EDR: The Same Endpoint has Multiple Sensor Ids

Environment

  • EDR Server: 7.8.0

Symptoms

  • In the Sensor section of the EDR console, a search for a given computer name returns multiple entries, where there should be only one.
  • The Postgres sensor_registration table contains multiple rows for the same endpoint (same hostname, MAC address, etc.) with different sensor IDs.

Cause

In some cases, EDR does not process incoming events properly and leaves the DNS_name field blank. If VDI duplicate detection is configured to check hostname + DNS_name, an event with a blank DNS_name does not match the existing sensor record, so it is treated as a new sensor and registered with a new sensor ID.

Resolution

Until the sensor data processing is fixed, deselect the DNS_name option in the EDR console VDI settings (User > Settings > VDI Settings > DNS Name), so that VDI matching relies on hostname alone and a blank DNS_name no longer creates a new sensor.
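The following is an added model of the behaviour described in Cause and Resolution, not EDR's own code or schema: the field names, the sensor_registration-style rows and the three registration events are constructed. It shows how a blank DNS_name yields a second sensor ID when the VDI key includes DNS_name, how removing DNS_name from the key avoids it, and a check for the duplicate-ID symptom.

```python
"""Model of VDI duplicate detection with and without DNS_name in the key.

Constructed example: field names and records are assumptions, not the
real EDR event format or the real sensor_registration columns.
"""
from collections import defaultdict

# Constructed registration events for ONE physical endpoint. The third
# event has a blank DNS_name, like the mis-processed events in the article.
EVENTS = [
    {"hostname": "WKSTN-01", "dns_name": "wkstn-01.corp.example", "mac": "00:11:22:33:44:55"},
    {"hostname": "WKSTN-01", "dns_name": "wkstn-01.corp.example", "mac": "00:11:22:33:44:55"},
    {"hostname": "WKSTN-01", "dns_name": "", "mac": "00:11:22:33:44:55"},
]


def vdi_key(event, use_dns_name):
    """Identity key VDI compares to decide whether an event is a known sensor."""
    key = (event["hostname"].lower(),)
    if use_dns_name:
        # A blank DNS_name produces a key that never matches the real one.
        key += (event["dns_name"].lower(),)
    return key


def register_events(events, use_dns_name):
    """Assign sensor IDs the way a registration table would: a new ID is
    issued whenever the VDI key has not been seen before.
    Returns rows shaped like (sensor_id, hostname, mac)."""
    table = {}  # vdi key -> sensor id
    rows = []
    for ev in events:
        key = vdi_key(ev, use_dns_name)
        if key not in table:
            table[key] = len(table) + 1
        rows.append((table[key], ev["hostname"], ev["mac"]))
    return rows


def duplicate_endpoints(rows):
    """Symptom check: endpoints (hostname, mac) mapped to more than one sensor ID."""
    ids = defaultdict(set)
    for sensor_id, hostname, mac in rows:
        ids[(hostname.lower(), mac)].add(sensor_id)
    return {k: sorted(v) for k, v in ids.items() if len(v) > 1}


if __name__ == "__main__":
    print("DNS_name checked:", duplicate_endpoints(register_events(EVENTS, True)))
    print("DNS_name deselected:", duplicate_endpoints(register_events(EVENTS, False)))
```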

Additional Notes

  • EDR was designed to assign one sensor ID per endpoint to uniquely identify that endpoint.
  • VDI was designed to allow virtual machines to roll back or forward to snapshots and still be identified as the same endpoint.

Creation Date: 11-27-2023