Create an Elastic Defend policy using API
In addition to configuring an Elastic Defend policy through the Elastic Security UI, you can create and customize one through the API. This is a three-step process that uses the Fleet API. You can repeat steps 2 and 3 to make further modifications to the Elastic Defend policy.
Step 1: Create an agent policy
Make the following API call to create a new agent policy to which you will add your Elastic Defend integration. Replace <KIBANA-VERSION> with your version of Kibana.
# Step 1: create the agent policy that will hold the Elastic Defend integration.
# POST /api/fleet/agent_policies; the response's item.id is the <POLICY-ID> used in step 2.
#
# Placeholders to substitute: <username>:<password> (a Kibana user), <kibana-url>,
# <KIBANA-VERSION>.
#
# A password passed on the command line is visible in shell history and in process
# listings; outside a throwaway session prefer `--user <username>` (curl then prompts
# for the password) or `--netrc`.
# Kibana requires the kbn-version header (or kbn-xsrf) on write requests and rejects a
# value that does not match the running Kibana version.
# The Accept-Language, Connection and Sec-Fetch-* headers appear to be carried over from
# a browser session; they are kept here as in the original example.
# inactivity_timeout is presumably in seconds (1209600 = 14 days) -- confirm against the
# Fleet API reference.
curl --user <username>:<password> --request POST \
  --url 'https://<kibana-url>:5601/api/fleet/agent_policies' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: <KIBANA-VERSION>' \
  -d '
{
  "name": "My Policy Name",
  "description": "",
  "namespace": "default",
  "inactivity_timeout": 1209600
}'
Make a note of the <POLICY-ID> you receive in the response. You will use it in step 2 to add Elastic Defend.
{ "item": { "id": "<POLICY-ID>", "name": "My Policy Name", "description": "", "namespace": "default", "inactivity_timeout": 1209600, "is_protected": false, "status": "active", "is_managed": false, "revision": 1, "updated_at": "2023-07-24T18:35:00.233Z", "updated_by": "elastic", "schema_version": "1.1.1" } }
Step 2: Add the Elastic Defend integration
Next, make the following call to add the Elastic Defend integration to the agent policy that you created in step 1.
Replace these values:
- <KIBANA-VERSION> with your version of Kibana.
- <POLICY-ID> with the agent policy ID you received in step 1.
- <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> with the latest Elastic Defend package version (for example, 8.9.1). To find it, go to Management → Integrations and select Elastic Defend.
This adds the Elastic Defend integration to your agent policy with the default settings.
# Step 2: attach the Elastic Defend integration (package "endpoint") to the agent
# policy created in step 1, with default settings.
# POST /api/fleet/package_policies; the response's item.id is the <PACKAGE-POLICY-ID>
# used in step 3.
#
# Placeholders to substitute: <username>:<password>, <kibana-url>, <KIBANA-VERSION>,
# <POLICY-ID> (from step 1), <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>.
#
# A password passed on the command line is visible in shell history and in process
# listings; outside a throwaway session prefer `--user <username>` (curl then prompts
# for the password) or `--netrc`.
# Kibana requires the kbn-version header (or kbn-xsrf) on write requests and rejects a
# value that does not match the running Kibana version.
# The Accept-Language, Connection and Sec-Fetch-* headers appear to be carried over from
# a browser session; they are kept here as in the original example.
#
# In the request the input is typed ENDPOINT_INTEGRATION_CONFIG with a "_config" block;
# the step 2 example response echoes it back as type "endpoint" with
# "integration_config". The EDRComplete preset expands, per that example response,
# into prevent-mode malware, memory and behavior protection (plus ransomware on
# Windows) with the default event collection -- review the resulting "policy" object
# before saving it in step 3.
curl --user <username>:<password> --request POST \
  --url 'https://<kibana-url>:5601/api/fleet/package_policies' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: <KIBANA-VERSION>' \
  -d '
{
  "name": "Protect",
  "description": "",
  "namespace": "default",
  "policy_id": "<POLICY-ID>",
  "enabled": true,
  "inputs": [
    {
      "enabled": true,
      "streams": [],
      "type": "ENDPOINT_INTEGRATION_CONFIG",
      "config": {
        "_config": {
          "value": {
            "type": "endpoint",
            "endpointConfig": {
              "preset": "EDRComplete"
            }
          }
        }
      }
    }
  ],
  "package": {
    "name": "endpoint",
    "title": "Elastic Defend",
    "version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>"
  }
}'
Make a note of the <PACKAGE-POLICY-ID> you receive in the response. This ID refers to the Elastic Defend policy; you will use it in step 3.
{ "item": { "id": "<PACKAGE-POLICY-ID>", "version": "WzMwOTcsMV0=", "name": "Protect", "namespace": "default", "description": "", "package": { "name": "endpoint", "title": "Elastic Defend", "version": "8.5.0" }, "enabled": true, "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", "inputs": [ { "type": "endpoint", "enabled": true, "streams": [], "config": { "integration_config": { "value": { "type": "endpoint", "endpointConfig": { "preset": "EDRComplete" } } }, "artifact_manifest": { "value": { "manifest_version": "1.0.2", "schema_version": "v1", "artifacts": { "endpoint-exceptionlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-exceptionlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-exceptionlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-macos-v1": { "encryption_algorithm": "none", 
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", 
"encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": 
"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" } } } }, "policy": { "value": { "windows": { "events": { "dll_and_driver_load": true, "dns": true, "file": true, "network": true, "process": true, "registry": true, "security": true }, "malware": { "mode": "prevent", "blocklist": true }, "ransomware": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "ransomware": 
{ "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" }, "antivirus_registration": { "enabled": false }, "attack_surface_reduction": { "credential_hardening": { "enabled": true } } }, "mac": { "events": { "process": true, "file": true, "network": true }, "malware": { "mode": "prevent", "blocklist": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" } }, "linux": { "events": { "process": true, "file": true, "network": true, "session_data": false, "tty_io": false }, "malware": { "mode": "prevent", "blocklist": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" } } } } } } ], "revision": 1, "created_at": "2023-04-06T15:53:14.020Z", "created_by": "elastic", "updated_at": "2023-04-06T15:53:14.020Z", "updated_by": "elastic" } }
Step 3: Customize and save the Elastic Defend policy settings
The response you received in step 2 represents the default configuration of your new Elastic Defend integration. You need to modify this default configuration, then make another API call to save your customized policy settings.
Modify the configuration
1. From the response you received in step 2, copy the content within the top-level item object.
2. From that content, remove the following fields:
"id": "<PACKAGE-POLICY-ID>", "revision": 1, "created_at": "2023-04-06T15:53:14.020Z", "created_by": "elastic", "updated_at": "2023-04-06T15:53:14.020Z", "updated_by": "elastic"
3. Make any changes to the policy object to customize the Elastic Defend configuration.
Save your customized policy settings
Include the resulting JSON object in the following call to save your customized Elastic Defend policy. Replace these values:
- <PACKAGE-POLICY-ID> with the Elastic Defend policy ID you received in step 2.
- <KIBANA-VERSION> with your version of Kibana.
- <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> with the latest Elastic Defend package version (for example, 8.9.1). To find it, go to Management → Integrations and select Elastic Defend.
The version and policy_id values shown in the example request body below are copied from the example step 2 response; in your request they must be the values from your own step 2 response.
# Step 3: save the customized Elastic Defend policy.
# PUT /api/fleet/package_policies/<PACKAGE-POLICY-ID>; the body is the "item" object
# from the step 2 response with id, revision, created_at, created_by, updated_at and
# updated_by removed and the "policy" object edited as required.
#
# Placeholders to substitute: <username>:<password>, <kibana-url>, <KIBANA-VERSION>,
# <PACKAGE-POLICY-ID> (from step 2), <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>.
#
# The literal "version": "WzMwOTcsMV0=" and "policy_id": "b4be0860-..." below are taken
# from the example step 2 response and must be replaced with the values from your own
# response. "version" is presumably the saved-object version token used for
# optimistic concurrency -- TODO confirm against the Fleet API reference.
# The artifact_manifest block is echoed back unchanged from the step 2 response; the
# page does not state whether it may be omitted, so it is kept.
#
# A password passed on the command line is visible in shell history and in process
# listings; outside a throwaway session prefer `--user <username>` (curl then prompts
# for the password) or `--netrc`.
# Kibana requires the kbn-version header (or kbn-xsrf) on write requests and rejects a
# value that does not match the running Kibana version.
# The Accept-Language, Connection and Sec-Fetch-* headers appear to be carried over from
# a browser session; they are kept here as in the original example.
curl --user <username>:<password> --request PUT \ --url 'https://<kibana-url>:5601/api/fleet/package_policies/<PACKAGE-POLICY-ID>' \ -H 'Accept: */*' \ -H 'Accept-Language: en-US,en;q=0.9' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/json' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'kbn-version: <KIBANA-VERSION>' \ -d \ ' { "version": "WzMwOTcsMV0=", "name": "Protect", "namespace": "default", "description": "", "package": { "name": "endpoint", "title": "Elastic Defend", "version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>" }, "enabled": true, "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a", "inputs": [ { "type": "endpoint", "enabled": true, "streams": [], "config": { "integration_config": { "value": { "type": "endpoint", "endpointConfig": { "preset": "EDRComplete" } } }, "artifact_manifest": { "value": { "manifest_version": "1.0.2", "schema_version": "v1", "artifacts": { "endpoint-exceptionlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-exceptionlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-exceptionlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": 
"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-trustlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, 
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-eventfilterlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": 
"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-hostisolationexceptionlist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-macos-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-windows-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" }, "endpoint-blocklist-linux-v1": { "encryption_algorithm": "none", "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "decoded_size": 14, "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda", "encoded_size": 22, "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658", "compression_algorithm": "zlib" } } } }, 
"policy": { "value": { "windows": { "events": { "dll_and_driver_load": true, "dns": true, "file": true, "network": true, "process": true, "registry": true, "security": true }, "malware": { "mode": "prevent", "blocklist": true }, "ransomware": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "ransomware": { "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" }, "antivirus_registration": { "enabled": false }, "attack_surface_reduction": { "credential_hardening": { "enabled": true } } }, "mac": { "events": { "process": true, "file": true, "network": true }, "malware": { "mode": "prevent", "blocklist": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" } }, "linux": { "events": { "process": true, "file": true, "network": true, "session_data": false, "tty_io": false }, "malware": { "mode": "prevent", "blocklist": true }, "behavior_protection": { "mode": "prevent", "supported": true }, "memory_protection": { "mode": "prevent", "supported": true }, "popup": { "malware": { "message": "", "enabled": true }, "behavior_protection": { "message": "", "enabled": true }, "memory_protection": { "message": "", "enabled": true } }, "logging": { "file": "info" } } } } } } ] }'