions regarding what happens when a sensor is offline, whether it is considered On-Premises (On-Prem) or Off-Premises (Off-Prem) as far as your organization is concerned.
How often is data uploaded from a Cb Defense Sensor to the cloud?
The Cb Defense Sensor checks in with the Cb Defense cloud every 5 minutes to upload event data. The interval is timed on the local machine, starting from either the installation of the sensor or the last device reboot. Therefore, Event and Alert information visible in the console should not be considered real-time.
What impact does being On-Prem or Off-Prem have on the uploading of data? If our organization has workstations that are taken for travel purposes or working from home, and intermittently connect to our corporate network via VPN or similar, will data or logs only be uploaded, or will the sensors only check in, when connected to the corporate network?
The device being On-Prem or Off-Prem should not have an impact on the uploading of data as long as the sensor is able to connect to the Cb Defense Cloud. If the device is offline for an extended period of time, the following applies:
The sensor continues collecting data when the endpoint is offline (no internet connectivity) and that data is stored in a local database.
The sensor will store up to 100MB of data locally. This may correspond to anything from a few hours' to several days' worth of events, depending on how much activity the sensor observes on the endpoint.
Once connectivity to the cloud is re-established, the sensor will upload locally-cached events starting with the oldest one and working toward the current date and time. This means it may take a while for the most recent events to show up in the dashboard, depending on how long the device was offline and how much cached data it has to upload.
Only the most recent events will be used by Cb Defense Analytics, which runs in the cloud, to form Alerts.
Events older than 3 days will not be used to form Alerts, but if these events are still available on the sensor, they will be uploaded and visible on the Investigate page. This is part of a performance optimization mechanism currently in the product.
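The following is an added illustration, not Carbon Black code, of the offline behaviour described above: cached events are replayed oldest-first, and only the ones within the 3-day window can still contribute to Alerts, so a long outage leaves a detection gap that a SOC should expect to review manually on the Investigate page. The event records are constructed, and it assumes the 3-day window is measured from the time of upload, which the FAQ does not state.

```python
"""Model of the Cb Defense sensor offline cache as described in the FAQ.
Added illustration (not Carbon Black code); events and sizes are constructed."""
from datetime import datetime, timedelta

ALERT_WINDOW = timedelta(days=3)        # FAQ: events older than 3 days do not form Alerts
CACHE_LIMIT_BYTES = 100 * 1024 * 1024   # FAQ: sensor keeps up to 100MB locally


def replay_cache(cached_events, reconnect_time):
    """Order cached events as the sensor uploads them (oldest first) and tag
    whether cloud analytics will still consider each one for alerting.
    Assumption (not in the FAQ): the 3-day window is measured from reconnect_time."""
    cutoff = reconnect_time - ALERT_WINDOW
    ordered = sorted(cached_events, key=lambda e: e["ts"])
    return [dict(e, alert_eligible=e["ts"] >= cutoff) for e in ordered]


def detection_gap(cached_events, reconnect_time):
    """Count events that will be visible on Investigate but can no longer raise an Alert."""
    return sum(1 for e in replay_cache(cached_events, reconnect_time)
               if not e["alert_eligible"])


def hours_of_cache(bytes_per_hour):
    """Rough number of hours the 100MB local cache covers at a given event rate."""
    return CACHE_LIMIT_BYTES / bytes_per_hour


# Constructed sample: laptop went offline Monday morning, reconnects Friday 09:00.
RECONNECT = datetime(2019, 1, 11, 9, 0)
SAMPLE = [
    {"id": "e1", "ts": datetime(2019, 1, 7, 10, 0), "desc": "process launch"},
    {"id": "e2", "ts": datetime(2019, 1, 8, 8, 30), "desc": "network connection"},
    {"id": "e3", "ts": datetime(2019, 1, 9, 12, 0), "desc": "file modification"},
    {"id": "e4", "ts": datetime(2019, 1, 10, 18, 0), "desc": "process launch"},
]

if __name__ == "__main__":
    for e in replay_cache(SAMPLE, RECONNECT):
        status = "alert-eligible" if e["alert_eligible"] else "investigate-only"
        print(e["id"], e["ts"].isoformat(), e["desc"], status)
    print("events that cannot produce Alerts:", detection_gap(SAMPLE, RECONNECT))
```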
Does any sort of "open" internet connection (e.g., at home or in a hotel) constitute connectivity to the cloud? Are there additional requirements or caveats (e.g., Ethernet vs. Wi-Fi, connection through the same network adapter used at the time of installation, etc.)?
The requirements for connectivity are listed in Cb Defense: Firewall and Proxy Settings for Sensor Communications. To sum those up, the sensor needs to be able to connect to the Cb Defense Cloud on TCP port 443 (or alternate TCP port 54443). If those requirements are met, the sensor should be able to report back to the cloud when Off-Prem the same as it does while On-Prem. There are no other restrictions or limitations based on the specific wired or wireless connection. You also do not need to connect to the same network adapter that was used during the initial installation or the most recent On-Prem connection.
If you are seeing that some of your sensors are not reporting to the cloud while Off-Prem, our Support team would be happy to help troubleshoot such issues. Keep the device in question online with the sensor installed, so our Support team can retrieve sensor logs from it via the Cb Defense Cloud; those logs will be needed for the investigation. Please Create a Case in The Community and include the following information for Support to review:
Hostname or ID of the device in question. If multiple devices exhibit the same symptoms, please pick one to troubleshoot with.
Date and approximate time interval when the device was On-Prem and reporting events most recently.
Date and approximate time interval when the device was Off-Prem and not reporting events most recently.