EDR: Feeds Do not Import Successfully Into an Air-Gapped EDR Container Install
search cancel

EDR: Feeds Do not Import Successfully Into an Air-Gapped EDR Container Install

book

Article ID: 285972

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • There is no error message when attempting to import feeds outside of the container, but the feeds do not show in the UI after importing
  • When attempting to import the feeds from inside the container you receive the following error 
    Importing Threat Intelligence feeds from /root/feeds
Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/requests/models.py", line 971, in json
    return complexjson.loads(self.text, **kwargs)
  File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/__init__.py", line 525, in loads
    return _default_decoder.decode(s)
  File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/decoder.py", line 370, in decode
    obj, end = self.raw_decode(s)
  File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/decoder.py", line 400, in raw_decode
    return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)

Environment

  • Containerized EDR Server:7.8.0
  • Linux: All Supported

Cause

  • The cause of this issue is incorrect information returned by the import API
  • The API looks for feeds in a Postgres feeds table which does not have any data, this then returns an error

Resolution

A workaround for this issue is to import a single feed manually through the Web Console and then the cbfeeds import will work as expected
Powered by Wolken Software