Syslog Binary Watchlist hit reporting multiple Sensor Groups

Version

This solution applies to all Carbon Black versions.

Topic

When a Binary Watchlist hit is observed, multiple Sensor Groups are reported in the resulting Syslog event. Some of the reported Sensor Groups may appear misleading.

Q/A

Why is a Syslog event reporting a "Default Group" Sensor Group when I have zero hosts that belong to this Group?

Carbon Black reports every Sensor Group in which this binary has been observed. For example, if the Default Group contains zero Sensors and a Syslog event still reports the Default Group, it means this particular binary was previously observed on a host that at one point existed in the Default Group. This is functioning as designed.

Creation Date: 06-19-2015