EDR: How to import/export feeds to an airgapped EDR instance?
Article ID: 285946
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How can we export and import feeds into an airgapped EDR instance?
Environment
- EDR: All Supported
Resolution
- In the 7.5.0 EDR the /usr/share/cb/cbfeed_airgap script was implemented:
usage: cbfeed_airgap [-h] [-v] [-p EDR_PORT] {import,export} ...
VMware Carbon Black EDR feed import/export utility for air-gapped systems
positional arguments:
{import,export} Commands
import Import feeds from disk
export Export feeds to disk
optional arguments:
-h, --help show this help message and exit
-v, --verbose Provide more detailed output
-p EDR_PORT, --port EDR_PORT
EDR port (default: 443)
- Much like other EDR airgapped functions, this item will require a networked EDR instance to pull the appropriate feeds.
- To export feeds:
/usr/share/cb/cbfeed_airgap export
- To export feeds with custom UI port 8443
Example: /usr/share/cb/cbfeed_airgap -p 8443 export
- Transfer feeds directory over to airgapped machine (export directory default: /tmp/cbfeeds_airgap)
- To import feeds:
/usr/share/cb/cbfeed_airgap import -f /tmp/cbfeeds_airgap/
Feedback
Yes
No
Powered by
