Environment
- EDR Server: All Versions
- EDR Sensor: All Supported
Objective
- Configured VDI plugin to match SID and Hostname of the endpoint to existing records, ignoring the FQDN when the sensor checks in without an existing sensor_id.
Resolution
- Enable VDI globally by modifying /etc/cb/cb.conf on Master and Minions and set the following as such:
NewRegistrationCallbackModulePath=/usr/share/cb/plugins/default_new_sensor_registration_callback_sid_hostname.py
NewRegistrationCallbackClassName=DefaultNewRegistrationCallback
- Make a copy of the default plugin:
cp /usr/share/cb/plugins/default_new_sensor_registration_callback.py /usr/share/cb/plugins/default_new_sensor_registration_callback_sid_hostname.py
- Edit /usr/share/cb/plugins/default_new_sensor_registration_callback_sid_hostname.py and replace the content with the following:
from cb.sensor.NewRegistrationCallback import NewRegistrationCallback
from cb.db.core_models import SensorRegistration
class DefaultNewRegistrationCallback (NewRegistrationCallback):
@staticmethod
def get_sensor_id(db_session, sensor_reg_request, logger):
sensor_host_name = sensor_reg_request.ComputerId.ComputerName
sensor_dns_name = sensor_reg_request.ComputerId.ComputerDnsName
sensor_sid = sensor_reg_request.ComputerId.ComputerSid
sensor = db_session.query(SensorRegistration).filter(SensorRegistration.computer_sid == sensor_sid).filter(SensorRegistration.computer_name==sensor_host_name).order_by(SensorRegistration.last_checkin_time.desc()).first()
if sensor is not None:
logger.debug("Found sensor id [%d] for hostname [%s @ %s]" % (sensor.id, sensor_host_name, sensor_dns_name))
return sensor.id
else:
logger.debug("Could not find a sensor id for hostname hostname [%s @ %s]" % (sensor_host_name, sensor_dns_name))
return 0
- Restart your standalone server or cluster services to reflect the configuration change.
Related Content
