Policy Service API
Overview
Policies are where users go to manage their security posture in their organization. Choose one of VMware Carbon Black’s predefined policies as a starting point, and tune its default prevention settings as you see fit in your environment. Often times, users may need to add exceptions for special programs in their environment that perform anomalous behavior. Similarly, users may want to explicitly block certain programs from executing in their environment. Users can leverage the Policies API to achieve all types of policy and sensor setting adjustments.
Key Features
- Create or modify policies
- Manage prevention rules on existing policies
- Adjust sensor settings
Use Cases
- Add Blocking and Isolation or Permission rules to prevent ransomware-like behavior
- Adjust the frequency and intensity of signature updates and the local scanner
- Modify certain sensor behaviors via the sensor settings
Note: To enable USB Device blocking for a policy see Device Control Blocks
Requirements
- At least one Carbon Black Cloud product
- Carbon Black Cloud Endpoint Standard to use preventative policy rules
Authentication
Determine whether you use Carbon Black Cloud or VMware Cloud Services Platform to manage identity and authorization, or see the Carbon Black Cloud API Access Guide for complete instructions.Carbon Black Cloud Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with Role-Based Access Control; All APIs and Services authenticate via API Keys. To access the data in Carbon Black Cloud via API, you must set up a key with the correct permissions for the calls you want to make and pass it in the HTTP Headers.
Environment
Available on majority of environments; Use the Carbon Black Cloud Console URL, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- Policy: {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/
Access Level
Before you create your API Key, you need to create a "Custom" Access Level including each category:
- Policies > Policies > org.policies, allow permission to
CREATE, READ, UPDATE, DELETE
API Key
When creating your API Key, use the Access Level Type of "Custom" and select the Access Level you created. Details on constructing and passing the API Key in your requests are available here.
Cloud Services Platform Managed Identity and Authentication
Customize your access to the Carbon Black Cloud APIs with OAuth Access Control; API access is controlled using OAuth apps or User API Tokens. This is currently limited to the UK Point of Presence and AWS GovCloud (US).
Environment
Available on
Prod UK and AWS GovCloud (US). Full list of environments is available here; Use the Carbon Black Cloud Console URL from Cloud Services Platform, as described here.
API Route
Replace the {cbc-hostname} and {org_key} with the URL of your Environment and the org_key for your specific Org.
- Policy: {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/
Access Level
Before you create your OAuth App, you need to create a custom Role with the following permissions under IDENTITY & ACCESS MANAGEMENT > Roles > VMware Carbon Black Cloud:
- _API.Policies:org.Policies, allow permission to
CREATE, READ, UPDATE AND DELETE
API Authentication
The Cloud Services Platform supports several authentication options, Access Token, API Token, and for backward compatibility, X-Auth-Token. To learn about the differences or how to use the authentication methods see the Authentication Guide.
API Calls
Policies
Create Policy
Create a new policy for protecting endpoints and workloads.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
POST {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies
Request Body
{
"name": "<string>",
"org_key": "<string>",
"priority_level": "<string>",
"position": <long>,
"is_system": <boolean>,
"description": "<string>",
"auto_deregister_inactive_vdi_interval_ms": <long>,
"auto_delete_known_bad_hashes_delay": <long>,
"av_settings": {
"avira_protection_cloud": {
"enabled": <boolean>,
"max_exe_delay": <long>,
"max_file_size": <long>,
"risk_level": <long>
},
"on_access_scan": {
"enabled": <boolean>,
"mode": "<string>"
},
"on_demand_scan": {
"enabled": <boolean>,
"profile": "<string>",
"schedule": {
"days": [ "<string>" ],
"start_hour": <long>,
"range_hours": <long>,
"recovery_scan_if_missed": <boolean>
},
"scan_usb": "<string>",
"scan_cd_dvd": "<string>"
},
"signature_update": {
"enabled": <boolean>,
"schedule": {
"full_interval_hours": <long>,
"initial_random_delay_hours": <long>,
"interval_hours": <long>
}
},
"update_servers": {
"servers_override": [ "<string>" ],
"servers_for_onsite_devices": [
{
"server": "<string>",
"preferred": <boolean>
}
],
"servers_for_offsite_devices": [ "<string>" ]
}
},
"rules": [
{
"id": <long>,
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
}
],
"directory_action_rules": [
{
"file_upload": <boolean>,
"protection": <boolean>,
"path": "<string>"
}
],
"sensor_settings": [
{
"name": "<string>",
"value": "<string>"
}
],
"managed_detection_response_permissions": {
"policy_modification": <boolean>,
"quarantine": <boolean>
},
"version": <long>,
"message": "<string>",
"rapid_configs": [ "<string>" ]
}Body Schema
See Policy Fields
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies
Request Body
{
"id": 4920125,
"name": "Standard",
"org_key": "ABCD1234",
"priority_level": "MEDIUM",
"position": -1,
"is_system": true,
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_delete_known_bad_hashes_delay": null,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"schedule": {
"days": null,
"start_hour": 0,
"range_hours": 0,
"recovery_scan_if_missed": true
},
"scan_usb": "AUTOSCAN",
"scan_cd_dvd": "AUTOSCAN"
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_override": [],
"servers_for_onsite_devices": [
{
"server": "http://updates2.cdc.carbonblack.io/update2",
"preferred": false
}
],
"servers_for_offsite_devices": [
"http://updates2.cdc.carbonblack.io/update2"
]
}
},
"rules": [
{
"id": 1,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
{
"id": 2,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "COMPANY_BLACK_LIST"
},
"operation": "RUN"
}
],
"directory_action_rules": [],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
}
],
"managed_detection_response_permissions": {
"policy_modification": true,
"quarantine": true
},
"version": null,
"message": null,
"rapid_configs": []
}Response
{
"id": 4920125,
"name": "Standard",
"org_key": "ABCD1234",
"priority_level": "MEDIUM",
"position": -1,
"is_system": true,
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_delete_known_bad_hashes_delay": null,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"schedule": {
"days": null,
"start_hour": 0,
"range_hours": 0,
"recovery_scan_if_missed": true
},
"scan_usb": "AUTOSCAN",
"scan_cd_dvd": "AUTOSCAN"
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_override": [],
"servers_for_onsite_devices": [
{
"server": "http://updates2.cdc.carbonblack.io/update2",
"preferred": false
}
],
"servers_for_offsite_devices": [ "http://updates2.cdc.carbonblack.io/update2" ]
}
},
"rules": [
{
"id": 1,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
{
"id": 2,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "COMPANY_BLACK_LIST"
},
"operation": "RUN"
}
],
"directory_action_rules": [],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
}
],
"managed_detection_response_permissions": {
"policy_modification": true,
"quarantine": true
},
"version": null,
"message": null,
"rapid_configs": []
}Get Policy Summaries
Get an overview of the policies available in the organization
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
GET {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/summary
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/summary
Response
{
"policies": [
{
"id": 4920125,
"is_system": true,
"name": "Standard",
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"priority_level": "MEDIUM",
"position": -1,
"num_devices": 0
}
]
}Get Policy Details
Get a policy’s details by id
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
READ |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:read |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
GET {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
GET https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125
Response
{
"id": 4920125,
"name": "Standard",
"org_key": "ABCD1234",
"priority_level": "MEDIUM",
"position": -1,
"is_system": true,
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_delete_known_bad_hashes_delay": null,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"schedule": {
"days": null,
"start_hour": 0,
"range_hours": 0,
"recovery_scan_if_missed": true
},
"scan_usb": "AUTOSCAN",
"scan_cd_dvd": "AUTOSCAN"
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_override": [],
"servers_for_onsite_devices": [
{
"server": "http://updates2.cdc.carbonblack.io/update2",
"preferred": false
}
],
"servers_for_offsite_devices": [ "http://updates2.cdc.carbonblack.io/update2" ]
}
},
"rules": [
{
"id": 1,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
{
"id": 2,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "COMPANY_BLACK_LIST"
},
"operation": "RUN"
}
],
"directory_action_rules": [],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
}
],
"managed_detection_response_permissions": {
"policy_modification": true,
"quarantine": true
},
"version": null,
"message": null,
"rapid_configs": []
}Update Policy
Modify an existing policy
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
UPDATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:update |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
PUT {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}
Request Body
{
"id": <long>,
"name": "<string",
"org_key": "<string>",
"priority_level": "<string>",
"position": <long>,
"is_system": <boolean>,
"description": "<string>",
"auto_deregister_inactive_vdi_interval_ms": <long>,
"auto_delete_known_bad_hashes_delay": <long>,
"av_settings": {
"avira_protection_cloud": {
"enabled": <boolean>,
"max_exe_delay": <long>,
"max_file_size": <long>,
"risk_level": <long>
},
"on_access_scan": {
"enabled": <boolean>,
"mode": "<string>"
},
"on_demand_scan": {
"enabled": <boolean>,
"profile": "<string>",
"schedule": {
"days": [ "<string>" ],
"start_hour": <long>,
"range_hours": <long>,
"recovery_scan_if_missed": <boolean>
},
"scan_usb": "<string>",
"scan_cd_dvd": "<string>"
},
"signature_update": {
"enabled": <boolean>,
"schedule": {
"full_interval_hours": <long>,
"initial_random_delay_hours": <long>,
"interval_hours": <long>
}
},
"update_servers": {
"servers_override": [ "<string>" ],
"servers_for_onsite_devices": [
{
"server": "<string>",
"preferred": <boolean>
}
],
"servers_for_offsite_devices": [ "<string>" ]
}
},
"rules": [
{
"id": <long>,
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
}
],
"directory_action_rules": [
{
"file_upload": <boolean>,
"protection": <boolean>,
"path": "<string>"
}
],
"sensor_settings": [
{
"name": "<string>",
"value": "<string>"
}
],
"managed_detection_response_permissions": {
"policy_modification": <boolean>,
"quarantine": <boolean>
},
"version": <long>,
"message": "<string>",
"rapid_configs": [ "<string>" ]
}Body Schema
See Policy Fields
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
PUT https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125
Request Body
{
"id": 4920125,
"name": "Standard",
"org_key": "ABCD1234",
"priority_level": "MEDIUM",
"position": -1,
"is_system": true,
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_delete_known_bad_hashes_delay": null,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"schedule": {
"days": null,
"start_hour": 0,
"range_hours": 0,
"recovery_scan_if_missed": true
},
"scan_usb": "AUTOSCAN",
"scan_cd_dvd": "AUTOSCAN"
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_override": [],
"servers_for_onsite_devices": [
{
"server": "http://updates2.cdc.carbonblack.io/update2",
"preferred": false
}
],
"servers_for_offsite_devices": [ "http://updates2.cdc.carbonblack.io/update2" ]
}
},
"rules": [
{
"id": 1,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
{
"id": 2,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "COMPANY_BLACK_LIST"
},
"operation": "RUN"
}
],
"directory_action_rules": [],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
}
],
"managed_detection_response_permissions": {
"policy_modification": true,
"quarantine": true
},
"version": null,
"message": null,
"rapid_configs": []
}Response
{
"id": 4920125,
"name": "Standard",
"org_key": "ABCD1234",
"priority_level": "MEDIUM",
"position": -1,
"is_system": true,
"description": "Prevents known malware and reduces false positives. Used as the default policy for all new sensors, unless sensor group criteria is met.",
"auto_deregister_inactive_vdi_interval_ms": 0,
"auto_delete_known_bad_hashes_delay": null,
"av_settings": {
"avira_protection_cloud": {
"enabled": false,
"max_exe_delay": 45,
"max_file_size": 4,
"risk_level": 4
},
"on_access_scan": {
"enabled": true,
"mode": "NORMAL"
},
"on_demand_scan": {
"enabled": true,
"profile": "NORMAL",
"schedule": {
"days": null,
"start_hour": 0,
"range_hours": 0,
"recovery_scan_if_missed": true
},
"scan_usb": "AUTOSCAN",
"scan_cd_dvd": "AUTOSCAN"
},
"signature_update": {
"enabled": true,
"schedule": {
"full_interval_hours": 0,
"initial_random_delay_hours": 4,
"interval_hours": 4
}
},
"update_servers": {
"servers_override": [],
"servers_for_onsite_devices": [
{
"server": "http://updates2.cdc.carbonblack.io/update2",
"preferred": false
}
],
"servers_for_offsite_devices": [ "http://updates2.cdc.carbonblack.io/update2" ]
}
},
"rules": [
{
"id": 1,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
{
"id": 2,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "COMPANY_BLACK_LIST"
},
"operation": "RUN"
}
],
"directory_action_rules": [],
"sensor_settings": [
{
"name": "ALLOW_UNINSTALL",
"value": "true"
}
],
"managed_detection_response_permissions": {
"policy_modification": true,
"quarantine": true
},
"version": null,
"message": null,
"rapid_configs": []
}Delete Policy
Delete an existing policy.
Note: You cannot delete predefined policies.
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
DELETE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:delete |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
DELETE {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully deleted policy | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125
Response
No ContentRules
Add Policy Rule
Create a new permission or prevention rule in a policy
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
UPDATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:update |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
POST {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}/rules
Request Body
{
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
}Body Schema
See Rule Fields
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125/rules
Request Body
{
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "SUSPECT_MALWARE"
},
"operation": "RUN"
}Response
{
"id": 3,
"required": false,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "SUSPECT_MALWARE"
},
"operation": "RUN"
}Update Policy Rule
Update an existing permission or prevention rule in a policy
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
UPDATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:update |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
PUT {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}/rules/{rule_id}
Request Body
{
"id": <long>,
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
}Body Schema
See Rule Fields
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
PUT https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125/rules/3
Request Body
{
"id": 3,
"required": false,
"action": "DENY",
"application": {
"type": "REPUTATION",
"value": "SUSPECT_MALWARE"
},
"operation": "RUN"
}Response
{
"id": 3,
"required": false,
"action": "DENY",
"application": {
"type": "REPUTATION",
"value": "SUSPECT_MALWARE"
},
"operation": "RUN"
}Delete Policy Rule
Delete an existing permission or prevention rule in a policy
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
UPDATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:update |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
DELETE {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/{policy_id}/rules/{rule_id}
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 204 | Successfully deleted policy rule | application/json | View example response below |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
DELETE https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/4920125/rules/3
Response
No ContentBulk Modify Policy Rules
Copy or modify a permission or prevention rule into multiple policies
RBAC Permissions Required
| Identity Manager | Permission (.notation name) | Operation(s) | Environment |
|---|---|---|---|
| Carbon Black Cloud | org.policies |
CREATE |
Majority of environments |
| VMware Cloud Services Platform | _API.Policies:org.Policies:create |
N/A - included in permission name | Prod UK and AWS GovCloud (US) |
Requests
POST {cbc-hostname}/policyservice/v1/orgs/{org_key}/policies/rules/changes
Request Body
{
"target_policy_ids": [
<long>
],
"conflict_resolution_mode": "<string>",
"changes": [
{
"old_rule": {
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
},
"new_rule": {
"required": <boolean>,
"action": "<string>",
"application": {
"type": "<string>",
"value": "<string>"
},
"operation": "<string>"
}
}
]
}Body Schema
| Field | Definition | Data Type | Values |
|---|---|---|---|
target_policy_ids |
Destination policies for the rule change | Array | |
conflict_resolution_mode |
The mechanism to resolve if there is a conflict | String | DRY_RUN, ABORT, TAKE_NEW, KEEP_OLD |
changes |
The rules to copy or replace | Array | Changes - see below |
Changes:
| Field | Definition | Data Type | Values |
|---|---|---|---|
old_rule |
The old rule that will be removed or replaced | Object | Rule |
new_rule |
The new rule that will be added | Object | Rule |
resolution |
Response Only The resolution that was performed | String | DRY_RUN, ABORT, TAKE_NEW, KEEP_OLD |
state |
Response Only The difference in state between the old and new rule | String | APPLIED, CONFLICT, SAFE_TO_APPLY, SAME |
Response
| Code | Description | Content-Type | Content |
|---|---|---|---|
| 200 | Successful Request | application/json | View example response below |
| 400 | The JSON body was malformed, or some part of the JSON body included an invalid value | N/A | N/A |
| 401 | Unauthorized | N/A | N/A |
| 403 | Forbidden | N/A | N/A |
| 404 | Not found | N/A | N/A |
| 500 | Internal Server Error | N/A | N/A |
Example
Request
POST https://defense.conferdeploy.net/policyservice/v1/orgs/ABCD1234/policies/rules/changes
Request Body
{
"target_policy_ids": [
6527
],
"conflict_resolution_mode": "TAKE_NEW",
"changes": [
{
"new_rule": {
"required": true,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
}
}
]
}Response
{
"target_policy_ids": [
6527
],
"conflict_resolution_mode": "TAKE_NEW",
"changes": [
{
"new_rule": {
"id": 0,
"required": true,
"action": "TERMINATE",
"application": {
"type": "REPUTATION",
"value": "KNOWN_MALWARE"
},
"operation": "RUN"
},
"policy_id": 6527,
"state": "APPLIED",
"resolution": "TAKE_NEW"
}
],
"failed_policy_ids": [],
"num_applied": 1,
"num_conflicts": 0,
"success": true
}Fields
Policy
| Field | Definition | Data Type | Values |
|---|---|---|---|
id |
The policy identifier | Long | |
name |
Defined name for the policy | String | |
org_key |
The organization key associated with the console instance | String | |
priority_level |
The priority level designated for policy | String | LOW, MEDIUM, HIGH, MISSION_CRITICAL |
is_system |
Indicates that the policy was created by VMware | Boolean | |
description |
The description of the policy | String | |
auto_deregister_inactive_vdi_interval_ms |
The time in milliseconds to wait after a VDI is inactive before setting the VDI to a DEREGISTERED state |
Long | |
auto_delete_known_bad_hashes_delay |
Enables the Carbon Black Cloud to automatically delete known malware after a specified time in milliseconds | Long | |
av_settings |
Anti-Virus settings for endpoints and workloads assigned to the policy | Object | AV Settings |
rules |
Permission or prevention rules to allow and log behavior, bypass a path entirely, remove impediments for software developers' workstations, or deny/terminate processes and applications based on a blocked or isolated operation. | Array | Rule |
directory_action_rules |
Rules to deny or allow the deployed sensors to send uploads from specific paths | Array | Directory Action Rules |
sensor_settings |
Settings to configure sensor behavior and capabilities | Array | Sensor Settings |
managed_detection_response_permissions |
Permissions for Managed Detection and Response analysts to perform remediations on endpoints and workloads assigned to the policy | Object | Managed Detection and Response Permissions |
version |
Version of the policy | Long | |
rapid_configs |
Coming Soon | Object | See Rapid Configs |
AV Settings
| Field | Definition | Data Type | Values |
|---|---|---|---|
avira_protection_cloud |
Third-party partner settings for unknown reputation binary analysis | Object | Avira Protection Cloud |
on_access_scan |
Local scan settings | Object | On Access Scan |
on_demand_scan |
Background scan settings | Object | On Demand Scan |
signature_update |
Signature pack update settings | Object | Signature Update |
update_servers |
Servers for updating signatures | Object | Update Servers |
Avira Protection Cloud
| Field | Definition | Data Type | Values |
|---|---|---|---|
enabled |
Whether unknown reputation binary analysis is enabled | Boolean | |
max_exe_delay |
CSR only* Time before sending unknown binary for analysis in seconds | Long | Min: 2
Max: 500 |
max_file_size |
CSR only Maximum file size to send for analysis in MB | Long | Min: 15
Max: 100 |
risk_level |
CSR only Risk level to send for analysis | Long | Min: 0
Max: 7 |
On Access Scan
| Field | Definition | Data Type | Values |
|---|---|---|---|
enabled |
Whether local scan is enabled | Boolean | |
mode |
The local scan mode for new files or all files | String | NORMAL, AGGRESSIVE |
On Demand Scan
| Field | Definition | Data Type | Values |
|---|---|---|---|
enabled |
Whether background scan is enabled | Boolean | |
profile |
The background scan mode which limits the maximum number of files scanned per minute. AGGRESSIVE will have CPU, memory and disk I/O impacts |
String | NORMAL, AGGRESSIVE |
schedule |
The schedule for when the one time background scan will be performed | Object | |
scan_usb |
Whether USB devices are scanned | String | AUTOSCAN, DISABLED |
scan_cd_dvd |
Whether a CD or DVD is scanned | String | AUTOSCAN, DISABLED |
Signature Update
| Field | Definition | Data Type | Values |
|---|---|---|---|
enabled |
Whether signature updates is enabled | boolean | |
schedule |
The schedule to update signatures | Object | |
Update Servers
| Field | Definition | Data Type | Values |
|---|---|---|---|
servers_override |
CSR only Update servers to override offsite/onsite settings | Array | Default: ["http://updates2.cdc.carbonblack.io/update2"] |
servers_for_onsite_devices |
Update servers for internal devices | Array | |
servers_for_offsite_devices |
Update servers for offsite devices | Array |
Rule
| Field | Definition | Data Type | Values |
|---|---|---|---|
id |
The identifier of the rule | Long | |
required |
Not used | Boolean | |
action |
The action the sensor will take when an application attempts to perform the selected operation | String | IGNORE,
ALLOW,
TERMINATE_PROCESS,
TERMINATE_THREAD,
TERMINATE,
DENY |
application |
The path, signature or reputation of the application | Object | NAME_PATH, SIGNED_BY, REPUTATION
Reputations: ADAPTIVE_WHITE_LIST,
ADWARE,
COMMON_WHITE_LIST,
COMPANY_BLACK_LIST,
COMPANY_WHITE_LIST,
HEURISTIC,
IGNORE,
KNOWN_MALWARE,
LOCAL_WHITE,
NOT_LISTED,
PUP,
RESOLVING,
SUSPECT_MALWARE,
TRUSTED_WHITE_LIST |
operation |
The type of behavior an application is performing | String | BYPASS_ALL,
BYPASS_API,
INVOKE_SCRIPT,
INVOKE_SYSAPP,
POL_INVOKE_NOT_TRUSTED,
INVOKE_CMD_INTERPRETER,
RANSOM,
NETWORK,
PROCESS_ISOLATION,
CODE_INJECTION,
MEMORY_SCRAPE,
RUN_INMEMORY_CODE,
ESCALATE,
RUN |
Directory Action Rules
| Field | Definition | Data Type | Values |
|---|---|---|---|
file_upload |
Allow the deployed sensor to upload from path | Boolean | |
protection |
Deny the deployed sensor from uploading at path | Boolean | |
path |
The path to a file or directory | String | Wildcards supported: *, **, ? |
Sensor Settings
| Field | Definition | Data Type | Values |
|---|---|---|---|
name |
Name of the sensor setting | String | |
value |
Value for the sensor setting | String |
Supported Settings:
| Name | Description | Value |
|---|---|---|
SHOW_UI |
Whether the sensor should show UI | "true", "false" |
ALLOW_UNINSTALL |
Whether the user can uninstall the sensor | "true", "false" |
ALLOW_UPLOAD |
Deprecated | |
QUARANTINE_DEVICE |
Whether the endpoint or workload should be quarantined or not | "true", "false" |
ENABLE_FORENSICS |
Whether to enable forensics on the endpoint or workload | "true", "false" |
LOGGING_LEVEL |
Set the logging level to debug | "true", "false" |
QUARANTINE_DEVICE_MESSAGE |
Message to display to the user when a endpoint or workload is quarantined | String
Default: "Device has been quarantined by your computer administrator." |
ENABLE_THREAT_SHARING |
Enable threat sharing for the policy | "true", "false" |
SET_SENSOR_MODE |
Set the sensor mode as passive or active etc | Active "0",
Passive "1" |
SENSOR_RESET |
Sensor Reset | No Reset "0",
Reset Database "1" |
BLOCK_REMOVABLE_MEDIA |
Block use of removable media on the endpoint or workload | "true", "false" |
POLICY_ACTION_OVERRIDE |
Allow user to override policy actions | "true", "false" |
BACKGROUND_SCAN |
Whether to perform background scan or not | "true", "false" |
RATE_LIMIT |
Rate limit for the sensor in KB/hr | String |
QUEUE_SIZE |
Queue size for the sensor in MB | String |
DROP_CONNECTION_TIME |
Drop connection time in minutes | String |
CONNECTION_LIMIT |
Number of connections / hr | String |
LEARNING_MODE |
Learning mode time in hours | String |
SET_AV_MODE |
Not used | |
SCAN_NETWORK_DRIVE |
Whether to scan network drives | "true", "false" |
BYPASS_AFTER_RESTART_MINS |
Number of minutes to keep sensor in bypass after restart | String |
BYPASS_AFTER_LOGIN_MINS |
Number of minutes to keep sensor in bypass after login | String |
HELP_MESSAGE |
Help message displays on sensor ui | String |
SHOW_FULL_UI |
Show full sensor UI | "true", "false" |
SCAN_EXECUTE_ON_NETWORK_DRIVE |
Can execute on network drives | "true", "false" |
DELAY_EXECUTE |
Delay execute for cloud after local scan | "true", "false" |
ALLOW_INLINE_BLOCKING |
Pause binary execution for access decision | "true", "false" |
PRESERVE_SYSTEM_MEMORY_SCAN |
Preserve system memory for scan | "true", "false" |
HASH_MD5 |
Whether to calculate MD5 hash | "true", "false" |
SCAN_LARGE_FILE_READ |
Whether the sensor should scan large files | "true", "false" |
SECURITY_CENTER_OPT |
Security Center Opt In | "true", "false" |
CB_LIVE_RESPONSE |
Whether Live Response is enabled | "true", "false" |
UNINSTALL_CODE |
Whether an uninstall code is needed for sensor uninstall | "true", "false" |
ALLOW_EXPEDITED_SCAN |
Permit expedited (higher priority resulting in more CPU usage) background scans | "true", "false" |
UBS_OPT_IN |
Whether the sensor is allowed to upload binaries to the Unified Binary Store | "true", "false" |
DISABLE_MALWARE_SERVICES |
Disable services before start up that are known as being malware | "true", "false" |
Managed Detection and Response Permissions
| Field | Definition | Data Type | Values |
|---|---|---|---|
policy_modification |
Allow MDR team to modify the policy | Boolean | Default: false |
quarantine |
Allow MDR team to quarantine endpoints and workloads associated with the policy | Boolean | Default: false |
Rapid Configs
A Rapid Config is a new type of setting within policy that allows users to make adjustments to Carbon Black-defined rules. The first Rapid Configs that will be released are called Core Prevention and will expose controls for existing dynamic preventions developed by our Threat Analysis Unit. Modifications can include toggling between “Alert Only” and “Block and Alert” on a per-operating system basis when the configuration applies to multiple operating systems. In a future release, Rapid Configs will support process exceptions and other types of user modifications.
Coming Soon