Issue
The license count on the Red Canary side doesn't match the license count on the Carbon Black EDR side. Why is this happening?
Environment
Red Canary
Carbon Black EDR
Cause
This is caused by a difference between the way Red Canary classifies an "Active" endpoint and the way Carbon Black does.
NOTE: By default, Carbon Black considers an endpoint "Active" if it has a Sensor installed on it and it has sent telemetry to the CB Server in the past 60 days. This default setting can be adjusted on the CB EDR Server back end, but this would need to be done by the EDR Team, and it's not typically recommended.
Red Canary considers an endpoint "Active" if it has a Sensor installed on it and it has sent telemetry to Red Canary within the calendar month. Be careful here: that means "within the last month" (i.e., based on calendar days), and this number can vary.
For example: if you log in to the Carbon Black EDR Server > Sensors page and click the "Activity" column to sort in descending order, you should see that the latest Activity Time is 2 months ago.
Next, log in to Red Canary and do a filter search on the Endpoints page. If you search for any endpoints that have checked in within the past 60 days, the numbers should be very close.
For example: if today were January 1st 2023, the filter would look like: last_checkin_time: 2022-10-01..
This will show you how many endpoints have checked in within the past 60 days. Again, this number should be very close to the number of "Active" endpoints listed in Carbon Black.
If we want to see how many endpoints Red Canary considers "Active", we just need to use a filter that includes any endpoints that have checked in within the last calendar month.
For example: if today is January 1st 2023, the filter would look like: last_checkin_time:2022-12-01..
This number should be almost exactly what is shown in the Red Canary "License Usage".
To get more granular with the search, we would need to include timestamps with our filters.
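The two "Active" definitions above, applied to one sensor inventory, as an added example that is not part of the original article or of either product. It assumes the Red Canary window starts on the same day one calendar month earlier, treats both cutoffs as inclusive, and uses a constructed hostname list and hypothetical helper names (cb_cutoff, rc_cutoff, reconcile).

```python
from datetime import date, timedelta
import calendar

CB_ACTIVE_DAYS = 60  # Carbon Black EDR default window, per the article


def cb_cutoff(today: date, days: int = CB_ACTIVE_DAYS) -> date:
    """Earliest check-in date that still counts as Active in Carbon Black."""
    return today - timedelta(days=days)


def rc_cutoff(today: date) -> date:
    """Earliest check-in date that still counts as Active in Red Canary."""
    # Assumption: same day one calendar month back, clamped to that month's
    # length, so the window spans 28 to 31 days depending on the date.
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def reconcile(endpoints: dict, today: date) -> dict:
    """Count Active endpoints under each definition and name the difference."""
    cb_from, rc_from = cb_cutoff(today), rc_cutoff(today)
    cb = {host for host, seen in endpoints.items() if seen >= cb_from}
    rc = {host for host, seen in endpoints.items() if seen >= rc_from}
    return {
        "cb_filter": f"last_checkin_time:{cb_from.isoformat()}..",
        "rc_filter": f"last_checkin_time:{rc_from.isoformat()}..",
        "cb_active": len(cb),
        "rc_active": len(rc),
        "only_in_cb": sorted(cb - rc),  # endpoints that explain the gap
    }


# Constructed sample inventory: hostname -> last check-in date.
SAMPLE = {
    "ws-001": date(2023, 3, 14),
    "ws-002": date(2023, 2, 20),
    "srv-010": date(2023, 2, 1),   # inside 60 days, outside the last month
    "srv-011": date(2023, 1, 14),  # exactly on the 60-day boundary
    "lt-100": date(2022, 12, 30),  # stale under both definitions
}

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE, date(2023, 3, 15)).items():
        print(f"{key}: {value}")
```

The hosts listed under only_in_cb are the ones that account for the higher Carbon Black count.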