Export Sensor Metadata

You can gather configuration information for multiple sensors across multiple Detection servers by exporting the information to a CSV file.

Retrieve the CSV file

To export sensor information to a CSV file:

  1. In the System > Sensors screen, check the box next to the sensors whose information you want to export. Click the top checkbox to select all sensors except archived sensors.

    As needed, you can use the filters feature to narrow down the list of sensors.

  2. Click Actions and select Export to CSV.

The CSV file containing the sensor details downloads to your machine.

Sensor metadata columns

The sensors CSV file is organized as a table. Each row represents an individual sensor and each column holds one item of configuration information about that sensor. The same metadata is also displayed in the columns of the System > Sensors screen.

The table below describes each metadata column.

Note

There are small differences between how data is displayed in the UI and in the CSV (for example, CPU usage is displayed as a percentage in the UI and as a decimal value in the CSV). The example values in the table below reflect the CSV display.

Each entry below gives, in order: Field, Description, Example values.

Sensor ID

Concatenation of the Detection server ID and sensor PylumID

5b472a712d0ecdfc5b472a7: PYLUMCLIENT_CYBER_564D6A45-1988-35CF-0152-A05DBD60B987B987

PylumID

Sensor identifier

PYLUMCLIENT_CYBER_564D6A45-1988-35CF-0152-A05DBD60B987

GUID

GUID of the sensor

761fdb262d7e4460904b6432ca4b3105

FQDN

Fully qualified domain name of the machine

cyber.cyber.local

Machine name

Name of the machine

cyber

Internal IP address

IP address of the machine as it appears to the internal network

123.45.67.89

External IP address

External IP address of the machine as it appears across the internet

123.45.67.89

Firewall control

The Personal firewall control modes

Advanced

Site

Site name as defined in the Cybereason UI

Default

Site ID

The ID of the site the sensor is assigned to, if you are using Registration servers and have sites set up.

0

Anti-Ransomware mode

The Anti-Ransomware mode

Disabled

App Control mode

App Control mode

Not installed

Isolated

If the machine is isolated. Values are:

  • TRUE

  • FALSE

FALSE

Disconnection time

The last time the sensor connected to the server before disconnecting. Notes:

  • This CSV field corresponds to the ‘Last seen’ column in the Cybereason UI Sensors screen. However, the ‘Last seen’ UI column is populated only for sensors that are currently Offline.

  • This CSV field may differ from the ‘Last pylumID message update time’ if the sensor is currently online but was disconnected in the past. This is because the ‘Disconnection time’ value is only updated when a sensor disconnects.

16/12/2019 09:34:02

Last pylumID message update time

The last time the sensor communicated with the server.

16/12/2019 09:34:02

Sensor status

Connection state for the sensor. Values are:

  • Online - The sensor is connected to the Detection server.

  • Offline - The sensor is not connected to the Detection server.

  • Stale - The sensor has been disconnected from the Detection server for an extended period of time.

  • Archived - The sensor is disconnected from the Detection server and has been archived.

Online

Service status

Main Cybereason service activity. Values are:

  • Up - The main service is running on the endpoint.

  • Down - The main service is inactive.

Note: Service status is always ‘Down’ when sensor status is ‘Offline’.

Up

Last status action

The last manual action. Values are:

  • Archive

  • Unarchive

None

Archived or unarchived comment

The comment entered during the last archive/unarchive action

Archiving sensor

Sensor archived by user

The user who performed the last archive/unarchive action

admin

Server name

The Detection server name

t1

Server ID

The Detection server ID

5b472a712d0ecdfc5b472a7

Server IP

The Detection server IP

987.65.43.21

OS

The OS of the machine

Linux

OS version

The OS version of the machine

CentOS Linux 7

Data collection

Collection state of the sensor. Values are:

  • Enabled - The sensor actively collects data and transmits it to the server.

  • Suspended - The sensor has shut down automatically and has stopped collecting data for a period of time.

  • Disabled - The sensor’s data collection has been disabled.

  • Advanced - Data collection is enabled and an advanced collection is enabled (e.g. DPI, non-exe file collection)

Enabled

Sensor version

Version of the Cybereason sensor

18.0.0

Console version

Version of the console

18

First seen

The first time the sensor went online

47:52.0

Uptime

Amount of time since the sensor has been started/restarted

20d 16:15:28

CPU usage

The average CPU usage of the sensor in the last minute. The number displayed is the global CPU usage on the machine across all cores.

0.008333194

Memory usage

The memory usage in bytes

48537600

Outdated

Is the sensor version outdated? Values are:

  • TRUE

  • FALSE

FALSE

Signature mode

The Anti-Malware > Signatures mode

Disabled

Signature mode origin

The source of the Anti-Malware > Signatures mode

Set by Policy

Last signature update

The last time the Anti-Malware > Signatures database was updated

16/12/2019 09:34:02

Signature DB version

The version number of the Anti-Malware > Signatures database

80094

PowerShell mode

The PowerShell protection mode

Disabled

Remote Shell Status

The status of the Remote Shell feature. Values are:

  • Disabled

  • Enabled

Disabled

Anti-Malware mode

The Anti-Malware mode

Disabled

Anti-Malware mode origin

The source of the Anti-Malware mode

Set by Policy

Last full scan

The last time a full scan was performed on the machine. Values are:

  • Date and time of the last full scan.

  • ‘In progress’ if a full scan is in progress.

  • ‘Not performed’ if a full scan was not yet performed.

16/12/2019 09:34:02

Last quick scan

The last time a quick scan was performed on the machine. Values are:

  • Date and time of the last quick scan.

  • ‘In progress’ if a quick scan is in progress.

  • ‘Not performed’ if a quick scan was not yet performed.

16/12/2019 09:34:02

Organization

The organization name

Internal

Proxy address

The proxy address if there is a proxy

192.168.1.100

Last prevention error

The last prevention error

null

Last exit reason

The last sensor failure status

Stop request received from pylum

Actions in progress

Number of actions sent to sensor that are in progress or pending

0

Pending actions

A list of the pending actions

null

Last upgrade result

The status of the last sensor upgrade. Values are:

  • None

  • InProgress

  • Succeeded

  • AlreadyUpdated

AlreadyUpdated

Department

Department associated with the sensor

IT

Device control

The Device control modes

Disabled

Location

A user-defined string representing the geographic or organizational location of the device the sensor is installed on.

UK

Critical Asset

Notes whether or not the sensor is considered a critical asset. Values are:

  • TRUE - sensor is considered a critical asset.

  • FALSE - sensor is not considered a critical asset.

TRUE

Device Type

User-defined string representing the type of device the sensor is installed on.

Server

Exploit protection mode

The Exploit protection mode

Enabled

Custom tags

Tags associated with the sensor

demo-sensor

AI detect mode

The Anti-Malware > AI detect mode

Aggressive

AI detect mode origin

The source of the Anti-Malware > AI detect mode

Set by Policy

AI prevent mode

The Anti-Malware > AI prevent mode

Aggressive

AI prevent mode origin

The source of the Anti-Malware > AI prevent mode

Set by Policy

Assigned Policy

Name of the policy assigned to the sensor. Value will be ‘Default’ if assigned to the Default policy, and ‘Legacy’ for sensors not upgraded to 19.1+

Default

Policy ID

Policy ID for the sensor’s assigned policy.

e8394fd922sd

Policy Last Update

Values are:

  • Date and time of the last time a user modified the policy.

  • Empty if no policy is assigned to the sensor.

16/12/2019 09:34:02

Compliance

Notes whether or not the sensor is compliant with its assigned policy. Values are:

  • TRUE - The sensor’s security settings match those of its assigned policy (i.e. does not contain additional overrides).

  • FALSE - The sensor’s security settings are different from those specified in its assigned policy (for example, a sensor whose Anti-Malware settings were overridden using the System > Sensors screen).

TRUE

Deleted by

The Cybereason user that removed the sensor from the Sensors screen

user@myserver.com

Deleted date

The date someone removed the sensor from the Sensors screen.

16/12/2019 09:34:02
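
The following is an added example, not part of the Cybereason documentation: a Python script that reads an exported sensors CSV and lists the sensors whose posture needs attention, using the columns described above. It assumes the CSV header names match the field names in the table and that timestamps use the day-first format of the example values; the sample rows are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Header names are assumed to match the field names in
# the table; values not shown on the page (e.g. 'Enabled' for Anti-Malware mode)
# are placeholders.
SAMPLE_CSV = """Machine name,Sensor status,Service status,Outdated,Compliance,Anti-Malware mode,Critical Asset,Last full scan
web01,Online,Up,FALSE,TRUE,Enabled,TRUE,16/12/2019 09:34:02
db02,Online,Up,TRUE,FALSE,Disabled,TRUE,Not performed
lap03,Stale,Down,FALSE,TRUE,Enabled,FALSE,01/10/2019 08:00:00
"""

TS_FORMAT = "%d/%m/%Y %H:%M:%S"  # assumed from the example values (day first)

def parse_ts(value):
    """Return a datetime, or None for 'In progress', 'Not performed', 'null' or empty."""
    try:
        return datetime.strptime(value.strip(), TS_FORMAT)
    except (ValueError, AttributeError):
        return None

def audit(csv_text, now, max_scan_age=timedelta(days=30)):
    """Map machine name -> list of posture findings derived from the export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        status = row.get("Sensor status", "")
        if status in ("Offline", "Stale", "Archived"):
            issues.append(f"sensor {status.lower()}")
        elif row.get("Service status") == "Down":
            # 'Down' is expected when Offline; on a connected sensor it is a finding.
            issues.append("service down while connected")
        if row.get("Outdated") == "TRUE":
            issues.append("sensor version outdated")
        if row.get("Compliance") == "FALSE":
            issues.append("settings differ from assigned policy")
        if row.get("Anti-Malware mode") == "Disabled":
            issues.append("anti-malware disabled")
        scan_raw = row.get("Last full scan") or ""
        scan = parse_ts(scan_raw)
        if scan_raw != "In progress" and (scan is None or now - scan > max_scan_age):
            issues.append("no recent full scan")
        if issues and row.get("Critical Asset") == "TRUE":
            issues.insert(0, "CRITICAL ASSET")
        if issues:
            findings[row.get("Machine name") or "?"] = issues
    return findings

if __name__ == "__main__":
    for host, issues in audit(SAMPLE_CSV, datetime(2019, 12, 17)).items():
        print(host, "->", "; ".join(issues))
```

The 30-day scan threshold is an arbitrary default for the example; set `max_scan_age` to match your own scan schedule.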