Option to copy policies or exclusions from one customer to the next?

Hi all,

Is there an option to copy settings, policies + exclusions, and global exclusions from one customer (Central) to another?

There are a lot of settings we have to configure for every customer for Server/Endpoint Protection / MDR.

Thanks,



Added TAGs
[edited by: Gladys at 2:34 PM (GMT -8) on 16 Jan 2023]
  • Hi dirkkotte,

    Thanks for reaching out to the Sophos Community Forum. 

    One way to do this would be to use Global Templates from Sophos Central Partner. Applying your template policy to a customer's site will allow you to push those settings to the Base Policy. You can also clone the policy from within the customer's site once this is done if they wish to make further changes. 

    Let me know if this helps.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal,

    Ok, thanks.
    I'll give it a try.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • But what if I don't want those policies to apply to all users? I have policies in a sub-estate that I want to copy to another sub-estate, but I can't do it with a global template because I only want them to apply to a group of users or devices...

    If I have to copy those policies manually to 6 or more sub-estates, I am going to waste a lot of time (and maybe make mistakes).

    Thank you,

    Quico

  • I'd suggest using the API to accomplish this task. 

    You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy. 

    Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help. 

    Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests. 

    I'll include below an API request I used to create a policy, in case this helps (with sensitive information commented out).

    curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
    --header 'X-Tenant-ID: <TENANT ID>' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer <AUTH TOKEN>' \
    --data '{
      "name": "TestAPI",
      "type": "threat-protection",
      "settings": {
        "endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.event-logging.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exclusions.intrusion-prevention": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.isolation": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.scanning": {
          "value": []
        },
        "endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
          "recommendedValue": "terminate",
          "value": "terminate"
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.heartbeat-protection.enabled": {
          "value": true
        },
        "endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.cleanup.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.deep-learning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
          "value": true
        },
        "endpoint.threat-protection.malware-protection.exclude-remote-files": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.file-reputation.action": {
          "recommendedValue": "prompt",
          "value": "prompt"
        },
        "endpoint.threat-protection.malware-protection.file-reputation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
          "value": "recommended"
        },
        "endpoint.threat-protection.malware-protection.hips-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.on-demand": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.on-access.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.days": {
          "unit": "day",
          "value": [
            3
          ]
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.time": {
          "format": "hourMinute",
          "value": "21:00"
        },
        "endpoint.threat-protection.malware-protection.skip-trusted-installers": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.web-filtering.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.web-scanning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.c2-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.connection-tracking.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.ips.enabled": {
          "value": false
        },
        "endpoint.threat-protection.network-protection.self-isolation.enabled": {
          "value": false
        },
        "endpoint.threat-protection.process-memory-background-scan.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.web-control.tls-decryption.enabled": {
          "value": false
        },
        "endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
          "value": false
        }
      },
      "appliesTo": {
        "users": [],
        "userGroups": [
          "<USER GROUP ID>"
        ]
      }
    }'

    A couple of additional functions which will help in using this process are:
    /endpoint-groups GET
    /endpoints GET

    Kushal Lakhan
    Team Lead, Global Community Support
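The GET-then-POST copy procedure from the reply above, written out as an added Python example (not Sophos code and not from the thread): it keeps only the fields the reply says carry over, replaces the tenant-local appliesTo IDs with the destination tenant's own group IDs, and compares the copied policy's settings against the source once it has been read back. The read-only field names (id, priority, createdAt, updatedAt) are assumed, and the sample policy is constructed.

```python
import json
import urllib.request

# Fields the reply says carry over from GET to POST; everything else in the
# GET result (assumed names: id, priority, createdAt, updatedAt) is read-only.
COPIED_FIELDS = ("name", "type", "settings")

# Constructed sample shaped like one item of a GET /endpoint/v1/policies result.
SOURCE_POLICY = {
    "id": "<SOURCE POLICY ID>", "priority": 3, "createdAt": "2023-01-16T00:00:00Z",
    "name": "TestAPI", "type": "threat-protection",
    "settings": {
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled":
            {"recommendedValue": True, "value": True},
        "endpoint.threat-protection.network-protection.ips.enabled": {"value": False},
    },
    "appliesTo": {"users": [], "userGroups": ["<SOURCE TENANT GROUP ID>"]},
}


def prepare_policy_body(source_policy, user_group_ids=()):
    """Build the POST body for the destination tenant from a source GET result."""
    missing = [f for f in COPIED_FIELDS if f not in source_policy]
    if missing:
        raise ValueError(f"source policy lacks required fields: {missing}")
    body = {f: source_policy[f] for f in COPIED_FIELDS}  # read-only metadata dropped
    # appliesTo IDs are local to the source tenant: never copy them, supply the
    # destination tenant's own group IDs instead (looked up in that tenant).
    body["appliesTo"] = {"users": [], "userGroups": list(user_group_ids)}
    return body


def settings_drift(expected, actual):
    """Return {key: (expected, actual)} for settings missing or changed in the copy."""
    drift = {}
    for key, spec in expected.items():
        got = actual.get(key)
        if got is None or got.get("value") != spec.get("value"):
            drift[key] = (spec.get("value"), None if got is None else got.get("value"))
    return drift  # empty dict means the read-back policy matches the source


def post_policy(data_region, tenant_id, token, body):
    """POST to the destination tenant; same endpoint and headers as the curl above."""
    req = urllib.request.Request(
        f"https://api-{data_region}.central.sophos.com/endpoint/v1/policies",
        data=json.dumps(body).encode(), method="POST",
        headers={"X-Tenant-ID": tenant_id, "Authorization": f"Bearer {token}",
                 "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Run `settings_drift` against a fresh GET of the created policy in each destination tenant; a non-empty result means a setting was silently rejected or defaulted and the copy needs a second look.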