使用 API 创建 Elastic Defend 策略

编辑

除了通过 Elastic Security UI 配置 Elastic Defend 策略 之外,您还可以通过 API 创建和自定义 Elastic Defend 策略。这是一个包含 Fleet API 的三个步骤的过程。您可以重复步骤 2 和 3 对 Elastic Defend 策略进行更多修改。

步骤 1:创建代理策略

编辑

进行以下 API 调用以创建一个新的代理策略,您将在其中添加您的 Elastic Defend 集成。将 <KIBANA-VERSION> 替换为您 Kibana 的版本。

curl --user <username>:<password> --request POST \
  --url 'https://<kibana-url>:5601/api/fleet/agent_policies' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: <KIBANA-VERSION>' \ 
  -d \
'
{
  "name": "My Policy Name",
  "description": "",
  "namespace": "default",
  "inactivity_timeout": 1209600
}'

<KIBANA-VERSION> 需要替换

记下您在响应中收到的 <POLICY-ID>。您将在步骤 2 中使用它来添加 Elastic Defend。

点击显示示例响应
{
  "item": {
    "id": "<POLICY-ID>", 
    "name": "My Policy Name",
    "description": "",
    "namespace": "default",
    "inactivity_timeout": 1209600,
    "is_protected": false,
    "status": "active",
    "is_managed": false,
    "revision": 1,
    "updated_at": "2023-07-24T18:35:00.233Z",
    "updated_by": "elastic",
    "schema_version": "1.1.1"
  }
}

<POLICY-ID> 在步骤 2 中需要

步骤 2:添加 Elastic Defend 集成

编辑

接下来,进行以下调用以将 Elastic Defend 集成添加到您在步骤 1 中创建的策略。

替换这些值

  1. <KIBANA-VERSION> 替换为您 Kibana 的版本。
  2. <POLICY-ID> 替换为您在步骤 1 中收到的代理策略 ID。
  3. <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 替换为最新的 Elastic Defend 软件包版本(例如,8.9.1)。要查找它,请在导航菜单中导航到 集成 或使用 全局搜索字段,然后选择 Elastic Defend

这会将 Elastic Defend 集成添加到您的代理策略中,并使用默认设置。

curl --user <username>:<password> --request POST \
  --url 'https://<kibana-url>:5601/api/fleet/package_policies' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: <KIBANA-VERSION>' \ 
  -d \
'
{
  "name": "Protect",
  "description": "",
  "namespace": "default",
  "policy_id": "<POLICY-ID>", 
  "enabled": true,
  "inputs": [
    {
      "enabled": true,
      "streams": [],
      "type": "ENDPOINT_INTEGRATION_CONFIG",
      "config": {
        "_config": {
          "value": {
            "type": "endpoint",
            "endpointConfig": {
              "preset": "EDRComplete"
            }
          }
        }
      }
    }
  ],
  "package": {
    "name": "endpoint",
    "title": "Elastic Defend",
    "version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>" 
  }
}'

<KIBANA-VERSION> 需要替换

<POLICY-ID> 需要替换

<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 需要替换

记下您在响应中收到的 <PACKAGE-POLICY-ID>。这指的是 Elastic Defend 策略,您将在步骤 3 中使用它。

点击显示示例响应
{
  "item": {
    "id": "<PACKAGE-POLICY-ID>", 
    "version": "WzMwOTcsMV0=",
    "name": "Protect",
    "namespace": "default",
    "description": "",
    "package": {
      "name": "endpoint",
      "title": "Elastic Defend",
      "version": "8.5.0"
    },
    "enabled": true,
    "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a",
    "inputs": [
      {
        "type": "endpoint",
        "enabled": true,
        "streams": [],
        "config": {
          "integration_config": {
            "value": {
              "type": "endpoint",
              "endpointConfig": {
                "preset": "EDRComplete"
              }
            }
          },
          "artifact_manifest": {
            "value": {
              "manifest_version": "1.0.2",
              "schema_version": "v1",
              "artifacts": {
                "endpoint-exceptionlist-macos-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-exceptionlist-windows-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-exceptionlist-linux-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-trustlist-macos-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-trustlist-windows-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-trustlist-linux-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-eventfilterlist-macos-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-eventfilterlist-windows-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-eventfilterlist-linux-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-hostisolationexceptionlist-macos-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-hostisolationexceptionlist-windows-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-hostisolationexceptionlist-linux-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-blocklist-macos-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-blocklist-windows-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                },
                "endpoint-blocklist-linux-v1": {
                  "encryption_algorithm": "none",
                  "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "decoded_size": 14,
                  "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                  "encoded_size": 22,
                  "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                  "compression_algorithm": "zlib"
                }
              }
            }
          },
          "policy": {
            "value": {
              "windows": {
                "events": {
                  "dll_and_driver_load": true,
                  "dns": true,
                  "file": true,
                  "network": true,
                  "process": true,
                  "registry": true,
                  "security": true
                },
                "malware": {
                  "mode": "prevent",
                  "blocklist": true
                },
                "ransomware": {
                  "mode": "prevent",
                  "supported": true
                },
                "memory_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "behavior_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "popup": {
                  "malware": {
                    "message": "",
                    "enabled": true
                  },
                  "ransomware": {
                    "message": "",
                    "enabled": true
                  },
                  "memory_protection": {
                    "message": "",
                    "enabled": true
                  },
                  "behavior_protection": {
                    "message": "",
                    "enabled": true
                  }
                },
                "logging": {
                  "file": "info"
                },
                "antivirus_registration": {
                  "enabled": false
                },
                "attack_surface_reduction": {
                  "credential_hardening": {
                    "enabled": true
                  }
                }
              },
              "mac": {
                "events": {
                  "process": true,
                  "file": true,
                  "network": true
                },
                "malware": {
                  "mode": "prevent",
                  "blocklist": true
                },
                "behavior_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "memory_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "popup": {
                  "malware": {
                    "message": "",
                    "enabled": true
                  },
                  "behavior_protection": {
                    "message": "",
                    "enabled": true
                  },
                  "memory_protection": {
                    "message": "",
                    "enabled": true
                  }
                },
                "logging": {
                  "file": "info"
                }
              },
              "linux": {
                "events": {
                  "process": true,
                  "file": true,
                  "network": true,
                  "session_data": false,
                  "tty_io": false
                },
                "malware": {
                  "mode": "prevent",
                  "blocklist": true
                },
                "behavior_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "memory_protection": {
                  "mode": "prevent",
                  "supported": true
                },
                "popup": {
                  "malware": {
                    "message": "",
                    "enabled": true
                  },
                  "behavior_protection": {
                    "message": "",
                    "enabled": true
                  },
                  "memory_protection": {
                    "message": "",
                    "enabled": true
                  }
                },
                "logging": {
                  "file": "info"
                }
              }
            }
          }
        }
      }
    ],
    "revision": 1,
    "created_at": "2023-04-06T15:53:14.020Z",
    "created_by": "elastic",
    "updated_at": "2023-04-06T15:53:14.020Z",
    "updated_by": "elastic"
  }
}

<PACKAGE-POLICY-ID> 在步骤 3 中需要

步骤 3:自定义和保存 Elastic Defend 策略设置

编辑

您在步骤 2 中收到的响应表示新 Elastic Defend 集成的默认配置。您需要修改默认配置,然后进行另一个 API 调用以保存您的自定义策略设置。

修改配置
编辑
  1. 从您在步骤 2 中收到的响应中,复制顶级 item 对象中的内容。
  2. 从该内容中,删除以下字段

    "id": "<PACKAGE-POLICY-ID>",
    "revision": 1,
    "created_at": "2023-04-06T15:53:14.020Z",
    "created_by": "elastic",
    "updated_at": "2023-04-06T15:53:14.020Z",
    "updated_by": "elastic"
  3. policy 对象进行任何更改以自定义 Elastic Defend 配置。
保存您的自定义策略设置
编辑

在以下调用中包含生成的 JSON 对象以保存您的自定义 Elastic Defend 策略。替换这些值

  1. <PACKAGE-POLICY-ID> 替换为您在步骤 2 中收到的 Elastic Defend 策略 ID。
  2. <KIBANA-VERSION> 替换为您 Kibana 的版本。
  3. <LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 替换为最新的 Elastic Defend 软件包版本(例如,8.9.1)。要查找它,请在导航菜单中导航到 集成 或使用 全局搜索字段,然后选择 Elastic Defend
curl --user <username>:<password> --request PUT \
  --url 'https://<kibana-url>:5601/api/fleet/package_policies/<PACKAGE-POLICY-ID>' \ 
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: <KIBANA-VERSION>' \ 
  -d \
'
{
  "version": "WzMwOTcsMV0=",
  "name": "Protect",
  "namespace": "default",
  "description": "",
  "package": {
    "name": "endpoint",
    "title": "Elastic Defend",
    "version": "<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION>" 
  },
  "enabled": true,
  "policy_id": "b4be0860-d492-11ed-a59c-3ffbbd16325a",
  "inputs": [
    {
      "type": "endpoint",
      "enabled": true,
      "streams": [],
      "config": {
        "integration_config": {
          "value": {
            "type": "endpoint",
            "endpointConfig": {
              "preset": "EDRComplete"
            }
          }
        },
        "artifact_manifest": {
          "value": {
            "manifest_version": "1.0.2",
            "schema_version": "v1",
            "artifacts": {
              "endpoint-exceptionlist-macos-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-exceptionlist-windows-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-exceptionlist-linux-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-trustlist-macos-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-trustlist-windows-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-trustlist-linux-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-eventfilterlist-macos-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-eventfilterlist-windows-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-eventfilterlist-linux-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-hostisolationexceptionlist-macos-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-hostisolationexceptionlist-windows-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-hostisolationexceptionlist-linux-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-blocklist-macos-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-blocklist-windows-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              },
              "endpoint-blocklist-linux-v1": {
                "encryption_algorithm": "none",
                "decoded_sha256": "d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "decoded_size": 14,
                "encoded_sha256": "f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                "encoded_size": 22,
                "relative_url": "/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                "compression_algorithm": "zlib"
              }
            }
          }
        },
        "policy": {
          "value": {
            "windows": {
              "events": {
                "dll_and_driver_load": true,
                "dns": true,
                "file": true,
                "network": true,
                "process": true,
                "registry": true,
                "security": true
              },
              "malware": {
                "mode": "prevent",
                "blocklist": true
              },
              "ransomware": {
                "mode": "prevent",
                "supported": true
              },
              "memory_protection": {
                "mode": "prevent",
                "supported": true
              },
              "behavior_protection": {
                "mode": "prevent",
                "supported": true
              },
              "popup": {
                "malware": {
                  "message": "",
                  "enabled": true
                },
                "ransomware": {
                  "message": "",
                  "enabled": true
                },
                "memory_protection": {
                  "message": "",
                  "enabled": true
                },
                "behavior_protection": {
                  "message": "",
                  "enabled": true
                }
              },
              "logging": {
                "file": "info"
              },
              "antivirus_registration": {
                "enabled": false
              },
              "attack_surface_reduction": {
                "credential_hardening": {
                  "enabled": true
                }
              }
            },
            "mac": {
              "events": {
                "process": true,
                "file": true,
                "network": true
              },
              "malware": {
                "mode": "prevent",
                "blocklist": true
              },
              "behavior_protection": {
                "mode": "prevent",
                "supported": true
              },
              "memory_protection": {
                "mode": "prevent",
                "supported": true
              },
              "popup": {
                "malware": {
                  "message": "",
                  "enabled": true
                },
                "behavior_protection": {
                  "message": "",
                  "enabled": true
                },
                "memory_protection": {
                  "message": "",
                  "enabled": true
                }
              },
              "logging": {
                "file": "info"
              }
            },
            "linux": {
              "events": {
                "process": true,
                "file": true,
                "network": true,
                "session_data": false,
                "tty_io": false
              },
              "malware": {
                "mode": "prevent",
                "blocklist": true
              },
              "behavior_protection": {
                "mode": "prevent",
                "supported": true
              },
              "memory_protection": {
                "mode": "prevent",
                "supported": true
              },
              "popup": {
                "malware": {
                  "message": "",
                  "enabled": true
                },
                "behavior_protection": {
                  "message": "",
                  "enabled": true
                },
                "memory_protection": {
                  "message": "",
                  "enabled": true
                }
              },
              "logging": {
                "file": "info"
              }
            }
          }
        }
      }
    }
  ]
}'

<PACKAGE-POLICY-ID> 需要替换

<KIBANA-VERSION> 需要替换

<LATEST-ELASTIC-DEFEND-PACKAGE-VERSION> 需要替换