EDR: Cb Threat Intel Enabled But Not Connected

Environment

  • EDR Console: 5.x and Higher (formerly CB Response)

Symptoms

The EDR Console shows the error "Cb Threat Intel enabled but not connected".

Cause

The EDR server may be temporarily disconnected from the Cb Alliance server because of a networking problem, a proxy, or traffic congestion on the Alliance server.

Resolution

  1. Verify that the EDR Alliance systems are operational: https://status.carbonblack.com
  2. If Alliance reports "All Systems Operational", restart the EDR services.
  3. If 400/500/600-series errors persist after the service restart:
    1. Upload the Redis errors to the Alliance server with the cbpost command:
      • redis-cli -n 1 hgetall AllianceCommStatus > /tmp/comms_troubleshooting-`hostname`_"`date`".txt && /usr/share/cb/cbpost /tmp/comms_troubleshooting*
    2. Upload the PostgreSQL communication errors to the Alliance server with the cbpost command:
      • psql -d cb -p 5002 -c "SELECT * FROM allianceclient_comm_history ORDER BY timestamp DESC;" > /tmp/alliancecommhistory.out && /usr/share/cb/cbpost /tmp/alliancecommhistory.out
    3. Run the following to make an Alliance connection attempt. If it returns an error, post the output to the case:
      • curl --cert /etc/cb/certs/carbonblack-alliance-client.crt --key /etc/cb/certs/carbonblack-alliance-client.key https://api.alliance.carbonblack.com:443/api/v1/feeds/ > /tmp/alliance_comm_test.out && /usr/share/cb/cbpost /tmp/alliance_comm_test.out
  4. Upload cbdiags to Alliance (see: CB Response: Generate cbdiag for on-prem server).
  5. Update the case when the uploads have been completed.

Additional Notes

  • Warning: Logs must be collected within 30 minutes of a communication error appearing, or the relevant information will no longer be present.
  • The curl command verifies that the server does not hit a certificate issue when connecting to an Alliance feed.
  • Other items, such as sensordiag and settings, can trigger the red banner even when they are disabled. They are not related to the threat intel feeds, so run the following command to confirm that the feeds themselves are not the problem. If the output is empty, all feeds are healthy:
    redis-cli -n 1 hgetall AllianceCommStatus | awk '{getline line2;print $0, line2}' | grep -v 'feed' | grep -v '200'
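The awk stage in the command above works because redis-cli prints a hash as alternating field and value lines. The following is an added example (not part of the original article) that pairs those lines, lists every AllianceCommStatus entry whose value does not carry a 200 status, and returns a non-zero exit code when any is found, so it can be used from a cron job or monitoring check. The field names and value strings in the sample are constructed and may not match a real server.

```shell
# Added example, not from the original article. Reads
# "redis-cli hgetall" style output (field line, then value line) on stdin,
# prints "field<TAB>value" for every entry that does not contain an HTTP
# 200 status, and exits 1 if any such entry exists (0 when all are healthy).
alliance_unhealthy() {
    awk '
        NR % 2 == 1 { field = $0; next }        # odd lines: hash field name
        $0 !~ /(^|[^0-9])200([^0-9]|$)/ {        # even lines: status value
            printf "%s\t%s\n", field, $0         # report the unhealthy entry
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Constructed sample resembling "redis-cli -n 1 hgetall AllianceCommStatus".
# Field names and value formats are assumptions for illustration only.
SAMPLE_STATUS='feed.abusech
200 OK 2018-11-21T10:00:00
feed.tor
503 Service Unavailable 2018-11-21T10:00:02
sensordiag
200 OK 2018-11-21T09:58:10
feed.mdl
200 OK 2018-11-21T10:00:03
'

# Runs the check over the constructed sample; one entry (feed.tor) is unhealthy.
check_sample() {
    printf '%s' "$SAMPLE_STATUS" | alliance_unhealthy
}

# Against a live EDR server, pipe the real command in instead:
#   redis-cli -n 1 hgetall AllianceCommStatus | alliance_unhealthy
```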

Creation Date: 11-21-2018