
Troubleshooting error message: "Aborted importing policies. Error occured while serializing JSON object ..." while importing EDR Deny and Allow Lists


Article ID: 226844


Products

Endpoint Detection and Response

Issue/Introduction

If a user imports an improperly formatted JSON file containing multiple DENY or ALLOW policies, the following error message appears.

Image 1 - Import Error for the DENY policy

 

Cause

Possible causes are:

      • Improper nesting of braces { }
      • Improper nesting of brackets [ ]
      • Missing or extra commas, etc.
      • Improper tags used: uncorrected versions of the EDR may use "blacklist" or "whitelist" instead of the updated "Allow list" or "Deny list" tags

 

Environment

All 4.x EDR versions.

Resolution

Manually enter a few EDR Deny or Allow list policies in the EDR. Then export the JSON policy to determine whether your JSON file contains "blacklist" or "whitelist" tags.

See example below.

 

Additional Information

Improperly formatted JSON example (See Image 1 above for resulting error)

                               JSON Code Snippet

"policy": {
        "deny list": [
            {
                "target_value": "10.100.200.30",
                "target_type": "ip"
            },
            {
                "target_value": "badc0ffeedeadbeefbadc0ffeedeadbe",
                "target_type": "md5"
            },
            {
                "target_value": "badc0ffeedeadbeefbadc0ffeedeadbebadc0ffeedeadbeefbadc0ffeedeadbe",
                "target_type": "sha256",
                "target_file_size": 42433
            },
            {
                "target_value": "baddomain.com/index.html",
                "target_type": "url"
            },
            {
                "target_value": "test.info",
                "target_type": "domain"
            }
        ],
        "allow list": [
            {
                "target_value": "10.100.200.34",
                "target_type": "ip"
            },
            {
                "target_value": "badc0ffeedeadbeefbadc0ffeedeadbebadc0ffeedeadbeefbadc0ffeedeadbe",
                "target_type": "sha256"
            },
            {
                "target_value": "apple.com/store",
                "target_type": "url"
            },
            {
                "target_value": "goodplace.com",
                "target_type": "domain"
            }
        ]

             Note:   This policy code snippet may exist in our documentation.

In the above code snippet, the policy has the following issues:

1)  The older "blacklist" and "whitelist" tags are not used.

2)  A single open brace  {  is omitted at the beginning of the file.

3)  Two (2) closing braces  }  are omitted at the bottom of the file.
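
A pre-import check along the lines of the Resolution above, added here as an example and not taken from the vendor's documentation: it reports where the JSON parser fails and compares the list tags in the file with those in a policy exported from the EDR. The function name, the sample strings and the {"policy": {tag: [entries]}} shape (inferred from the snippet above) are assumptions.

```python
import json

def check_policy(candidate_text, exported_text):
    """Return a list of problems found in candidate_text before import.

    exported_text is a policy exported from the EDR itself (see Resolution);
    the list tags it contains are treated as the ones this EDR expects.
    """
    try:
        candidate = json.loads(candidate_text)
    except json.JSONDecodeError as err:
        # Brace, bracket and comma mistakes: report where the parser gave up.
        return [f"invalid JSON at line {err.lineno}, column {err.colno}: {err.msg}"]
    # Assumed shape, inferred from the article's snippet: {"policy": {tag: [entries]}}
    expected = set(json.loads(exported_text)["policy"])
    policy = candidate.get("policy") if isinstance(candidate, dict) else None
    if not isinstance(policy, dict):
        return ['top level must be an object with a "policy" object inside it']
    problems = []
    for tag, entries in policy.items():
        if tag not in expected:
            problems.append(f'tag "{tag}" is not used by this EDR; expected one of {sorted(expected)}')
        if not isinstance(entries, list):
            problems.append(f'"{tag}" must be a list of entries')
            continue
        for i, entry in enumerate(entries):
            if not isinstance(entry, dict) or not {"target_value", "target_type"} <= entry.keys():
                problems.append(f'"{tag}"[{i}] needs "target_value" and "target_type"')
    return problems

# Constructed samples. EXPORTED stands in for a file exported from an EDR that
# still uses the older tags; BROKEN mirrors the article's snippet (no opening
# brace, no closing braces, newer tags).
EXPORTED = '{"policy": {"blacklist": [], "whitelist": []}}'
BROKEN = '"policy": {"deny list": [{"target_value": "test.info", "target_type": "domain"}]'
BRACES_FIXED = "{" + BROKEN + "}}"
TAGS_FIXED = BRACES_FIXED.replace("deny list", "blacklist")

if __name__ == "__main__":
    for name, text in [("broken", BROKEN), ("braces fixed", BRACES_FIXED), ("tags fixed", TAGS_FIXED)]:
        print(name, "->", check_policy(text, EXPORTED) or "OK")
```
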

The corrections are highlighted in RED below:

 
