使用 API 创建 Elastic Defend 策略
Elastic Stack Serverless Security
除了通过 Elastic Security UI 配置 Elastic Defend 策略之外,您还可以通过 API 创建和自定义 Elastic Defend 策略。这是一个使用 Fleet API 的三步过程。您可以重复步骤 2 和 3,以便对 Elastic Defend 策略进行更多修改。
要求
您必须拥有 Elastic Defend 策略管理:全部 权限,才能配置集成策略。
进行以下 API 调用以创建新的代理策略,您将在其中添加 Elastic Defend 集成。将 <KIBANA-VERSION> 替换为您的 Kibana 版本。
# Step 1: create the agent policy to which Elastic Defend will be added.
# --user places the password on the command line, where it is visible in the
# local process list and saved in shell history; prefer `--user <username>`
# alone (curl then prompts for the password) or an
# `Authorization: ApiKey <base64-key>` header instead of basic auth.
# `kbn-version` is what satisfies Kibana's XSRF check on this POST (an
# equivalent is `kbn-xsrf: true`); the Sec-Fetch-* / Accept-Language headers
# are browser fetch metadata copied from a browser session and are not needed
# for this call.
# `inactivity_timeout` is in seconds (1209600 = 14 days); the sample response
# echoes the same value back.
curl --user <username>:<password> --request POST \
--url 'https://<kibana-url>:5601/api/fleet/agent_policies' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'kbn-version: <KIBANA-VERSION>' \
-d \
'
{
"name": "My Policy Name",
"description": "",
"namespace": "default",
"inactivity_timeout": 1209600
}'
<KIBANA-VERSION> 需要替换
记下您在响应中收到的 <POLICY-ID>。您将在步骤 2 中使用它来添加 Elastic Defend。
单击以显示示例响应
{
"item": {
"id": "<POLICY-ID>",
"name": "My Policy Name",
"description": "",
"namespace": "default",
"inactivity_timeout": 1209600,
"is_protected": false,
"status": "active",
"is_managed": false,
"revision": 1,
"updated_at": "2023-07-24T18:35:00.233Z",
"updated_by": "elastic",
"schema_version": "1.1.1"
}
}
<POLICY-ID> - 步骤 2 中需要
接下来,进行以下调用,将 Elastic Defend 集成添加到您在步骤 1 中创建的策略。
替换这些值:
- 将 <KIBANA-VERSION> 替换为您的 Kibana 版本。
- 将 <POLICY-ID> 替换为您在步骤 1 中收到的代理策略 ID。
- 将 <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 替换为最新的 Elastic Defend 程序包版本(例如,8.9.1)。要查找它,请导航到导航菜单中的 集成 或使用 全局搜索字段,然后选择 Elastic Defend。
这会将 Elastic Defend 集成添加到具有默认设置的代理策略。
# Step 2: attach the Elastic Defend package ("endpoint") to the agent policy
# created in step 1. The EDRComplete preset produces the default protections
# shown in the sample response that follows (malware, ransomware, memory and
# behavior protection in "prevent" mode on every platform).
# Authentication and header notes from step 1 apply here too: keep the
# password off the command line / out of shell history, and besides auth only
# `Content-Type` and `kbn-version` (XSRF) are needed for this call.
curl --user <username>:<password> --request POST \
--url 'https://<kibana-url>:5601/api/fleet/package_policies' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'kbn-version: <KIBANA-VERSION>' \
-d \
'
{
"name": "Protect",
"description": "",
"namespace": "default",
"policy_id": "<POLICY-ID>",
"enabled": true,
"inputs": [
{
"enabled": true,
"streams": [],
"type": "ENDPOINT_INTEGRATION_CONFIG",
"config": {
"_config": {
"value": {
"type": "endpoint",
"endpointConfig": {
"preset": "EDRComplete"
}
}
}
}
}
],
"package": {
"name": "endpoint",
"title": "Elastic Defend",
"version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>"
}
}'
<KIBANA-VERSION> 需要替换
<POLICY-ID> 需要替换
<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 需要替换
记下您在响应中收到的 <PACKAGE-POLICY-ID>。这指的是 Elastic Defend 策略,您将在步骤 3 中使用它。
单击以显示示例响应
{
"item": {
"id": "<PACKAGE-POLICY-ID>",
"version": "WzMwOTcsMV0=",
"name": "Protect",
"namespace": "default",
"description": "",
"package": {
"name": "endpoint",
"title": "Elastic Defend",
"version": "8.5.0"
},
"enabled": true,
"policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a",
"inputs": [
{
"type": "endpoint",
"enabled": true,
"streams": [],
"config": {
"integration_config": {
"value": {
"type": "endpoint",
"endpointConfig": {
"preset": "EDRComplete"
}
}
},
"artifact_manifest": {
"value": {
"manifest_version": "1.0.2",
"schema_version": "v1",
"artifacts": {
"endpoint-exceptionlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-exceptionlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-exceptionlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
}
}
}
},
"policy": {
"value": {
"windows": {
"events": {
"dll_and_driver_load": true,
"dns": true,
"file": true,
"network": true,
"process": true,
"registry": true,
"security": true
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"ransomware": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"ransomware": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
},
"antivirus_registration": {
"enabled": false
},
"attack_surface_reduction": {
"credential_hardening": {
"enabled": true
}
}
},
"mac": {
"events": {
"process": true,
"file": true,
"network": true
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
}
},
"linux": {
"events": {
"process": true,
"file": true,
"network": true,
"session_data": false,
"tty_io": false
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
}
}
}
}
}
}
],
"revision": 1,
"created_at": "2023-04-06T15:53:14.020Z",
"created_by": "elastic",
"updated_at": "2023-04-06T15:53:14.020Z",
"updated_by": "elastic"
}
}
<PACKAGE-POLICY-ID> - 步骤 3 中需要
您在步骤 2 中收到的响应代表了新 Elastic Defend 集成的默认配置。您需要修改默认配置,然后进行另一个 API 调用以保存您自定义的策略设置。
从您在步骤 2 中收到的响应中,复制顶级 item 对象中的内容。从该内容中,删除以下字段:
"id": "<PACKAGE-POLICY-ID>", "revision": 1, "created_at": "2023-04-06T15:53:14.020Z", "created_by": "elastic", "updated_at": "2023-04-06T15:53:14.020Z", "updated_by": "elastic"
对 policy 对象进行任何更改,以自定义 Elastic Defend 配置。
将生成的 JSON 对象包含在以下调用中,以保存您自定义的 Elastic Defend 策略。替换这些值:
- 将 <PACKAGE-POLICY-ID> 替换为您在步骤 2 中收到的 Elastic Defend 策略 ID。
- 将 <KIBANA-VERSION> 替换为您的 Kibana 版本。
- 将 <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 替换为最新的 Elastic Defend 程序包版本(例如,8.9.1)。要查找它,请导航到导航菜单中的 集成 或使用 全局搜索字段,然后选择 Elastic Defend。
# Step 3: save the customised Elastic Defend policy. The body is the `item`
# object from YOUR step-2 response with id / revision / created_* / updated_*
# removed. Several values in this example are copied from the sample response
# and are NOT placeholders, so do not paste the body verbatim:
#   - "policy_id": must be the <POLICY-ID> of the agent policy you created in
#     step 1 (b4be0860-... below is the id from the example response).
#   - "version": "WzMwOTcsMV0=" is the saved-object version from the sample
#     response; use the one from your own step-2 response.
#     NOTE(review): presumably a mismatched version is rejected on PUT — confirm.
#   - "artifact_manifest": likewise take it from your own response, not this sample.
# Protection settings live under inputs[0].config.policy.value.<platform>
# (windows / mac / linux); this is where customisation happens. Note, for
# example, that windows.antivirus_registration.enabled is false in the default.
# Authentication and header notes from step 1 apply here too (keep the password
# off the command line; `kbn-version` satisfies the XSRF check for this PUT).
curl --user <username>:<password> --request PUT \
--url 'https://<kibana-url>:5601/api/fleet/package_policies/<PACKAGE-POLICY-ID>' \
-H 'Accept: */*' \
-H 'Accept-Language: en-US,en;q=0.9' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'kbn-version: <KIBANA-VERSION>' \
-d \
'
{
"version": "WzMwOTcsMV0=",
"name": "Protect",
"namespace": "default",
"description": "",
"package": {
"name": "endpoint",
"title": "Elastic Defend",
"version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>"
},
"enabled": true,
"policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a",
"inputs": [
{
"type": "endpoint",
"enabled": true,
"streams": [],
"config": {
"integration_config": {
"value": {
"type": "endpoint",
"endpointConfig": {
"preset": "EDRComplete"
}
}
},
"artifact_manifest": {
"value": {
"manifest_version": "1.0.2",
"schema_version": "v1",
"artifacts": {
"endpoint-exceptionlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-exceptionlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-exceptionlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-trustlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-eventfilterlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-hostisolationexceptionlist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-macos-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-windows-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
},
"endpoint-blocklist-linux-v1": {
"encryption_algorithm": "none",
"decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"decoded_size": 14,
"encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
"encoded_size": 22,
"relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
"compression_algorithm": "zlib"
}
}
}
},
"policy": {
"value": {
"windows": {
"events": {
"dll_and_driver_load": true,
"dns": true,
"file": true,
"network": true,
"process": true,
"registry": true,
"security": true
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"ransomware": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"ransomware": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
},
"antivirus_registration": {
"enabled": false
},
"attack_surface_reduction": {
"credential_hardening": {
"enabled": true
}
}
},
"mac": {
"events": {
"process": true,
"file": true,
"network": true
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
}
},
"linux": {
"events": {
"process": true,
"file": true,
"network": true,
"session_data": false,
"tty_io": false
},
"malware": {
"mode": "prevent",
"blocklist": true
},
"behavior_protection": {
"mode": "prevent",
"supported": true
},
"memory_protection": {
"mode": "prevent",
"supported": true
},
"popup": {
"malware": {
"message": "",
"enabled": true
},
"behavior_protection": {
"message": "",
"enabled": true
},
"memory_protection": {
"message": "",
"enabled": true
}
},
"logging": {
"file": "info"
}
}
}
}
}
}
]
}'
<PACKAGE-POLICY-ID> 需要替换
<KIBANA-VERSION> 需要替换
<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 需要替换