From 5b76dfe576492cfb09aead5ba8af99f933410735 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 21 Aug 2023 11:31:11 +0100 Subject: [PATCH] Create an Elastic Defend policy through API (#3661) (#3759) * Create an Elastic Defend policy through API * Updates after TW feedback * Updates after TW feedback * Updates curl formatting and removes superfluous fields * Adds requirements * Apply suggestions from code review Co-authored-by: Joe Peeples --------- Co-authored-by: natasha-moore-elastic Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> (cherry picked from commit d95e2800f2b9c0036de7494d1c387d1062b260ef) Co-authored-by: Joe Peeples --- .../configure-integration-policy.asciidoc | 2 + .../create-defend-policy-api.asciidoc | 819 ++++++++++++++++++ docs/getting-started/index.asciidoc | 1 + 3 files changed, 822 insertions(+) create mode 100644 docs/getting-started/create-defend-policy-api.asciidoc diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc index 354ec1df9e..8e781352fc 100644 --- a/docs/getting-started/configure-integration-policy.asciidoc +++ b/docs/getting-started/configure-integration-policy.asciidoc @@ -15,6 +15,8 @@ You can also create multiple {elastic-defend} integration policies to maintain u You must have the *{elastic-defend} Policy Management : All* <> to configure an integration policy. -- +TIP: In addition to configuring an {elastic-defend} policy through the {elastic-sec} UI, you can create and customize an {elastic-defend} policy <>. + To configure an integration policy: 1. In the {security-app}, go to **Manage** -> **Policies** to view the **Policies** page. diff --git a/docs/getting-started/create-defend-policy-api.asciidoc b/docs/getting-started/create-defend-policy-api.asciidoc new file mode 100644 index 0000000000..95a7bb4e1d --- /dev/null +++ b/docs/getting-started/create-defend-policy-api.asciidoc @@ -0,0 +1,819 @@ +[[create-defend-policy-api]] += Create an {elastic-defend} policy using API + +:frontmatter-description: Create and customize an {elastic-defend} policy through the API. +:frontmatter-tags-products: [security, defend] +:frontmatter-tags-content-type: [how-to] +:frontmatter-tags-user-goals: [manage] + +In addition to <> through the {elastic-sec} UI, you can create and customize an {elastic-defend} policy through the API. This is a three-step process involving the {fleet-guide}/fleet-api-docs.html[{fleet} API]. You can repeat steps 2 and 3 to make more modifications to the {elastic-defend} policy. + +.Requirements +[sidebar] +-- +You must have the *{elastic-defend} Policy Management: All* <> to configure an integration policy. +-- + +[discrete] +[[create-agent-policy]] +== Step 1: Create an agent policy + +Make the following API call to create a new agent policy where you will add your {elastic-defend} integration. Replace `` with your version of {kib}. + +[source,console] +---- +curl --user : --request POST \ + --url 'https://:5601/api/fleet/agent_policies' \ + -H 'Accept: */*' \ + -H 'Accept-Language: en-US,en;q=0.9' \ + -H 'Connection: keep-alive' \ + -H 'Content-Type: application/json' \ + -H 'Sec-Fetch-Dest: empty' \ + -H 'Sec-Fetch-Mode: cors' \ + -H 'Sec-Fetch-Site: same-origin' \ + -H 'kbn-version: ' \ <1> + -d \ +' +{ + "name": "My Policy Name", + "description": "", + "namespace": "default", + "inactivity_timeout": 1209600 +}' +---- +<1> `` to be replaced + +Make a note of the `` you receive in the response. You will use this in step 2 to add {elastic-defend}. + +.Click to display example response +[%collapsible] +==== +[source, json] +---- +{ + "item": { + "id": "", <1> + "name": "My Policy Name", + "description": "", + "namespace": "default", + "inactivity_timeout": 1209600, + "is_protected": false, + "status": "active", + "is_managed": false, + "revision": 1, + "updated_at": "2023-07-24T18:35:00.233Z", + "updated_by": "elastic", + "schema_version": "1.1.1" + } +} +---- +<1> `` needed in step 2 +==== + +[discrete] +[[add-defend-integration]] +== Step 2: Add the {elastic-defend} integration + +Next, make the following call to add the {elastic-defend} integration to the policy that you created in step 1. + +Replace these values: + +. `` with your version of {kib}. +. `` with the agent policy ID you received in step 1. +. `` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*. + +This adds the {elastic-defend} integration to your agent policy with the default settings. + +[source,console] +---- +curl --user : --request POST \ + --url 'https://:5601/api/fleet/package_policies' \ + -H 'Accept: */*' \ + -H 'Accept-Language: en-US,en;q=0.9' \ + -H 'Connection: keep-alive' \ + -H 'Content-Type: application/json' \ + -H 'Sec-Fetch-Dest: empty' \ + -H 'Sec-Fetch-Mode: cors' \ + -H 'Sec-Fetch-Site: same-origin' \ + -H 'kbn-version: ' \ <1> + -d \ +' +{ + "name": "Protect", + "description": "", + "namespace": "default", + "policy_id": "", <2> + "enabled": true, + "inputs": [ + { + "enabled": true, + "streams": [], + "type": "ENDPOINT_INTEGRATION_CONFIG", + "config": { + "_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "EDRComplete" + } + } + } + } + } + ], + "package": { + "name": "endpoint", + "title": "Elastic Defend", + "version": "" <3> + } +}' +---- +<1> `` to be replaced +<2> `` to be replaced +<3> `` to be replaced + +Make a note of the `` you receive in the response. This refers to the {elastic-defend} policy and you will use it in step 3. + +.Click to display example response +[%collapsible] +==== +[source, json] +---- +{ + "item": { + "id": "", <1> + "version": "WzMwOTcsMV0=", + "name": "Protect", + "namespace": "default", + "description": "", + "package": { + "name": "endpoint", + "title": "Elastic Defend", + "version": "8.5.0" + }, + "enabled": true, + "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", + "inputs": [ + { + "type": "endpoint", + "enabled": true, + "streams": [], + "config": { + "integration_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "EDRComplete" + } + } + }, + "artifact_manifest": { + "value": { + "manifest_version": "1.0.2", + "schema_version": "v1", + "artifacts": { + "endpoint-exceptionlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-exceptionlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-exceptionlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + } + } + } + }, + "policy": { + "value": { + "windows": { + "events": { + "dll_and_driver_load": true, + "dns": true, + "file": true, + "network": true, + "process": true, + "registry": true, + "security": true + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "ransomware": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "ransomware": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + }, + "antivirus_registration": { + "enabled": false + }, + "attack_surface_reduction": { + "credential_hardening": { + "enabled": true + } + } + }, + "mac": { + "events": { + "process": true, + "file": true, + "network": true + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + } + }, + "linux": { + "events": { + "process": true, + "file": true, + "network": true, + "session_data": false, + "tty_io": false + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + } + } + } + } + } + } + ], + "revision": 1, + "created_at": "2023-04-06T15:53:14.020Z", + "created_by": "elastic", + "updated_at": "2023-04-06T15:53:14.020Z", + "updated_by": "elastic" + } +} +---- +<1> `` needed in step 3 +==== + +[discrete] +[[customize-policy-settings]] +== Step 3: Customize and save the {elastic-defend} policy settings + +The response you received in step 2 represents the default configuration of your new {elastic-defend} integration. You'll need to modify the default configuration, then make another API call to save your customized policy settings. + +[discrete] +[[modify-configuration]] +=== Modify the configuration + +. From the response you received in step 2, copy the content within the top level `item` object. +. From that content, remove the following fields: ++ +[source, json] +---- +"id": "", +"revision": 1, +"created_at": "2023-04-06T15:53:14.020Z", +"created_by": "elastic", +"updated_at": "2023-04-06T15:53:14.020Z", +"updated_by": "elastic" +---- +. Make any changes to the `policy` object to customize the {elastic-defend} configuration. + +[discrete] +[[save-customized-policy]] +=== Save your customized policy settings + +Include the resulting JSON object in the following call to save your customized {elastic-defend} policy. Replace these values: + +. `` with the {elastic-defend} policy ID you received in step 2. +. `` with your version of {kib}. +. `` with the latest {elastic-defend} package version (for example, `8.9.1`). To find it, go to **Management** -> **Integrations** and select *{elastic-defend}*. + +[source,console] +---- +curl --user : --request PUT \ + --url 'https://:5601/api/fleet/package_policies/' \ <1> + -H 'Accept: */*' \ + -H 'Accept-Language: en-US,en;q=0.9' \ + -H 'Connection: keep-alive' \ + -H 'Content-Type: application/json' \ + -H 'Sec-Fetch-Dest: empty' \ + -H 'Sec-Fetch-Mode: cors' \ + -H 'Sec-Fetch-Site: same-origin' \ + -H 'kbn-version: ' \ <2> + -d \ +' +{ + "version": "WzMwOTcsMV0=", + "name": "Protect", + "namespace": "default", + "description": "", + "package": { + "name": "endpoint", + "title": "Elastic Defend", + "version": "" <3> + }, + "enabled": true, + "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", + "inputs": [ + { + "type": "endpoint", + "enabled": true, + "streams": [], + "config": { + "integration_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "EDRComplete" + } + } + }, + "artifact_manifest": { + "value": { + "manifest_version": "1.0.2", + "schema_version": "v1", + "artifacts": { + "endpoint-exceptionlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-exceptionlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-exceptionlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-trustlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-eventfilterlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-hostisolationexceptionlist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-macos-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-windows-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + }, + "endpoint-blocklist-linux-v1": { + "encryption_algorithm": "none", + "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "decoded_size": 14, + "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", + "encoded_size": 22, + "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", + "compression_algorithm": "zlib" + } + } + } + }, + "policy": { + "value": { + "windows": { + "events": { + "dll_and_driver_load": true, + "dns": true, + "file": true, + "network": true, + "process": true, + "registry": true, + "security": true + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "ransomware": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "ransomware": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + }, + "antivirus_registration": { + "enabled": false + }, + "attack_surface_reduction": { + "credential_hardening": { + "enabled": true + } + } + }, + "mac": { + "events": { + "process": true, + "file": true, + "network": true + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + } + }, + "linux": { + "events": { + "process": true, + "file": true, + "network": true, + "session_data": false, + "tty_io": false + }, + "malware": { + "mode": "prevent", + "blocklist": true + }, + "behavior_protection": { + "mode": "prevent", + "supported": true + }, + "memory_protection": { + "mode": "prevent", + "supported": true + }, + "popup": { + "malware": { + "message": "", + "enabled": true + }, + "behavior_protection": { + "message": "", + "enabled": true + }, + "memory_protection": { + "message": "", + "enabled": true + } + }, + "logging": { + "file": "info" + } + } + } + } + } + } + ] +}' +---- +<1> `` to be replaced +<2> `` to be replaced +<3> `` to be replaced diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index aea96737cf..c8589eba6b 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -25,6 +25,7 @@ include::configure-integration-policy.asciidoc[leveloffset=+1] include::endpoint-diagnostic-data.asciidoc[leveloffset=+2] include::self-healing-rollback.asciidoc[leveloffset=+2] include::linux-file-monitoring.asciidoc[leveloffset=+2] +include::create-defend-policy-api.asciidoc[leveloffset=+2] include::threat-intel-integrations.asciidoc[leveloffset=+1] include::advanced-setting.asciidoc[leveloffset=+1] include::uninstall-endpoint.asciidoc[leveloffset=+1]