Defend API integration

Hi,
I would like to create a customized Elastic Defend integration via the API. Unfortunately, this integration doesn't have the Preview API request as other integrations do. I'm able to create the integration with the default values (see below), but I would like to customize it even further. Does anyone have the full API request for the Defend integration?

data = {
    "policy_id": agent_policy_id,
    "package": {
        "name": "endpoint",
        "version": "8.5.0"
    },
    "name": default_endpoint,
    "description": "",
    "namespace": namespace,
}

I have tried to use the output from the Elastic Console using the command GET kbn:/api/fleet/agent_policies/<POLICY_ID>, but I get the error below:

{'statusCode': 400, 'error': 'Bad Request', 'message': '[request body]: types that failed validation:\n- [request body.0.inputs]: expected value of type [array] but got [Object]\n- [request body.1.inputs.config.policy]: definition for this key is missing'}

This is the code I'm using, which triggers the above error.
defend_int

Hi @alextg, thanks for trying out Elastic Security. My understanding is that you want to create Elastic Defend Policies and customize them through the API. I will map out a way to do that below. Because I'm copy/pasting entire API responses, I'm breaking this up into two posts so it fits in the character limits.

Judging from the above, I assume you already have an agent_policy_id that you want to add the integration to. Assuming that is the case, you can use the API like below to add the default integration. It seems you've already gotten this far, but adding it for completeness.

Initialize the Elastic Defend policy

curl --user <user>:<pass> 'https://<kibana-url>:5601/api/fleet/package_policies' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: 8.5.4' \
  --data-raw '{"name":"Protect","description":"","namespace":"default","policy_id":"<POLICY_ID>","enabled":true,"inputs":[{"enabled":true,"streams":[],"type":"ENDPOINT_INTEGRATION_CONFIG","config":{"_config":{"value":{"type":"endpoint","endpointConfig":{"preset":"EDRComplete"}}}}}],"package":{"name":"endpoint","title":"Elastic Defend","version":"8.5.0"}}' \
  --compressed

Make sure you replace <POLICY_ID> with your agent_policy_id.

You should get a response which looks something like the below:

{
   "item":{
      "id":"de5d7dd6-877b-45ef-9db3-f72776b4d091",
      "version":"WzMwOTcsMV0=",
      "name":"Protect",
      "namespace":"default",
      "description":"",
      "package":{
         "name":"endpoint",
         "title":"Elastic Defend",
         "version":"8.5.0"
      },
      "enabled":true,
      "policy_id":"b4be0860-d492-11ed-a59c-3ffbbd16325a",
      "inputs":[
         {
            "type":"endpoint",
            "enabled":true,
            "streams":[
               
            ],
            "config":{
               "integration_config":{
                  "value":{
                     "type":"endpoint",
                     "endpointConfig":{
                        "preset":"EDRComplete"
                     }
                  }
               },
               "artifact_manifest":{
                  "value":{
                     "manifest_version":"1.0.2",
                     "schema_version":"v1",
                     "artifacts":{
                        "endpoint-exceptionlist-macos-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-exceptionlist-windows-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-exceptionlist-linux-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-trustlist-macos-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-trustlist-windows-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-trustlist-linux-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-eventfilterlist-macos-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-eventfilterlist-windows-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-eventfilterlist-linux-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-hostisolationexceptionlist-macos-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-hostisolationexceptionlist-windows-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-hostisolationexceptionlist-linux-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-blocklist-macos-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-blocklist-windows-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        },
                        "endpoint-blocklist-linux-v1":{
                           "encryption_algorithm":"none",
                           "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "decoded_size":14,
                           "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                           "encoded_size":22,
                           "relative_url":"/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                           "compression_algorithm":"zlib"
                        }
                     }
                  }
               },
               "policy":{
                  "value":{
                     "windows":{
                        "events":{
                           "dll_and_driver_load":true,
                           "dns":true,
                           "file":true,
                           "network":true,
                           "process":true,
                           "registry":true,
                           "security":true
                        },
                        "malware":{
                           "mode":"prevent",
                           "blocklist":true
                        },
                        "ransomware":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "memory_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "behavior_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "popup":{
                           "malware":{
                              "message":"",
                              "enabled":true
                           },
                           "ransomware":{
                              "message":"",
                              "enabled":true
                           },
                           "memory_protection":{
                              "message":"",
                              "enabled":true
                           },
                           "behavior_protection":{
                              "message":"",
                              "enabled":true
                           }
                        },
                        "logging":{
                           "file":"info"
                        },
                        "antivirus_registration":{
                           "enabled":false
                        },
                        "attack_surface_reduction":{
                           "credential_hardening":{
                              "enabled":true
                           }
                        }
                     },
                     "mac":{
                        "events":{
                           "process":true,
                           "file":true,
                           "network":true
                        },
                        "malware":{
                           "mode":"prevent",
                           "blocklist":true
                        },
                        "behavior_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "memory_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "popup":{
                           "malware":{
                              "message":"",
                              "enabled":true
                           },
                           "behavior_protection":{
                              "message":"",
                              "enabled":true
                           },
                           "memory_protection":{
                              "message":"",
                              "enabled":true
                           }
                        },
                        "logging":{
                           "file":"info"
                        }
                     },
                     "linux":{
                        "events":{
                           "process":true,
                           "file":true,
                           "network":true,
                           "session_data":false,
                           "tty_io":false
                        },
                        "malware":{
                           "mode":"prevent",
                           "blocklist":true
                        },
                        "behavior_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "memory_protection":{
                           "mode":"prevent",
                           "supported":true
                        },
                        "popup":{
                           "malware":{
                              "message":"",
                              "enabled":true
                           },
                           "behavior_protection":{
                              "message":"",
                              "enabled":true
                           },
                           "memory_protection":{
                              "message":"",
                              "enabled":true
                           }
                        },
                        "logging":{
                           "file":"info"
                        }
                     }
                  }
               }
            }
         }
      ],
      "revision":1,
      "created_at":"2023-04-06T15:53:14.020Z",
      "created_by":"elastic",
      "updated_at":"2023-04-06T15:53:14.020Z",
      "updated_by":"elastic"
   }
}

Customize the policy settings

Next, prepare and make the call with your custom Elastic Defend policy.

Keep note of the id field, in this case, "id":"de5d7dd6-877b-45ef-9db3-f72776b4d091". This is the package-policy-id.

Make the following modifications:

  1. Pull out all of the content under the top level item:{} field.

  2. Remove the following fields:

      "revision":1,
      "created_at":"2023-04-06T15:53:14.020Z",
      "created_by":"elastic",
      "updated_at":"2023-04-06T15:53:14.020Z",
      "updated_by":"elastic"

  3. Remove that same id field you got the package policy id from:

      "id":"de5d7dd6-877b-45ef-9db3-f72776b4d091"

You should be left with an object that looks like the below. Make any changes to the policy section that you'd like:

{
   "version":"WzMwOTcsMV0=",
   "name":"Protect",
   "namespace":"default",
   "description":"",
   "package":{
      "name":"endpoint",
      "title":"Elastic Defend",
      "version":"8.5.0"
   },
   "enabled":true,
   "policy_id":"b4be0860-d492-11ed-a59c-3ffbbd16325a",
   "inputs":[
      {
         "type":"endpoint",
         "enabled":true,
         "streams":[
            
         ],
         "config":{
            "integration_config":{
               "value":{
                  "type":"endpoint",
                  "endpointConfig":{
                     "preset":"EDRComplete"
                  }
               }
            },
            "artifact_manifest":{
               "value":{
                  "manifest_version":"1.0.2",
                  "schema_version":"v1",
                  "artifacts":{
                     "endpoint-exceptionlist-macos-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-exceptionlist-windows-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-exceptionlist-linux-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-trustlist-macos-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-trustlist-windows-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-trustlist-linux-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-eventfilterlist-macos-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-eventfilterlist-windows-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-eventfilterlist-linux-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-hostisolationexceptionlist-macos-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-hostisolationexceptionlist-windows-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-hostisolationexceptionlist-linux-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-blocklist-macos-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-blocklist-windows-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     },
                     "endpoint-blocklist-linux-v1":{
                        "encryption_algorithm":"none",
                        "decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "decoded_size":14,
                        "encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda",
                        "encoded_size":22,
                        "relative_url":"/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658",
                        "compression_algorithm":"zlib"
                     }
                  }
               }
            },
            "policy":{
               "value":{
                  "windows":{
                     "events":{
                        "dll_and_driver_load":true,
                        "dns":true,
                        "file":true,
                        "network":true,
                        "process":true,
                        "registry":true,
                        "security":true
                     },
                     "malware":{
                        "mode":"prevent",
                        "blocklist":true
                     },
                     "ransomware":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "memory_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "behavior_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "popup":{
                        "malware":{
                           "message":"",
                           "enabled":true
                        },
                        "ransomware":{
                           "message":"",
                           "enabled":true
                        },
                        "memory_protection":{
                           "message":"",
                           "enabled":true
                        },
                        "behavior_protection":{
                           "message":"",
                           "enabled":true
                        }
                     },
                     "logging":{
                        "file":"info"
                     },
                     "antivirus_registration":{
                        "enabled":false
                     },
                     "attack_surface_reduction":{
                        "credential_hardening":{
                           "enabled":true
                        }
                     }
                  },
                  "mac":{
                     "events":{
                        "process":true,
                        "file":true,
                        "network":true
                     },
                     "malware":{
                        "mode":"prevent",
                        "blocklist":true
                     },
                     "behavior_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "memory_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "popup":{
                        "malware":{
                           "message":"",
                           "enabled":true
                        },
                        "behavior_protection":{
                           "message":"",
                           "enabled":true
                        },
                        "memory_protection":{
                           "message":"",
                           "enabled":true
                        }
                     },
                     "logging":{
                        "file":"info"
                     }
                  },
                  "linux":{
                     "events":{
                        "process":true,
                        "file":true,
                        "network":true,
                        "session_data":false,
                        "tty_io":false
                     },
                     "malware":{
                        "mode":"prevent",
                        "blocklist":true
                     },
                     "behavior_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "memory_protection":{
                        "mode":"prevent",
                        "supported":true
                     },
                     "popup":{
                        "malware":{
                           "message":"",
                           "enabled":true
                        },
                        "behavior_protection":{
                           "message":"",
                           "enabled":true
                        },
                        "memory_protection":{
                           "message":"",
                           "enabled":true
                        }
                     },
                     "logging":{
                        "file":"info"
                     }
                  }
               }
            }
         }
      }
   ]
}

Following up with the last bit from above to save the customized policy...

Save the Elastic Defend Policy

Using the JSON you prepared above, save this all back with a second API call:

curl --user <user>:<pass> 'https://<kibana-url>:5601/api/fleet/package_policies/<package-policy-id>' \
  -X 'PUT' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.9' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'kbn-version: 8.5.4' \
  --data-raw '{"version":"WzMwOTcsMV0=","name":"Protect","namespace":"default","description":"","package":{"name":"endpoint","title":"Elastic Defend","version":"8.5.0"},"enabled":true,"policy_id":"b4be0860-d492-11ed-a59c-3ffbbd16325a","inputs":[{"type":"endpoint","enabled":true,"streams":[],"config":{"integration_config":{"value":{"type":"endpoint","endpointConfig":{"preset":"EDRComplete"}}},"artifact_manifest":{"value":{"manifest_version":"1.0.2","schema_version":"v1","artifacts":{"endpoint-exceptionlist-macos-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-exceptionlist-windows-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-exceptionlist-linux-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-trustlist-macos-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-trustlist-windows-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-trustlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-trustlist-linux-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-trustlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-eventfilterlist-macos-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-eventfilterlist-windows-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-eventfilterlist-linux-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-hostisolationexceptionlist-macos-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-hostisolationexceptionlist-windows-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-hostisolationexceptionlist-linux-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-blocklist-macos-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-blocklist-windows-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"},"endpoint-blocklist-linux-v1":{"encryption_algorithm":"none","decoded_sha256":"d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","decoded_size":14,"encoded_sha256":"f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda","encoded_size":22,"relative_url":"/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658","compression_algorithm":"zlib"}}}},"policy":{"value":{"windows":{"events":{"dll_and_driver_load":true,"dns":true,"file":true,"network":true,"process":true,"registry":true,"security":true},"malware":{"mode":"prevent","blocklist":true},"ransomware":{"mode":"prevent","supported":true},"memory_protection":{"mode":"prevent","supported":true},"behavior_protection":{"mode":"prevent","supported":true},"popup":{"malware":{"message":"","enabled":true},"ransomware":{"message":"","enabled":true},"memory_protection":{"message":"","enabled":true},"behavior_protection":{"message":"","enabled":true}},"logging":{"file":"info"},"antivirus_registration":{"enabled":false},"attack_surface_reduction":{"credential_hardening":{"enabled":true}}},"mac":{"events":{"process":true,"file":true,"network":true},"malware":{"mode":"prevent","blocklist":true},"behavior_protection":{"mode":"prevent","supported":true},"memory_protection":{"mode":"prevent","supported":true},"popup":{"malware":{"message":"","enabled":true},"behavior_protection":{"message":"","enabled":true},"memory_protection":{"message":"","enabled":true}},"logging":{"file":"info"}},"linux":{"events":{"process":true,"file":true,"network":true,"session_data":false,"tty_io":false},"malware":{"mode":"prevent","blocklist":true},"behavior_protection":{"mode":"prevent","supported":true},"memory_protection":{"mode":"prevent","supported":true},"popup":{"malware":{"message":"","enabled":true},"behavior_protection":{"message":"","enabled":true},"memory_protection":{"message":"","enabled":true}},"logging":{"file":"info"}}}}}}]}' \
  --compressed

After this, you should have your customized policy saved.

To sum it up, you make two API calls:

  1. API call to initialize the Elastic Defend policy
  2. API call to update the Elastic Defend policy.

The initialization happens first because the server will initialize the user artifact entries seen in the response. These are things like endpoint-trustlist-windows-v1, which refers to the list of Trusted Applications that are bundled and downloaded by the Endpoint.

Let me know if this answers your question or if you have any additional questions.
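The two calls summarized above, as an added Python example (not code from the thread or from Elastic): it builds the second call's body from the object the first call returned, so the server-generated artifact_manifest is carried over unchanged rather than retyped, and it rejects override keys the initialized policy does not contain. The sample object is constructed and abbreviated; its `id` and `revision` fields and all helper names are assumptions.

```python
import copy

# Top-level keys carried by the PUT body shown on this page. Other fields in
# the server's object (assumed here: "id", "revision") are left out.
PUT_KEYS = ("version", "name", "namespace", "description",
            "package", "enabled", "policy_id", "inputs")


def merge_existing(base, overrides, path, changes):
    """Apply overrides onto base in place; reject keys or shapes base lacks."""
    for key, new in overrides.items():
        here = f"{path}.{key}"
        if key not in base:
            raise KeyError(f"{here} is not present in the initialized policy")
        old = base[key]
        if isinstance(old, dict) != isinstance(new, dict):
            raise TypeError(f"{here}: object/scalar mismatch")
        if isinstance(new, dict):
            merge_existing(old, new, here, changes)
        elif old != new:
            changes.append((here, old, new))
            base[key] = new


def build_update_body(package_policy, overrides):
    """Return (put_body, changes) without modifying package_policy."""
    body = {k: copy.deepcopy(package_policy[k])
            for k in PUT_KEYS if k in package_policy}
    endpoint = [i for i in body.get("inputs", []) if i.get("type") == "endpoint"]
    if len(endpoint) != 1:
        raise ValueError("expected exactly one input of type 'endpoint'")
    config = endpoint[0]["config"]
    # The manifest only exists after the initializing call; never hand-write it.
    if "artifact_manifest" not in config:
        raise ValueError("no artifact_manifest: run the initializing call first")
    changes = []
    merge_existing(config["policy"]["value"], overrides, "policy", changes)
    return body, changes


# Constructed, heavily abbreviated stand-in for the initialized package policy.
SAMPLE = {
    "id": "<package-policy-id>",          # assumed response field, not sent back
    "revision": 1,                        # assumed response field, not sent back
    "version": "<version-token>",
    "name": "Protect",
    "namespace": "default",
    "description": "",
    "package": {"name": "endpoint", "title": "Elastic Defend", "version": "8.5.0"},
    "enabled": True,
    "policy_id": "<agent-policy-id>",
    "inputs": [{
        "type": "endpoint", "enabled": True, "streams": [],
        "config": {
            "artifact_manifest": {"value": {
                "manifest_version": "1.0.2", "schema_version": "v1",
                "artifacts": {"endpoint-trustlist-windows-v1": {
                    "decoded_size": 14, "compression_algorithm": "zlib"}}}},
            "policy": {"value": {
                "windows": {
                    "events": {"dns": True, "process": True},
                    "malware": {"mode": "prevent", "blocklist": True}},
                "linux": {"events": {"process": True, "tty_io": False}}}},
        },
    }],
}

# Only the settings to change; everything else keeps the server's value.
OVERRIDES = {
    "windows": {"events": {"dns": False}, "malware": {"mode": "detect"}},
    "linux": {"events": {"tty_io": True}},
}

if __name__ == "__main__":
    body, changes = build_update_body(SAMPLE, OVERRIDES)
    for path, old, new in changes:
        print(f"{path}: {old!r} -> {new!r}")
```

The returned change list is the thing to review before sending the body with the PUT call; a move from `prevent` to `detect` appears there as an explicit entry.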

Appreciate your help, works like a charm! I did add an extra header, perhaps since I'm using version 8.6.2, but other than that everything works as expected.

'kbn-xsrf: true'

In case someone needs it, see below a Python function to update the Elastic Defend policy.

def set_endpoint_int_json(agent_policy_id, package_version, package_name, package_namespace):
    data = {
        'version': package_version, 
        'name': package_name, 
        'namespace': package_namespace, 
        'description': '', 
        'package': {
            'name': 'endpoint', 
            'title': 'Elastic Defend', 
            'version': '8.6.1'
        }, 
        'enabled': True, 
        'policy_id': agent_policy_id, 
        'inputs': [
            {
                'type': 'endpoint', 
                'enabled': True, 
                'streams': [], 
                'config': {
                    'integration_config': {
                        'value': {
                            'type': 'endpoint', 
                            'endpointConfig': {
                                'preset': 'EDRComplete'
                            }
                        }
                    }, 
                    'artifact_manifest': {
                        'value': {
                        'manifest_version': '1.0.426', 
                        'schema_version': 'v1', 
                        'artifacts': {
                            'endpoint-exceptionlist-macos-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-exceptionlist-windows-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'f68638429f3d8985f6d9b703cbccb5a79754ed9dd71c508778f761985e03e81b', 'decoded_size': 325, 'encoded_sha256': '1234edf0fe2cfe5e715d66099589b5ef85bf586e806c1b7648afa4b750ac5fdf', 'encoded_size': 157, 'relative_url': '/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/f68638429f3d8985f6d9b703cbccb5a79754ed9dd71c508778f761985e03e81b', 'compression_algorithm': 'zlib'}, 
                            'endpoint-exceptionlist-linux-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'fb4392de137c2bc225f00d6171f3f36276b68813fc6bf7575ab586c2dd00844b', 'decoded_size': 300, 'encoded_sha256': '7d61d979bf76316fddab60dd15815b87cb11493093defd79d83dcc9fd65f69ee', 'encoded_size': 188, 'relative_url': '/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/fb4392de137c2bc225f00d6171f3f36276b68813fc6bf7575ab586c2dd00844b', 'compression_algorithm': 'zlib'}, 
                            'endpoint-trustlist-macos-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-trustlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-trustlist-windows-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'a2b20afc68713e1994bcd0067d81595e1458d5593262fd28100be0c911e46aa1', 'decoded_size': 544, 'encoded_sha256': '319d3a3ff85b376cbae14e8798dfbcaf89e6dda37d3943c8a63526066df17782', 'encoded_size': 185, 'relative_url': '/api/fleet/artifacts/endpoint-trustlist-windows-v1/a2b20afc68713e1994bcd0067d81595e1458d5593262fd28100be0c911e46aa1', 'compression_algorithm': 'zlib'}, 
                            'endpoint-trustlist-linux-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': '340ce36b21ea840379b7049ac16e7fb8f5ff9773b4363242422a560c34b5d739', 'decoded_size': 431, 'encoded_sha256': 'e0b688add30d1353bb0d1db8df73beaebda83cf1653de6143c8f51d08cf28b1e', 'encoded_size': 134, 'relative_url': '/api/fleet/artifacts/endpoint-trustlist-linux-v1/340ce36b21ea840379b7049ac16e7fb8f5ff9773b4363242422a560c34b5d739', 'compression_algorithm': 'zlib'}, 
                            'endpoint-eventfilterlist-macos-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-eventfilterlist-windows-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-eventfilterlist-linux-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-hostisolationexceptionlist-macos-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': '23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'decoded_size': 393, 'encoded_sha256': '607d0c473e52942d2e1e32be2b1be347cbaa480d38c96527ca56e8ad52fbef16', 'encoded_size': 145, 'relative_url': '/api/fleet/artifacts/endpoint-hostisolationexceptionlist-macos-v1/23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'compression_algorithm': 'zlib'}, 
                            'endpoint-hostisolationexceptionlist-windows-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': '23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'decoded_size': 393, 'encoded_sha256': '607d0c473e52942d2e1e32be2b1be347cbaa480d38c96527ca56e8ad52fbef16', 'encoded_size': 145, 'relative_url': '/api/fleet/artifacts/endpoint-hostisolationexceptionlist-windows-v1/23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'compression_algorithm': 'zlib'}, 
                            'endpoint-hostisolationexceptionlist-linux-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': '23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'decoded_size': 393, 'encoded_sha256': '607d0c473e52942d2e1e32be2b1be347cbaa480d38c96527ca56e8ad52fbef16', 'encoded_size': 145, 'relative_url': '/api/fleet/artifacts/endpoint-hostisolationexceptionlist-linux-v1/23b42442e7ec780654c116d37f0a316c25b357a7d8ca80c3303a49a8cc3f8281', 'compression_algorithm': 'zlib'}, 
                            'endpoint-blocklist-macos-v1': {'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-blocklist-macos-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-blocklist-windows-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-blocklist-windows-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}, 
                            'endpoint-blocklist-linux-v1': {
                                'encryption_algorithm': 'none', 'decoded_sha256': 'd801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'decoded_size': 14, 'encoded_sha256': 'f8e6afa1d5662f5b37f83337af774b5785b5b7f1daee08b7b00c2d6813874cda', 'encoded_size': 22, 'relative_url': '/api/fleet/artifacts/endpoint-blocklist-linux-v1/d801aa1fb7ddcc330a5e3173372ea6af4a3d08ec58074478e85aa5603e926658', 'compression_algorithm': 'zlib'}
                            }
                        }
                    }, 
                    'policy': {
                        'value': {
                            'windows': {
                                'events': {'dll_and_driver_load': False, 'dns': False, 'file': False, 'network': False, 'process': True, 'registry': False, 'security': False}, 
                                'malware': {'mode': 'detect', 'blocklist': True}, 
                                'ransomware': {'mode': 'detect', 'supported': True, 'notification': False}, 
                                'memory_protection': {'mode': 'detect', 'supported': True}, 
                                'behavior_protection': {'mode': 'detect', 'supported': True}, 
                                'popup': {'malware': {'message': '', 'enabled': False}, 'ransomware': {'message': '', 'enabled': False}, 'memory_protection': {'message': '', 'enabled': False}, 'behavior_protection': {'message': '', 'enabled': False}}, 
                                'logging': {'file': 'info'}, 
                                'antivirus_registration': {'enabled': False}, 
                                'attack_surface_reduction': {'credential_hardening': {'enabled': True}}
                            }, 
                            'mac': {
                                'events': {'process': True, 'file': False, 'network': False}, 
                                'malware': {'mode': 'detect', 'blocklist': True}, 
                                'behavior_protection': {'mode': 'detect', 'supported': True}, 
                                'memory_protection': {'mode': 'detect', 'supported': True}, 
                                'popup': {'malware': {'message': '', 'enabled': False}, 'behavior_protection': {'message': '', 'enabled': False}, 'memory_protection': {'message': '', 'enabled': False}}, 
                                'logging': {'file': 'info'}
                            }, 
                            'linux': {
                                'events': {'process': True, 'file': False, 'network': False, 'session_data': False, 'tty_io': False}, 
                                'malware': {'mode': 'detect', 'blocklist': True}, 
                                'behavior_protection': {'mode': 'detect', 'supported': True}, 
                                'memory_protection': {'mode': 'detect', 'supported': True}, 
                                'popup': {'malware': {'message': '', 'enabled': False}, 'behavior_protection': {'message': '', 'enabled': False}, 'memory_protection': {'message': '', 'enabled': False}}, 
                                'logging': {'file': 'info'}
                            }
                        }
                    }
                }
            }
        ]
    }

    # Hand the request body back to the caller, which sends it with the PUT call
    return data

