Hi all,
is there an option to copy settings, policies+exclusions, global exclusions from one customer (central) to another?
There are a lot of settings we have to configure at every Customer for Server-/EndpointProtection / MDR.
Thanks,
Hi dirkkotte,
Thanks for reaching out to the Sophos Community Forum.
One way to do this would be to use Global Templates from Sophos Central Partner. Applying your template policy to a customer's site will allow you to push those settings to the Base Policy. You can also clone the policy from within the customer's site once this is done if they wish to make further changes.
Let me know if this helps.
I'd suggest using the API to accomplish this task.
You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy.
Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help.
Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests.
I'll include below an API request I used to create a policy, in case this helps. (with sensitive information commented out).
curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
--header 'X-Tenant-ID: <TENANT ID>' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <AUTH TOKEN>' \
--data '{
"name": "TestAPI",
"type": "threat-protection",
"settings": {
"endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.event-logging.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exclusions.intrusion-prevention": {
"value": []
},
"endpoint.threat-protection.exclusions.isolation": {
"value": []
},
"endpoint.threat-protection.exclusions.scanning": {
"value": []
},
"endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
"recommendedValue": "terminate",
"value": "terminate"
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
"value": true
},
"endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.heartbeat-protection.enabled": {
"value": true
},
"endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.cleanup.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.deep-learning.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
"value": true
},
"endpoint.threat-protection.malware-protection.exclude-remote-files": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.malware-protection.file-reputation.action": {
"recommendedValue": "prompt",
"value": "prompt"
},
"endpoint.threat-protection.malware-protection.file-reputation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
"value": "recommended"
},
"endpoint.threat-protection.malware-protection.hips-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.live-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.live-protection.on-demand": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.on-access.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.scheduled-scan.days": {
"unit": "day",
"value": [
3
]
},
"endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.time": {
"format": "hourMinute",
"value": "21:00"
},
"endpoint.threat-protection.malware-protection.skip-trusted-installers": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.malware-protection.web-filtering.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.web-scanning.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.c2-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.connection-tracking.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.ips.enabled": {
"value": false
},
"endpoint.threat-protection.network-protection.self-isolation.enabled": {
"value": false
},
"endpoint.threat-protection.process-memory-background-scan.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.web-control.tls-decryption.enabled": {
"value": false
},
"endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
"value": false
}
},
"appliesTo": {
"users": [],
"userGroups": [
"<USER GROUP ID>"
]
}
}'
A couple of additional functions which will help in using this process are:
/endpoint-groups GET
/endpoints GET
I'd suggest using the API to accomplish this task.
You can use the /policies GET function to retrieve the details from the desired policy. Once you have this data, you can then use the /policies POST function to create the desired policy.
Most of the fields returned when running the GET function will be applicable to the POST function. Using something like Postman will help greatly in analyzing the responses. Using the request parameters on the right side of the API documentation can also help.
Note that you will need to go to each tenant to create a set of API credentials to get started and have access to each site to send and receive these requests.
I'll include below an API request I used to create a policy, in case this helps. (with sensitive information commented out).
curl --location 'https://api-<DATA REGION>.central.sophos.com/endpoint/v1/policies' \
--header 'X-Tenant-ID: <TENANT ID>' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <AUTH TOKEN>' \
--data '{
"name": "TestAPI",
"type": "threat-protection",
"settings": {
"endpoint.threat-protection.block-active-adversary-mitigation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.event-logging.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exclusions.intrusion-prevention": {
"value": []
},
"endpoint.threat-protection.exclusions.isolation": {
"value": []
},
"endpoint.threat-protection.exclusions.scanning": {
"value": []
},
"endpoint.threat-protection.exploit-mitigation.all-mitigations.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.amsi-registration-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.java-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.media-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.office-applications.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.web-browser-plugins.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.application-protection.web-browsers.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.browser-cookie-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.c2-interceptor.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cpu-branch-tracing.enabled": {
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.action-on-ransomeware-detection": {
"recommendedValue": "terminate",
"value": "terminate"
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.efs-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.cryptoguard.smb-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.ctf-protocol-caller-validation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.dynamic-shellcode-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.hardware-breakpoint-guard.enabled": {
"value": true
},
"endpoint.threat-protection.exploit-mitigation.mbr-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.apc-violation-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.code-cave-mitigation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.credential-theft-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.dll-hijacking-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.privilege-escalation-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.process-hollowing-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.process-protection.registry-credential-theft-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.safe-browsing.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.side-loading-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.exploit-mitigation.ultra-exclude.enabled": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.heartbeat-protection.enabled": {
"value": true
},
"endpoint.threat-protection.journal-hashing.exclude-remote-files.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.amsi-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.behavioral-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.cleanup.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.deep-learning.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.desktop-messaging.enabled": {
"value": true
},
"endpoint.threat-protection.malware-protection.exclude-remote-files": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.malware-protection.file-reputation.action": {
"recommendedValue": "prompt",
"value": "prompt"
},
"endpoint.threat-protection.malware-protection.file-reputation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.file-reputation.reputation-level": {
"value": "recommended"
},
"endpoint.threat-protection.malware-protection.hips-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.live-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.live-protection.on-demand": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.on-access.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.scheduled-scan.days": {
"unit": "day",
"value": [
3
]
},
"endpoint.threat-protection.malware-protection.scheduled-scan.deep-scanning.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.scan-all-files.enabled": {
"value": false
},
"endpoint.threat-protection.malware-protection.scheduled-scan.time": {
"format": "hourMinute",
"value": "21:00"
},
"endpoint.threat-protection.malware-protection.skip-trusted-installers": {
"recommendedValue": false,
"value": false
},
"endpoint.threat-protection.malware-protection.web-filtering.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.malware-protection.web-scanning.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.c2-detection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.connection-tracking.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.network-protection.ips.enabled": {
"value": false
},
"endpoint.threat-protection.network-protection.self-isolation.enabled": {
"value": false
},
"endpoint.threat-protection.process-memory-background-scan.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.threat-analysis.threat-case-creation.enabled": {
"recommendedValue": true,
"value": true
},
"endpoint.threat-protection.web-control.tls-decryption.enabled": {
"value": false
},
"endpoint.threat-protection.web-control.tls-decryption.quic.enabled": {
"value": false
}
},
"appliesTo": {
"users": [],
"userGroups": [
"<USER GROUP ID>"
]
}
}'
A couple of additional functions which will help in using this process are:
/endpoint-groups GET
/endpoints GET