Environment
Objective
Identify sensors that may have become Deregistered on Thursday, February 20th, 2020 between 8AM and 12PM EST
Resolution
- Export a list of endpoints from the Console
- Log in to Console at Carbon Black Cloud
- Navigate to the "Endpoints" page
- Make sure no filters are applied
- Click "Export" to save a .csv file
- Open the file with Excel
- Enable the AutoFilter in Excel: Quick start: Filter data by using an AutoFilter
- Identify sensors that have become Deregistered during the specified time frame
- Filter the "status" column to be equal to "DEREGISTERED"
- Filter the "deregisteredTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-080000" and less than "2020-02-20-120000" (i.e. sensors that have become Deregistered between 8AM and 12PM EST on 02/20/2020)
- Sensors that were not expected to become Deregistered during that time window will need to be reinstalled: PSC: How To Reregister Sensors That Have Been Deregistered
- Identify sensors that may have been affected by a narrow condition that could cause partial deregistration
- Filter the "status" column to be equal to "BYPASS" and "REGISTERED" (equivalent to "Active" in the Console)
- Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-06-080000" and less than "2020-02-20-120000" (i.e. sensors that are listed as Active and have been checking in successfully in two weeks leading up to but not after 12PM EST on 02/20/2020)
- Endpoints that are expected to be online after 12PM EST on 02/20/2020 should be audited and sensor reinstalled where needed: PSC: How To Reregister Sensors That Have Been Deregistered
- Identify deregistered sensors that may have been deleted from the Console either manually via "Take Action" menu or automatically via "Delete sensors that have been deregistered for…" option
- Filter the "status" column to be equal to "BYPASS" and "REGISTERED" (equivalent to "Active" in the Console)
- Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-120000" (i.e. "known good" sensors that remained Active and continued to check in successfully after 12PM EST on 02/20/2020)
- Export a list of endpoints from an internal source such as AD, SCCM, vulnerability scanner or another inventory tool (example:
AD-Powershell for Active Directory Administrators - TechNet Articles - United States (English) - T...)
- Compare the two lists (example: Compare two versions of a workbook by using Spreadsheet Compare)
- Endpoints from internal source that are expected to be online but not found in the filtered .csv file should be audited and sensor reinstalled where needed: PSC: How To Reregister Sensors That Have Been Deregistered
Additional Notes
- The time presented in the Console and .csv export will be your local browser time; Ensure you convert to Eastern Standard Time for accurate results
- If your PSC login URL is not Carbon Black Cloud then no action is needed
- If you are confident you've identified all endpoints that need sensor reinstalled with steps 2 and 3 then step 4 is not necessary and can be skipped
- Other columns in .csv file such as "policyName", "osVersion", etc. may be used to further narrow down the results
- Filters can be applied on "Endpoints" page prior to exporting to save a filtered .csv file
- The Devices API can be used as an alternative to exporting a .csv file from the "Endpoints" page
- If further help is needed to identify sensors that may have deregistered or getting those reinstalled, please open a Support case
Related Content