Option to copy policies or exclusions from one customer to the next?

Hi all,

Is there an option to copy settings, policies+exclusions, global exclusions from one customer (central) to another?

There are a lot of settings we have to configure at every Customer for Server-/EndpointProtection / MDR.

Thanks,



Added TAGs
[edited by: Gladys at 2:34 PM (GMT -8) on 16 Jan 2023]
  • I'd suggest using the API to accomplish this task. 

    You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy. 

    Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help. 

    Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests. 

    I'll include below an API request I used to create a policy, in case this helps. (with sensitive information commented out).

    curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
    --header 'X-Tenant-ID: <TENANT ID>' \
    --header 'Content-Type: application/json' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer <AUTH TOKEN>' \
    --data '{
      "name": "TestAPI",
      "type": "threat-protection",
      "settings": {
        "endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.event-logging.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exclusions.intrusion-prevention": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.isolation": {
          "value": []
        },
        "endpoint.threat-protection.exclusions.scanning": {
          "value": []
        },
        "endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
          "recommendedValue": "terminate",
          "value": "terminate"
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.heartbeat-protection.enabled": {
          "value": true
        },
        "endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.cleanup.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.deep-learning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
          "value": true
        },
        "endpoint.threat-protection.malware-protection.exclude-remote-files": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.file-reputation.action": {
          "recommendedValue": "prompt",
          "value": "prompt"
        },
        "endpoint.threat-protection.malware-protection.file-reputation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
          "value": "recommended"
        },
        "endpoint.threat-protection.malware-protection.hips-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.live-protection.on-demand": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.on-access.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.days": {
          "unit": "day",
          "value": [
            3
          ]
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
          "value": false
        },
        "endpoint.threat-protection.malware-protection.scheduled-scan.time": {
          "format": "hourMinute",
          "value": "21:00"
        },
        "endpoint.threat-protection.malware-protection.skip-trusted-installers": {
          "recommendedValue": false,
          "value": false
        },
        "endpoint.threat-protection.malware-protection.web-filtering.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.malware-protection.web-scanning.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.c2-detection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.connection-tracking.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.network-protection.ips.enabled": {
          "value": false
        },
        "endpoint.threat-protection.network-protection.self-isolation.enabled": {
          "value": false
        },
        "endpoint.threat-protection.process-memory-background-scan.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
          "recommendedValue": true,
          "value": true
        },
        "endpoint.threat-protection.web-control.tls-decryption.enabled": {
          "value": false
        },
        "endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
          "value": false
        }
      },
      "appliesTo": {
        "users": [],
        "userGroups": [
          "<USER GROUP ID>"
        ]
      }
    }'

    A couple of additional functions which will help in using this process are:
    /endpoint-groups GET
    /endpoints GET

    Kushal Lakhan
    Team Lead, Global Community Support
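The GET-then-POST copy described in the reply above, sketched as an added example (not part of the original post and not Sophos code): it builds the POST body from a source-tenant GET result by keeping only the four top-level fields the posted request uses, and lists exclusions and settings that deviate from `recommendedValue` so they are reviewed before being propagated to another customer. The `group_id_map` input, the sample `id` field, the string-valued exclusion entry and the assumption that user and group IDs are specific to each tenant are illustrative and not taken from the page.

```python
import copy

# Top-level fields used by the POST body shown in the post above.
POST_FIELDS = ("name", "type", "settings", "appliesTo")

def review_settings(settings):
    """List what a reviewer should see before the policy is copied."""
    findings = []
    for key, entry in sorted(settings.items()):
        value = entry.get("value")
        if ".exclusions." in key and value:
            findings.append(f"{key}: {len(value)} exclusion(s) would be copied")
        elif "recommendedValue" in entry and value != entry["recommendedValue"]:
            findings.append(f"{key}: value {value!r} differs from recommended "
                            f"{entry['recommendedValue']!r}")
    return findings

def build_post_body(source_policy, group_id_map, new_name=None):
    """Build a target-tenant POST body from a source-tenant GET result."""
    # Allow-list: anything the posted request does not send is dropped.
    body = {k: copy.deepcopy(source_policy[k])
            for k in POST_FIELDS if k in source_policy}
    if new_name:
        body["name"] = new_name
    applies = body.setdefault("appliesTo", {})
    groups = applies.get("userGroups", [])
    # group_id_map (hypothetical input): source group ID -> target group ID.
    missing = [g for g in groups if g not in group_id_map]
    if missing:
        raise KeyError(f"no target group for source group id(s): {missing}")
    applies["userGroups"] = [group_id_map[g] for g in groups]
    applies["users"] = []  # assumed tenant-specific; assign in the target
    return body

# Constructed sample of a GET result (not real tenant data).
SAMPLE = {
    "id": "constructed-policy-id",  # assumed extra field, dropped on copy
    "name": "TestAPI",
    "type": "threat-protection",
    "settings": {
        "endpoint.threat-protection.exclusions.scanning":
            {"value": ["constructed-exclusion"]},
        "endpoint.threat-protection.malware-protection.deep-learning.enabled":
            {"recommendedValue": True, "value": False},
        "endpoint.threat-protection.network-protection.ips.enabled":
            {"value": False},
    },
    "appliesTo": {"users": ["constructed-user-id"],
                  "userGroups": ["src-group-1"]},
}
```

Serialise the returned dictionary with `json.dumps` and send it as the `--data` body of the POST request, using the target tenant's `X-Tenant-ID` and token.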