FAQs

General


Where can I purchase Endpoint Detection and Response (EDR)?

Users can sign up for Endpoint Detection and Response on the EDR screen in the Armor Management Portal (AMP).

I don't see EDR in AMP. Why?

EDR access within AMP is permission based. Users may need to request access from their Armor provider.

How long will it take to get my EDR account provisioned?

Currently, we expect a two-week turnaround for provisioning an EDR account with our vendor.

Armor will provision the account on the customer's behalf. Once the licenses are purchased and the account is created, the customer will be informed via the Armor Ticketing System within AMP.

How is the Administrator for EDR determined during sign-up?

Customers can choose an AMP user from accounts within their organization to be given administrator access to the Carbon Black portal. This user must already have an active AMP account and cannot be created during the purchase process.

Is there a minimum number of licenses to buy to get signed up with EDR?

The initial purchase requirement for EDR is 25 licenses.

In AMP, how will I be able to tell if my endpoint is a desktop or laptop?

To distinguish between desktops and servers in AMP, customers will need to tag assets accordingly during installation and then filter using the appropriate tags in AMP.

 

EDR isn't visible in the Armor Toolbox. Why?

EDR will not show up as an option in the Toolbox until the purchase process has been completed and licenses have been provisioned.

I'm unable to access the Carbon Black portal. Why?

Access to Carbon Black is provided to one EDR Administrator per account, and it is possible that your provider has not granted your account access to Carbon Black's portal. If you feel that you should have access, please contact the EDR administrator for your account.

What is the expected resource utilization on the Carbon Black Cloud Sensor supporting Endpoint Detection and Response (EDR)?

The lowest resource usage for the cloud sensor in a controlled test environment is less than 1% CPU, less than 1% increase over baseline disk I/O utilization, and less than 3.5 MB data transferred per day. Average cloud sensor resource usage will depend on the environment.

What does "Sensor Bypass (Admin Action)" status mean?

In most instances, this means that the KEXT (kernel extension) has not been approved on this machine (macOS).


Incidents


How will I use EDR?

Detections from EDR will be visible in the Incidents screen of AMP. Incidents will provide a hostname for an asset.

Then what?

The assets can then be found in the Virtual Machines screen of AMP where endpoints will appear with an EDR tag. Users can determine the health of an endpoint from the VM screen.

Where can I view events?

Users can view EDR events in Log Search. You can filter events in a number of ways, specifically by hostname or by event.type. For more information on Log Search, please refer to our documentation.

 

Why am I getting tickets?

Detections do not generate tickets, but Security Incidents do. Tickets could suggest remediation actions regarding events.

Install/Uninstall


How do I get my uninstall code?

Documentation for obtaining your uninstall code is provided here.