Environment
- EDR Server: All Supported Versions
- EDR Sensor: All Supported Versions
- Windows OS: All Supported Versions
Symptoms
Single online sensor cannot connect a CBLR (Carbon Black Live Repsonse) session from the EDR console, but others endpoints can.
Cause
In '/var/log/cb/liveresponse/debug.log', you will find messages like:
8/12/21 4:46:46.000 AM
2021-08-12 04:46:46 [46752] <warning> cb.liveresponse.lr_api_blueprint - UnknownSessionException: Session XX not found.
8/12/21 4:46:44.000 AM
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.engine - Removing session: Session[XX, b'<Hostname>'(<sensorid>), pending]
8/12/21 4:46:44.000 AM
2021-08-12 04:46:44 [46752] <warning> cb.liveresponse.session - Session[XX, b'<Hostname>'(<sensorid>), pending] Timed out waiting for sensor
8/12/21 4:46:39.000 AM
2021-08-12 04:46:39 [46752] <warning> cb.liveresponse.lr_sensor_blueprint - InvalidClientCert: Client certificate either invalid or missing: '<SensorGroupCert>'.
Resolution
The sensor group certificate does not match and the sensor must be uninstalled and reinstalled to put the correct certificates in place.
Related Content
#HostedEDR