Environment
Carbon Black Cloud Console: All Supported Versions
Question
What determines if a machine is "on-prem" versus "off-prem" when investigating a device?
Answer
Additional Notes
- If the device has *.company.com registered on the Network Adapter or any relevant fqdn defined, this is a valid condition for the device to be recognized as on-prem. If the device also is connected to the Company network and the Sensor can ping one or more of the defined IP Addresses in Reachable Hosts, then it is also a condition that defines the device as on-prem. One or both of the conditions have to be met for the device to be considered on-prem. If neither condition is met, the machine is off-prem.
- The below statement in Reachable Hosts is a broad statement based on RFC 1918 as these IP ranges were originally defined as reserved IP Addresses. The concern here is that if you have a home user that has 172.X.X.X defined on their home network and the IP Address matches what is defined in Reachable Hosts as a reachable host, then the Sensor would be incorrectly reporting as on-prem.
"A reachable host should be the IP address or FQDN for a host that can only be reached when the device is on-prem. A good example would be the name of your internal DNS server. Private IP addresses (10.x.x.x, 172.x.x.x, etc.) are not allowed."
- This can potentially be an issue with any IP range. If a home network or remote network device has a matching condition in Reachable Hosts, there is the potential for this condition to be met and the Sensor to report that it is on-prem when it is really off-prem.
Related Content
