When I open one of our threats and click on the hostname that is associated with it, I am presented with a completely different hostname on the Endpoint details page in Red Canary.
Red Canary + VMware Carbon Black Cloud
This is typically an indication that there's a problem with the Sensor installation on the Endpoint.
If you click on the associated hostname inside of a threat, it should take you to that Endpoint details page for that host. The hostnames that are displayed on the threat and in the Endpoint details page should be the same.
If the hostnames are different, there are a few things you can do to investigate this:
- First, when you are taken to the Endpoint details page after clicking on the hostname inside the Detection, take note of the hostname that is listed.
- Open your Carbon Black Cloud console
- Open the Inventory > Endpoints page
- Search for the hostname that was listed in the Endpoints details page in Red Canary.
- Click on the arrow next to the hostname of the Endpoint.
- Take note of the Device ID that is listed below the Endpoint hostname.
- Open the Investigate page
- Enter the Device ID in the search bar at the top with the following syntax:
- When the Device details populate on the side bar, check the "Devices" box. (NOTE: if you only see a single hostname listed in the "Devices" box, then this device is only associated with a single hostname).
- If you see a list of multiple hostnames, this is an indication that there is a problem with the Sensor installation on the Endpoint. A single Device ID should only be associated with a single hostname and vice versa.
At this point we know there's something wrong with the Sensor installation. The Device ID for an Endpoint should only be associated with 1 hostname. You should verify whether the Sensor is installed in a VDI environment. If so, then you'll need to make sure your VDI Sensor installation meets all of the VMware VDI installation requirements. Please refer to the following VMware article regarding VMware Carbon Black Cloud VDI Requirements.
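To apply the same one-to-one check across many endpoints rather than one Device ID at a time, here is an added example (not Red Canary's or VMware's code) that takes a list of Device ID / hostname pairs, such as one copied out of the Inventory > Endpoints page, and reports every Device ID tied to more than one hostname and every hostname tied to more than one Device ID. The record field names and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict

# Constructed sample records (hypothetical field names, not the product's
# export schema): one row per Device ID / hostname pairing seen in the console.
SAMPLE_RECORDS = [
    {"device_id": 1001, "hostname": "WKS-ALICE"},
    {"device_id": 1002, "hostname": "VDI-POOL-07"},
    {"device_id": 1002, "hostname": "vdi-pool-12"},  # one Device ID, two hostnames
    {"device_id": 1003, "hostname": "VDI-POOL-12"},  # one hostname, two Device IDs
    {"device_id": 1004, "hostname": "WKS-BOB"},
]


def _norm(hostname):
    # Hostnames are case-insensitive; compare them in one canonical form.
    return hostname.strip().upper()


def find_mismatches(records):
    """Return (ids_with_many_hosts, hosts_with_many_ids).

    A healthy Sensor install is one-to-one: each Device ID maps to exactly one
    hostname and each hostname to exactly one Device ID. Any entry in either
    result is the symptom the article describes (typically a VDI/clone issue).
    """
    hosts_by_id = defaultdict(set)
    ids_by_host = defaultdict(set)
    for r in records:
        host = _norm(r["hostname"])
        hosts_by_id[r["device_id"]].add(host)
        ids_by_host[host].add(r["device_id"])
    ids_with_many_hosts = {i: sorted(h) for i, h in hosts_by_id.items() if len(h) > 1}
    hosts_with_many_ids = {h: sorted(i) for h, i in ids_by_host.items() if len(i) > 1}
    return ids_with_many_hosts, hosts_with_many_ids


def is_one_to_one(records):
    """True only when no Device ID or hostname is shared."""
    many_hosts, many_ids = find_mismatches(records)
    return not many_hosts and not many_ids


if __name__ == "__main__":
    many_hosts, many_ids = find_mismatches(SAMPLE_RECORDS)
    for device_id, hosts in many_hosts.items():
        print(f"Device ID {device_id} reports multiple hostnames: {hosts}")
    for host, ids in many_ids.items():
        print(f"Hostname {host} is claimed by multiple Device IDs: {ids}")
```

Any Device ID that appears in the first result is a candidate for the VDI requirements check and, failing that, a Sensor diagnostic collection.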
If your VDI installation meets all of the VDI requirements, then you'll need to escalate your troubleshooting to Carbon Black Support. The next thing to do is collect a Sensor diagnostic from the affected endpoint. How this is done depends on the operating system of the endpoint.
- Here are the instructions regarding How to Collect Sensor Diagnostics Locally On macOS Endpoints
- Here are the instructions regarding How To Collect Sensor Diagnostics Locally On Windows Endpoints