
PSC: How To Identify Sensors That May Have Deregistered

Environment


Objective

Identify sensors that may have become Deregistered on Thursday, February 20th, 2020 between 8AM and 12PM EST

Resolution

  1. Export a list of endpoints from the Console
    1. Log in to Console at Carbon Black Cloud
    2. Navigate to the "Endpoints" page
    3. Make sure no filters are applied
    4. Click "Export" to save a .csv file
    5. Open the file with Excel
    6. Enable the AutoFilter in Excel (see "Quick start: Filter data by using an AutoFilter")
  2. Identify sensors that have become Deregistered during the specified time frame
    1. Filter the "status" column to be equal to "DEREGISTERED"
    2. Filter the "deregisteredTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-080000" and less than "2020-02-20-120000" (i.e. sensors that have become Deregistered between 8AM and 12PM EST on 02/20/2020)
    3. Sensors that were not expected to become Deregistered during that time window will need to be reinstalled: PSC: How To Reregister Sensors That Have Been Deregistered
  3. Identify sensors that may have been affected by a narrow condition that could cause partial deregistration
    1. Filter the "status" column to be equal to either "BYPASS" or "REGISTERED" (equivalent to "Active" in the Console)
    2. Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-06-080000" and less than "2020-02-20-120000" (i.e. sensors that are listed as Active and were checking in successfully in the two weeks leading up to, but not after, 12PM EST on 02/20/2020)
    3. Endpoints that are expected to be online after 12PM EST on 02/20/2020 should be audited and the sensor reinstalled where needed: PSC: How To Reregister Sensors That Have Been Deregistered
  4. Identify deregistered sensors that may have been deleted from the Console, either manually via the "Take Action" menu or automatically via the "Delete sensors that have been deregistered for…" option
    1. Filter the "status" column to be equal to either "BYPASS" or "REGISTERED" (equivalent to "Active" in the Console)
    2. Filter the "lastContactTime" column using "Custom AutoFilter" ("Text Filters" -> "Custom Filters...") to contain text greater than "2020-02-20-120000" (i.e. "known good" sensors that remained Active and continued to check in successfully after 12PM EST on 02/20/2020)
    3. Export a list of endpoints from an internal source such as AD, SCCM, a vulnerability scanner or another inventory tool (example: AD-Powershell for Active Directory Administrators - TechNet Articles - United States (English) - T...)
    4. Compare the two lists (example: Compare two versions of a workbook by using Spreadsheet Compare)
    5. Endpoints from the internal source that are expected to be online but are not found in the filtered .csv file should be audited and the sensor reinstalled where needed: PSC: How To Reregister Sensors That Have Been Deregistered
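
Steps 2 through 4 can also be applied to the exported .csv with a script instead of Excel filters. The Python below is an added example, not code from Carbon Black or from this article; it goes one step further than the Excel procedure by doing the inventory comparison in the same pass. The "name" column, the timestamp layout and all sample rows are constructed assumptions, and timestamps are assumed to be already converted to Eastern time and to sort as text, as the article's text filters require.

```python
import csv
import io

# Window bounds copied from the article; compared as text, like its Excel filters.
WINDOW_START = "2020-02-20-080000"
WINDOW_END = "2020-02-20-120000"
LOOKBACK_START = "2020-02-06-080000"
ACTIVE = {"BYPASS", "REGISTERED"}  # shown as "Active" in the Console

# Constructed sample export. Column "name" and the timestamp layout are assumptions.
SAMPLE_EXPORT = """name,status,deregisteredTime,lastContactTime
ws-001,DEREGISTERED,2020-02-20-093012,2020-02-20-092955
ws-002,REGISTERED,,2020-02-19-171500
ws-003,REGISTERED,,2020-02-21-081000
ws-004,BYPASS,,2020-02-20-140000
ws-005,DEREGISTERED,2020-01-15-101500,2020-01-15-101400
ws-006,REGISTERED,,2020-01-30-120000
"""
# Constructed internal inventory (e.g. from AD); ws-007 was deleted from the Console.
SAMPLE_INVENTORY = ["WS-001", "ws-002", "ws-003", "ws-004", "ws-007"]


def triage(export_csv, inventory):
    """Return the endpoint names selected by steps 2, 3 and 4 of the article."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    for r in rows:
        r["name"] = r["name"].strip().lower()
        r["status"] = r["status"].strip().upper()

    # Step 2: deregistered inside the window.
    step2 = [r["name"] for r in rows
             if r["status"] == "DEREGISTERED"
             and WINDOW_START < r["deregisteredTime"] < WINDOW_END]
    # Step 3: listed as Active, last contact in the two weeks before the window end.
    step3 = [r["name"] for r in rows
             if r["status"] in ACTIVE
             and LOOKBACK_START < r["lastContactTime"] < WINDOW_END]
    # Step 4: "known good" sensors, then inventory hosts missing from that set.
    known_good = {r["name"] for r in rows
                  if r["status"] in ACTIVE and r["lastContactTime"] > WINDOW_END}
    step4 = sorted({h.strip().lower() for h in inventory} - known_good)
    return {"deregistered_in_window": step2,
            "possibly_partially_deregistered": step3,
            "not_known_good": step4}


if __name__ == "__main__":
    for label, names in triage(SAMPLE_EXPORT, SAMPLE_INVENTORY).items():
        print(f"{label}: {', '.join(names) or '-'}")
```

Hosts already found by steps 2 and 3 also appear in the step 4 result, because step 4 reports every inventory host that is not in the "known good" set.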

Additional Notes

  • The time presented in the Console and .csv export will be your local browser time; ensure you convert to Eastern Standard Time for accurate results
  • If your PSC login URL is not Carbon Black Cloud then no action is needed
  • If you are confident you've identified all endpoints that need the sensor reinstalled with steps 2 and 3, then step 4 is not necessary and can be skipped
  • Other columns in .csv file such as "policyName", "osVersion", etc. may be used to further narrow down the results
  • Filters can be applied on "Endpoints" page prior to exporting to save a filtered .csv file
  • The Devices API can be used as an alternative to exporting a .csv file from the "Endpoints" page
  • If further help is needed to identify sensors that may have deregistered or to get them reinstalled, please open a Support case

Creation Date:
‎09-09-2020