EDR: Why are some of the intelligence feeds not exportable to airgapped servers?

Article ID: 285101


Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Why are some of the intelligence feeds not exportable to airgapped servers?

Environment

  • EDR server: All supported versions

Resolution

  • This is expected. The feeds reported as not exportable are installed out of the box, so they are already the same on the airgapped server and there is no need to export them.
  • They are not normal IOC-based feeds (md5/sha256 hash, query, ip, domain) but rather specialized alerts that don't get updated.
  • The feeds require sharing with Alliance, which an airgapped server does not do.

Additional Information

The following errors may be seen when exporting feeds:
cbbanning is not an exportable feed
cbemet is not an exportable feed
cbtamper is not an exportable feed
CbInspection is not an exportable feed
  • cbbanning - Only alerts when a banned hash is seen. Nothing to update.
  • cbemet - This feed reports on EMET events observed on the endpoint. Nothing to update.
  • cbtamper - Alerts if a sensor has detected a tamper event. Nothing to update.
  • cbinspection - No longer available; this was a paid service in the past that has since been decommissioned.

The Cb Reputation Threat feed and the NVD feed cannot be exported, by design: they work by hash sharing and reputation feedback with Alliance, which is not designed for export. The error will look like:

This feed is customer server specific, and therefore the installation must share Binary Hashes & Metadata with Carbon Black & Partners to take advantage of this feed.