EDR: Feeds Do not Import Successfully Into an Air-Gapped EDR Container Install
book
Article ID: 285972
calendar_today
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- There is no error message when attempting to import feeds outside of the container, but the feeds do not show in the UI after importing
- When attempting to import the feeds from inside the container you receive the following error
Importing Threat Intelligence feeds from /root/feeds
Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/requests/models.py", line 971, in json
return complexjson.loads(self.text, **kwargs)
File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/__init__.py", line 525, in loads
return _default_decoder.decode(s)
File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/decoder.py", line 370, in decode
obj, end = self.raw_decode(s)
File "/usr/share/cb/virtualenv/lib/python3.10/site-packages/simplejson/decoder.py", line 400, in raw_decode
return self.scan_once(s, idx=_w(s, idx).end())
simplejson.errors.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
Environment
- Containerized EDR Server:7.8.0
- Linux: All Supported
Cause
- The cause of this issue is incorrect information returned by the import API
- The API looks for feeds in a Postgres feeds table which does not have any data, this then returns an error
Resolution
A workaround for this issue is to import a single feed manually through the Web Console and then the cbfeeds import will work as expected
Feedback
thumb_up
Yes
thumb_down
No