New Policy Service API Release
Posted on April 25, 2022
Overview
Policies are a group of rules and sensor settings that determine preventative behavior. Each endpoint sensor, or sensor group, is assigned to a policy.
With the Policy Service API, you can now manage your Policies for endpoints and workloads with a single CUSTOM API key. This will allow more granular permission controls when creating API keys to manage Policies. This iteration of the Policies API also aligns many field names with those used elsewhere in the product. Policy Service API will serve as the primary API to manage policies in the Carbon Black Cloud going forward.
Requirements
- At least one Carbon Black Cloud product
- Carbon Black Cloud Endpoint Standard to use preventative policy rules
For standalone Enterprise EDR customers, policy rule options are limited
Predefined Policies
Each organization in the Carbon Black Cloud will contain a set of predefined policies to provide a template to define custom policies. You can assign sensors to these policies, change the policy settings, or duplicate the settings to create a new policy. You cannot delete predefined policies.
Policy | Description | Note |
---|---|---|
Standard | Blocks known and suspected malware, and prevents risky operations like memory scraping and code injections. Newly deployed sensors are assigned this policy by default. It is the recommended starting point for new deployments. | Review and refine the Standard policy rules to avoid unnecessary blocks or false positives that are triggered by in-house or custom software applications, which may have reputations that the Carbon Black Cloud does not recognize. |
Monitored | Monitors endpoint application activity and logs events to the Dashboard. This policy has no preventive capabilities. | Use the data that this policy provides to evaluate policy rule implementation needs. |
Advanced | Extends the capabilities of the Standard policy. It blocks operations from system utilizing, and prevents from riskier behaviors that are more likely to be false positives. | Use a phased roll-out approach to implement any new or Advanced policy rules. We recommend assigning Advanced policies to a group of pilot endpoints, and watching for false positives or blocks on legitimate software before rolling them out to more endpoints. |